SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume X - Issue #61
August 05, 2008
Two weeks until the early registration deadline for Network Security 2008 in Las Vegas - but more importantly there are still a few seats left in the new Penetration Testing (both network and application testing) courses and in the Hacker Exploits courses. Early registration will make sure you get a seat. http://www.sans.org/ns2008
Alan
TOP OF THE NEWS
FCC Vote Effectively Ends Selective Traffic BlockingSenate Approves Amended ID Theft Legislation
THE REST OF THE WEEK'S NEWS
LEGAL MATTERSDutch Police Arrest Two Brothers in Botnet Case
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Some Firewall Software Undoes DNS Patch Port Randomizing
Apple DNS Patch Doesn't Fix Client Versions of OS X
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Customs and Border Patrol Electronic Device Search Policy Raises Privacy Concerns
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Judge Likely to Declare Mistrial in Jammie Thomas Case
Woman Admits to Sharing Music Files, but Says Fines are Excessive
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Two Arrested in Connection with Theft and Sale of Countrywide Loan Applicant Data
Former Employee Arrested in Calif. Supermarket ATM Scam
MISCELLANEOUS
Insurance Companies Using Health Databases to Make Coverage Decisions
Lawmakers Want to Know More About ISPs Use of Deep Packet Inspection
COMMENTARY
Paller on Scott Charney and Public-Private Partnerships
Northcutt On The Jammie Thomas Case
******************** Sponsored By Sourcefire, Inc. **********************
Best of Open Source Security (BOSS) Conference
February 8-10, 2009 Flamingo_Las Vegas
Be sure to register the first IT security conference dedicated to promoting open source security (OSS) technologies and the commercial products that embrace them.
This long overdue conference will bring together passionate OSS advocates and vendors under the same roof to share ideas and experiences.
For more information, visit http://www.sans.org/info/31428
*************************************************************************
TRAINING UPDATE
- - Las Vegas (9/28-10/6) http://www.sans.org/ns2008 NETWORK SECURITY 2008)
- - Boston (8/9-8/16) http://www.sans.org/boston08/
- - Virginia Beach (8/21-8/29): http://www.sans.org/vabeach08/
- - Chicago (9/3-9/10) http://www.sans.org/chicago08 AUDIT & COMPLIANCE
- - and in 100 other cites and on line any time: www.sans.org
*************************************************************************
TOP OF THE NEWS
FCC Vote Effectively Ends Selective Traffic Blocking (August 2, 2008)
In a 3 to 2 vote, the US Federal Communications Commission (FCC) said that Comcast violated federal policy by throttling Internet traffic for subscribers using BitTorrent file sharing software. No fine was assessed. Comcast maintains its actions were within the scope of ordinary network management practices and that it slowed traffic only to manage the network during high traffic periods. Comcast also says that FCC's network neutrality is a policy statement and not an enforceable rule. The policy statement issued in 2005 is designed to provide "widely deployed, open, affordable and accessible (broadband networks) to all consumers." The principles are "subject to reasonable network management," which has remained a vague term. FCC chairman Kevin J. Martin said that Comcast was not merely managing network traffic when it targeted a specific application to block. The FCC went on to say that Comcast had a motive for its action; users downloading video files through the peer-to-peer application could be perceived to be taking business away from Comcast's video-on-demand service. The ruling requires Comcast to make changes in the way it manages network traffic and to make clear to its customers the methods it uses.-http://www.washingtonpost.com/wp-dyn/content/article/2008/08/01/AR2008080101205_
pf.html
-http://www.nytimes.com/2008/08/02/technology/02fcc.html?_r=1&oref=slogin&
;partner=rssnyt&emc=rss&pagewanted=print
-http://hraunfoss.fcc.gov/edocs_public/attachmatch/DOC-284286A1.doc
[Editor's Note (Pescatore): Note that any ISP has the right to enforce service level agreements where price plans prohibit running servers or allow only a certain level of throughput. The issue here was Comcast being selective about it, which is always a slippery slope.]
