SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume X - Issue #59

July 29, 2008

Secure Coding Update: The secure coding flaws found in popular books on programming are now posted at http://www.sans-ssi.org/resources/Winners_of_insecure_coding_contest_20080721.pd
f Also the new course on Secure Coding in Java was a huge hit at SANSFIRE as well as in on-site presentations. This is the application security course that we have all needed. Now it is here and it is wonderful. If you have programmers and want to have us train them or if you want to develop in-house trainers to give the course yourself, please email spa@sans.org today.
Alan

---

TOP OF THE NEWS

FCC to Vote on Comcast Issue
Internet Giants Urged to Uphold Free Internet Use
Evilgrade Exploits DNS Flaw
Reports Suggest DNS Flaw is Being Actively Exploited

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
College Student in Jail for Alleged ID Theft
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
RealPlayer Update Fixes Four Flaws
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Six Arrested in Connection with South Korean Data Theft
Texas Clinic Patient Data Stolen, Used in Payday Loan Fraud
STANDARDS & BEST PRACTICES
NIST Releases Guidance for Securing XP Systems and Security Baseline Database
MISCELLANEOUS
SF Prosecutors Place VPN Usernames and Passwords on Public Record
NIST and George Mason Univ. Develop Attack Graph Analysis

---

***************** Protecting the Critical Infrastructures **************

A free program at the European SCADA Security Summit (Amsterdam, Sept 8-9) will show all vendors of control systems how to comply with the new global procurement standards for baking security into the systems they sell. Their compliance will make it possible for electric utilities (large and small) and other buyers of control systems to have much more security than they do now. There is no more valuable initiative in control systems security. Users of control systems will learn about the standards, how attackers are breaking in, and what works to improve their security, as part of the Summit. If you buy control systems, make sure your vendors are complying with the new procurement standards - even in the maintenance of your current systems. Information on the Summit is at: http://www.sans.org/info/30854 Vendors who want to attend the free session should email apaller@sans.org with the subject "SCADA Security Procurement Standards."

*************************************************************************

TRAINING UPDATE
- - Las Vegas (9/28-10/6) http://www.sans.org/ns2008 NETWORK SECURITY 2008)
- - Boston (8/9-8/16) http://www.sans.org/boston08/
- - Virginia Beach (8/21-8/29): http://www.sans.org/vabeach08/
- - Chicago (9/3-9/10) http://www.sans.org/chicago08 AUDIT & COMPLIANCE
- - and in 100 other cites and on line any time: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

FCC to Vote on Comcast Issue (July 28, 2008)

The US Federal Communications Commission (FCC) will likely vote this week on an order to enact enforcement against Comcast for deliberately blocking or degrading Internet traffic to thwart filesharing. Comcast says it only slowed traffic for network management during peak usage times. If the FCC agrees that Comcast violated federal policy, Comcast will be prohibited from slowing and blocking traffic and will have to make its practices clear to its customers. Comcast maintains that the FCC does not have the authority to impose penalties. The issue is on the FCC's August 1 agenda.
-http://www.informationweek.com/news/services/data/showArticle.jhtml?articleID=20
9602109
-http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/07/28/BUAB120T33.DTL
-http://government.zdnet.com/?p=3907
[Editor's Note (Ullrich): This topic may have more impact on network security then many think. A key question that has been heavily debated in the past is whether and how ISPs like Comcast should manage traffic, and whether ISPs should be allowed, or even required, to block some malicious traffic.
(Schultz): This case promises to be drawn out and dramatic; Comcast declares that the FCC has no authority in situations such as this one and the FCC maintains that it very much does. Whatever ruling comes out of it will be yet another that helps define the limits of power (or lack thereof) for ISPs, especially big and powerful ones such as Comcast. ]

Internet Giants Urged to Uphold Free Internet Use (July 25, 2008)

Two US legislators are pushing the CEOs of Yahoo!, Google and Microsoft, to adopt "a voluntary code of conduct" which says they will not help foreign governments' attempts to stifle or persecute dissenting Internet users. Senators Dick Durbin (D-Ill.) and Tom Coburn (R-Okla.) say that if the companies do not adopt the policy, they could see legislation that would require them not to cooperate with foreign governments that aim to repress citizens' human rights. Yahoo! has been criticized in the past for providing Chinese authorities with information that led to the arrest of a dissident who was ultimately sentenced to 10 years in prison for forwarding an email to a human rights group. Companies say they are bound to abide by the laws of the countries in which they operate.
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=209601006
[Editor's Note (Northcutt): Planet Earth is very big and the USA's power is shrinking due to fiscal irresponsibility and over confidence in our military capability. We cannot legislate behavior for the rest of the world; rather we should start to pay attention to our own very real domestic problems. ]