Senate Approves Amended ID Theft Legislation (July 31, 2008)
The US Senate has unanimously approved an amended version of the Identity Theft Enforcement and Restitution Act, sponsored by Senators Patrick Leahy (D-Vt.) and Arlen Specter (R-Pa.). It now goes back to the House of Representatives for consideration. The legislation originally passed the Senate in November 2007, but stalled in the House. The Senate tacked the legislation onto a House bill that guarantees former Vice Presidents and their immediate families Secret Service protection for six months after leaving office. If it becomes law, the bill would allow identity theft victims to seek restitution for their time and funds spent fixing their credit and other effects; allow prosecution of thieves who impersonate a business; and give felony status to the crime of using spyware or keystroke loggers to damage 10 or more computers.-http://leahy.senate.gov/press/200807/073108a.html
-http://www.scmagazineus.com/Senate-OKs-revamped-identity-theft-legislation/artic
le/113232/
[Editor's Note (Schultz): Given how severe the consequences of identity theft are, it is simply unbelievable that ID theft legislation has not yet been passed in the US. I hope this time things will be different. ]
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
Dutch Police Arrest Two Brothers in Botnet Case (August 4, 2008)
Police in the Netherlands have arrested two brothers who allegedly controlled an international botnet of 40,000 to 100,000 computers; just 1,100 of the compromised machines were in the Netherlands. The FBI was involved in the investigation that led to the arrests of the brothers and a third man who is from Brazil. The older of the Dutch brothers, who is 19, appeared before a judge in Rotterdam last week; the younger brother, who is 16, has been released until a later trial. The Brazilian man is awaiting extradition to the US.-http://www.theregister.co.uk/2008/08/04/dutch_botnet_herders_arrested/print.html
[Editor's Note (Pescatore): It is not unusual to see enterprises that look for bot clients on their PCs to find 3-7% of PCs compromised with bot clients, even when using up to date AV and host based intrusion prevention. This is not just a consumer problem; existing defenses and vulnerability assessment processes need to be augmented to be effective against such targeted threats.
(Northcutt): The two brothers will join James C. Brewer, Jason Michael Downey, and Robert Alan Soloway as people run to ground by the Botnet Task Force, at some point Botnet operators are going to feel that the risk of prosecution, anywhere in the world, is great enough to give pause.
-http://www.fbi.gov/pressrel/pressrel07/botnet061307.htm
-http://www.silicon.com/research/specialreports/ecrime/0,3800011283,39158294,00.h
tm]
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Some Firewall Software Undoes DNS Patch Port Randomizing (August 4, 2008)
Firewall vendors are "scrambling" to update their products to address a problem in the software that undoes the source port randomization component of the recently released DNS patches. The problem lies with some firewalls that do IP address translation. The DNS patches have reportedly been causing some other minor problems - particularly slowing down traffic on some servers.-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9111500&intsrc=hm_ts_head
[Editor's Note (Skoudis): This one could get ugly, folks. Widely available tools exploit this flaw to trick software update features into installing malware, and surely the bad guys have many other equally nasty tricks up their sleeves. And, tomorrow (August 6), Dan Kaminsky will deliver his full presentation, which will likely provide insights into optimizing the attack even further. Patch your DNS servers... and push your firewall vendors on this too. If your firewall unrandomizes the source port, someone can still poison the DNS server behind the firewall. Ironically, such a firewall is actually weakening security here, exposing your whole network to attack.
(Guest Editor and Internet Storm Center Handler Donald Smith): Actually it is the PAT, Port Address Translation, function that is causing this issue. That is often used in conjunction with NAT, Network Address Translation, but then it should be called NAT/PAT. The functions are separate logical functions even if used together in most NAT/PAT implementations.