Evilgrade Exploits DNS Flaw (July 28, 2008)

An exploit package called Evilgrade takes advantage of the automatic update features in various programs and operating systems to install malware on vulnerable computers. To work, Evilgrade requires a man-in-the-middle attack to have been launched against the target; the recently disclosed DNS vulnerability allows just that. Evilgrade can infiltrate iTunes, Mac OS X, Winzip, Java, Winamp, OpenOffice and other programs.
-http://www.theregister.co.uk/2008/07/28/pwning_security_updates/print.html
-http://www.securityfocus.com/brief/783
-http://blogs.zdnet.com/security/?p=1576

Reports Suggest DNS Flaw is Being Actively Exploited (July 25 & 28, 2008)

Companies are being urged to apply patches for the recently disclosed DNS flaw as soon as possible amid "anecdotal evidence" that the vulnerability is already being actively exploited. The flaw could be exploited to redirect Internet users to a site of the attackers choosing, even if users type the correct URL into their browsers themselves. Microsoft and Linux distributors have already released patches for the vulnerability, but Apple has yet to make a fix available. Major vendors, including Apple, were informed of the flaw in March, so they have had some time to prepare a patch. Those operating OS X servers should stop using them for domain name resolution until a patch is available.
-http://news.bbc.co.uk/2/hi/technology/7525206.stm
-http://www.smh.com.au/news/security/hackers-get-hold-of-critical-internet-flaw/2
008/07/25/1216492691922.html
-http://www.heise-online.co.uk/security/DNS-hole-no-patch-yet-from-Apple--/news/1
11187
[Editor's Note (Ullrich): One reason that exploits are not even more frequent is that Bind 9 appears to be immune to current exploits, even if unpatched (thanks Hal for pointing this out to me). And again, Apple is way behind the curve on critical patches to open source software redistributed with their OS. ]

---

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

College Student in Jail for Alleged ID Theft (July 25, 2008)

College student Christopher Fowler is in jail for allegedly stealing his professor's identity to access the school's computer network and change his grades. Investigators also allege that Fowler broke into the Georgia Highlands College VoIP system to eavesdrop on phone conversations. Charges against Fowler include unlawful surveillance or eavesdropping and computer trespass; he could also be charged with identity theft.
-http://www.myfoxatlanta.com/myfox/pages/News/Detail?contentId=7069233&versio
n=1&locale=EN-US&layoutCode=TSTY&pageId=3.2.1
-http://www.ajc.com/metro/content/metro/stories/2008/07/25/georiga_highlands_stud
ent_hacker.html

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

RealPlayer Update Fixes Four Flaws (July 25, 2008)

RealNetworks has released a patch for RealPlayer to fix four vulnerabilities. One is a heap-based buffer overflow in the way frames are handled in Shockwave Flash (SWF) files. A second flaw is a remote code execution vulnerability in the RealAudioObjects.RealAudio ActiveX control. No details have been published about the other two flaws. RealPlayer versions for Windows, Mac and Linux are all vulnerable to at least one of the flaws; users are urged to patch as soon as possible.
-http://www.theregister.co.uk/2008/07/25/realplayer_vulns_patched/print.html
-http://service.real.com/realplayer/security/07252008_player/en/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Six Arrested in Connection with South Korean Data Theft (July 28, 2008)

South Korean police say a Chinese hacker stole South Korean credit data and sold them to an individual who used it to broker "non-institutional" loans for individuals who appeared to need cash. The victims were telephoned and offered the alternative loans. The data were purchased for W15 million (US $14,841); the go-between who purchased the information is believed to have made W2.7 billion (US $2.67 million) in illegal profits. Six other suspects have been arrested; an arrest warrant has been requested for the go-between and another person, both who have fled the country. The stolen data were obtained from banks, loan companies, online retailers and universities.
-http://english.chosun.com/w21data/html/news/200807/200807280013.html