-http://en.wikipedia.org/wiki/Network_address_translation
- From
-http://isc.sans.org/diary.html?storyid=4687
"The patch will impact your server performance. Test carefully before patching a very busy server. Internet Storm Center (isc.org) mentions 10,000 queries/sec as a problem. " - From
-http://isc.sans.org/diary.html?storyid=4777
"Home firewall NAT devices are also proving to be vulnerable as many don't seem to randomize the source port." - From
-http://isc.sans.org/diary.html?storyid=4780
Conclusion: So is this bad: yes, it is unless your DNS clients, name-servers and the name-servers you forward to are up-to-date on patches, and your NAT devices (routers, firewalls, etc) in between do not randomize source ports. ]
Apple DNS Patch Doesn't Fix Client Versions of OS X (August 1, 2008)
Apple released a patch for the recently disclosed and exploited DNS vulnerability, but while it fixes Mac OS X systems used as DNS servers, it does not protect Macs being used as client systems. Fully patched versions of both Tiger (version 10.4.11) and Leopard (version 10.5.4) do not adequately randomize DNS source ports. Apple released Security Update 2008-005 on Thursday, July 31 to address 17 flaws in its OS X operating system. - From Internet Storm Center:-http://isc.sans.org/diary.html?storyid=4810
A quick packet dump of my fully patched Leopard machine (OS X 10.5.4) shows it is - as a DNS client - still using incrementing ports.
-http://www.theregister.co.uk/2008/08/01/osx_still_vulnerable/print.html
-http://www.informationweek.com/news/hardware/mac/showArticle.jhtml?articleID=209
901566
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9111363&source=rss_topic17
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Customs and Border Patrol Electronic Device Search Policy Raises Privacy Concerns (August 1 & 3, 2008)
According to recently released documents from the US Department of Homeland Security (DHS), federal agents have the authority to "detain" travelers' electronic devices, including laptop computers, for an unspecified period of time even if the traveler is not suspected of any wrongdoing. In addition, the devices' contents may be shared with other entities, including those who provide translation or decryption services. The policies emphasize the necessity of protecting proprietary business and privileged attorney-client information, but there is no mention made of special handling for medical or financial data. Senator Russell Feingold (D-Wis.) plans to introduce legislation that would require reasonable suspicion for border searches and prohibit agents from profiling travelers by race, religion or national origin.-http://www.washingtonpost.com/wp-srv/content/article/2008/08/01/laptops.html?hpi
d=topnews
-http://www.itworld.com/legal/54007/us-border-agency-says-it-can-seize-laptops
-http://www.cbp.gov/linkhandler/cgov/travel/admissability/search_authority.ctt/se
arch_authority.pdf
[Editor's Note (Northcutt): We discuss this in the class I teach, in a sense you are between countries, leaving one, entering another, it is very hard to say which laws do and do not apply. DHS is to be commended for creating and publishing a policy, but keep in mind all of this is possible anytime you are between two countries and most do not publish their policy. The Government link above is the policy itself, it is worth reading especially if you travel internationally. The most interesting statement in the document to me is, "CBP may seek translation and/or decryption assistance from other Federal agencies or entities." At first blush I thought, no way they can break AES 256, but they might not have to, they might just be able to cold boot attack the keys, brute the PIN protecting the key, or there may be flaws in some commercial full disk encryption products that don't get the same level of scrutiny as OpenSSH, GnuPGP, or TrueCrypt.
(Ullrich): This is not new. Border agents in the US and in other countries always had broad authority to search and detain anybody trying to cross a border. What matters is how this rule is applied. Some reports make it sound like everybody's laptop will be "strip searched". Needless to say, that this would be impractical. More likely, passengers will be subjected to the same random sampling they always have been unless there is reasonable suspicion to warrant a more intense search of a particular laptop.]
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Judge Likely to Declare Mistrial in Jammie Thomas Case (August 1 & 4, 2008)
At a hearing on Monday, August 4, US District Judge Michael Davis implied that he is likely to declare a mistrial in the case in which a verdict was reached last October. The Recording Industry Association of America (RIAA) says Jammie Thomas made music files available in an open folder on the Kazaa filesharing network. The jury in the original case deliberated just five minutes before returning a guilty verdict, but seven months after the trial, the Judge Davis asked for the new hearing because he believes he made a legal error when he instructed the jury that Thomas could be found guilty of unauthorized distribution merely by making the files available and without any proof that they had actually been distributed. The "making available" issue in digital copyright law has not yet been definitely decided. There have been cases in which judged ruled against RIAA on the issue, but the rulings came in pretrial stages.-http://blog.wired.com/27bstroke6/2008/08/riaas-lawsuit-s.html
-http://blog.wired.com/27bstroke6/2008/08/judge-hints-at.html
[NewsBites Editorial Board member Stephen Northcutt provided extensive commentary and additional links on this case. We include his commentary and links at the end of this issue. ]
Woman Admits to Sharing Music Files, but Says Fines are Excessive (July 28, 2008)
An attorney for the defendant in a New York federal court case regarding illegal file distribution through the Kazaa network says his client did share files, but is arguing that the damages sought by the RIAA are excessive and is looking to change the law that allows them. Under the Copyright Act, Denise Barker could face fines of US $750 to US $150,000 for each song illegally shared over the network. Barker's attorney estimates that each instance of illegal downloading costs the music industry about US $3.50; US Supreme Court rulings say that fines in excess of a 9-to-1 ratio are unconstitutional.-http://blog.wired.com/27bstroke6/2008/07/new-riaa-lawsui.html
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Two Arrested in Connection with Theft and Sale of Countrywide Loan Applicant Data (August 1 & 2, 2008)
A former Countrywide Financial Corp. employee is accused of stealing loan applicant information and selling it to others in the mortgage industry who used the data to offer new loans to the applicants. Rene L. Rebollo Jr. allegedly used a work computer that lacked the security of other office computers to copy information of approximately 20,000 customers at a time onto a flash drive. The stolen data include Social Security numbers (SSNs). Last month, Rebollo voluntarily surrendered the flash drive and a personal computer to the FBI. Rebollo's attorney later placed a call to the FBI saying that his client had revoked his permission for the FBI to search the devices. Another man, Wahid Siddiqi, was also arrested; he allegedly sold disks of Countrywide data to a witness who was working for the FBI. Rebollo has been charged with exceeding authorized access to the computer of a financial institution. Authorities believe Siddiqi acted as a middle-man in the data theft and sale operation.-http://www.latimes.com/business/la-fi-arrest2-2008aug02,0,7330731.story
-http://www.sfgate.com/cgi-bin/article.cgi?f=/n/a/2008/08/01/state/n171240D95.DTL
Former Employee Arrested in Calif. Supermarket ATM Scam
(August 1 & 2, 2008)MISCELLANEOUS
Insurance Companies Using Health Databases to Make Coverage Decisions (August 4, 2008)
Some life and health insurance companies are starting to use information from commercial medical databases to make their decisions on individual consumer coverage. The databases mined for information include those that contain prescription drugs and those gathered by clinical and pathological labs. Traditionally, insurers gather information from physicians' offices. The new developments present privacy concerns because they take place outside the protections offered by federal health regulators and legislators. Also of concern is the fact that information gathered for one purpose is being sold for another purpose. Two companies that provide the information say they release only data that have been released by patient consent as per HIPAA (Health Insurance Portability and Accountability Act); however, the companies themselves are not bound by HIPAA regulations.-http://www.washingtonpost.com/wp-dyn/content/article/2008/08/03/AR2008080302077_
pf.html
[Editor's Note (Honan): It is for situations like this that data privacy laws similar to those in most European Union countries need to be introduced. Under EU legislation it is against the law to use information gathered for one purpose for another without the explicit consent of the person from whom the data was gathered.]