Texas Clinic Patient Data Stolen, Used in Payday Loan Fraud (July 24, 2008)

The personal information of more than 500 patients at medical clinics in Fort Bend County, Texas was stolen and used to commit fraud. Thirty-eight people have been indicted in connection with the identity theft ring. Two people are suspected of having stolen patient data while employed at the clinics, one is accused of using the information to obtain payday loans totaling more than US $230,000 and the rest are suspected of being involved in efforts to launder the stolen funds.
-http://www.fortbendnow.com/pages/full_story?page_label=home&id=119590&ar
ticle-Local-Medical-Clinic-Patients-Among-500-Victimized-In-Major-Identity-Theft
-Ring%20=&widget=push&instance=home_news_bullets&open=&
-http://www.chron.com/disp/story.mpl/front/5906582.html

STANDARDS & BEST PRACTICES

NIST Releases Guidance for Securing XP Systems and Security Baseline Database (July 28, 2008)

The National Institute of Standards and Technology (NIST) has released a draft document, Special Publication 800-68, "Guidance for Securing Microsoft Windows XP Systems for IT Professionals." The document provides detailed guidance for securing Windows XP Professional systems with Service Pack 2 or 3. Along with the draft document, NIST is releasing a beta version database of baseline security settings for Windows XP, Vista, Internet Explorer 7 and Windows Firewall as specified in the Federal Desktop Core Configuration (FDCC). NIST is accepting public comments on both SP 800-68 and the accompanying database. NIST has also released a revised version of SP 800-48, "Guide to Securing Legacy IEEE 802.11 Wireless networks," and SP 800-123, "Guide to General Server Security."
-http://www.gcn.com/online/vol1_no1/46739-1.html?topic=security&CMP=OTC-RSS
-http://csrc.nist.gov/itsec/download_WinXP.html
http:csrc.nist.gov/itsec/Draft-SP800-68r1.pdf
-http://csrc.nist.gov/publications/nistpubs/800-48-rev1/SP800-48r1.pdf
-http://csrc.nist.gov/publications/nistpubs/800-123/SP800-123.pdf

MISCELLANEOUS

SF Prosecutors Place VPN Usernames and Passwords on Public Record (July 25 & 28, 2008)

San Francisco prosecutors in the case against system administrator Terry Childs have put 150 usernames and access passwords on the public record. The usernames and passwords are used by city officials to access San Francisco's virtual private network (VPN) and were recovered from Childs' computer. The passwords themselves will not get people into the VPN; a second password is required to gain network access. Childs is accused of hijacking the city's computer network by changing the passwords and refusing to give them to administrators. Childs eventually handed the passwords over to San Francisco Mayor Gavin Newsom. A spokesperson for the DA's office says that "court files have been amended."
-http://www.theregister.co.uk/2008/07/28/sf_rogue_sysadmin_password_mess/print.ht
ml
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9110758&source=rss_topic17
[Editor's Note (Veltsos): San Francisco's latest mishap illustrates how, in the rush to deal with one security issue, we may end up creating new problems. On the bright side, the city learned that some of the passwords are identical to the login names. ]

NIST and George Mason Univ. Develop Attack Graph Analysis (July 23 & 25, 2008)

NIST and George Mason University have jointly developed Attack Graph Analysis, a technology that they hope IT managers can use to identify weaknesses in their systems. Attack Graph Analysis assigns a risk probability to each possible path an attacker could pursue while attempting to gain access to a system; the vulnerabilities are assessed with NIST's National Vulnerability Database.
-http://www.eetimes.com/news/latest/showArticle.jhtml?articleID=209601075&pri
ntable=true&printable=true
-http://www.sciencedaily.com/releases/2008/07/080723144710.htm

---

*************************************

The Editorial Board of SANS NewsBites



Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).



John Pescastore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.



Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.



Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.



Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.



Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.



Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.



Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.



Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.



Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.



Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.



Alan Paller is director of research at the SANS Institute



Clint Kreitner is the founding President and CEO of The Center for Internet Security.



Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.



Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.



Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.



Brian Honan is an independent security consultant based in Dublin, Ireland.



Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security courses at Minnesota State University, Mankato. He is the President of Prudent Security LLC and also serves as the President of the Mankato Chapter ISSA.



Roland Grefer is an independent consultant based in Clearwater, Florida.



Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/