Lawmakers Want to Know More About ISPs Use of Deep Packet Inspection
(August 1, 2008)COMMENTARY
Paller On Microsoft's Scott Charney and the Public Private Partnership
When the history of Internet security is written, and the authors search for people who made a difference, they are going to find that Scott Charney will be near the top of most experts' list. More than anyone else in the United States, Scott has transformed the public-private partnership from whining to active cooperation. And it works. Today's issue shows just one of his many initiatives, the Botnet Task Force, producing another major arrest. Scott helped Microsoft build a world-class law enforcement team inside Microsoft and then put top technologists to work to build technology and processes that identify malicious code and malicious people wherever they are hiding in the Internet. In his presentation at the (2005) Eleventh United Nations Congress on Crime Prevention and Criminal Justice, he lays out a blueprint for cooperation.-http://web.reed.edu/nwacc/programs/conf05/UNCrimeCongressPaper.doc
Scott doesn't just write papers; and he doesn't ask government to do it all. He invests substantial amounts of Microsoft funds in making governments' anti-cyber-crime initiatives more productive.
[Scott served as chief of the Computer Crime and Intellectual Property Section (CCIPS), Criminal Division, at the Department of Justice, from 1991 to 1999. Under his direction, CCIPS investigated and prosecuted national and international hacker cases, economic espionage cases, and violations of federal criminal copyright and trademark laws. Before joining the federal prosecutive ranks, Charney was an assistant district attorney in Bronx County, New York, ultimately serving as deputy chief of the Investigations Bureau. Today, Scott also serves as a co-chair of the Commission of Cyber Security for the 44th Presidency. ]
Northcutt Commentary On The Jammie Thomas Case
Capitol v. Thomas (formerly Virgin v. Thomas) is the first P2P copyright infringement case to work its way through the Federal courts. Jammie Thomas, a single mother of two, was fined $220,000 for making songs available on Kazaa. Thomas appealed. A large number of amicus briefings have been filed; this decision will help establish case law so the stakes are high for both sides. The defendant's appeal states the amount of damages exceeds the Due Process Clause of the Constitution. The RIAA and Department of Justice contend these were statutory damages and therefore are not covered by the Constitution. "Statutory damages compensate those wronged in areas in which actual damages are hard to quantify in addition to providing deterrence to those inclined to commit a public wrong" according to the DoJ.-http://arstechnica.com/news.ars/post/20071204-doj-says-222000-damages-in-capitol
-v-thomas-trial-not-unconstitutional.html
The RIAA just brought in a real heavy (Donald Verrilli, the man who argued Metro-Goldwyn-Mayer Studios Inc. v. Grokster, Ltd before the Supreme Court ((Grokster lost)) for this next stage of the case:
-http://news.slashdot.org/article.pl?sid=08/08/01/2251217
-http://beckermanlegal.com/Documents/virgin_thomas_080731MotProHacViceVerrilli.pd
f
The EFF feels the final decision will center on one of the jury instructions. "Jury Instruction #15: The act of making copyrighted sound recordings available for electronic distribution on a peer-to-peer network, without license from the copyright owners, violates the copyright owners' exclusive right of distribution, regardless of whether actual distribution has been shown." Seven months after the original trial, the judge decided he may have made an error with this provision and ordered this trial. "Making available" as copyright infringement is not yet proven. Arguments were heard in a different case (Elektra v. Barker), that may support this assertion, if Capitol v Thomas leads to the same conclusion this may become case law for P2P, but Perfect 10 v Amazon probably keeps it from applying to search engines ('Honest, honey, I was doing research on the Perfect 10 thing.'):
-http://www.eff.org/deeplinks/2007/10/capitol-v-thomas-key-appeal-issue
-http://beckermanlegal.com/Documents/virgin_thomas_080711DeftReplyBrief.pdf
-http://info.riaalawsuits.us/documents.htm#Elektra_v_Barker
-http://www.eff.org/deeplinks/2008/04/offering-distribute-distribution-says-elekt
ra-v-barker-ruling
-http://www.eff.org/files/filenode//Perfect10vGoogle9thCir12-2007.pdf
Another twist on the "Making Available" problem that may be resolved in this ruling is whether the fact that the RIAA detectives actually downloading 24 songs from Thomas share folder counts as proof of copyright infringement. Here is a pretty good list of all the documents in the case to date and also the most expensive 24 song playlist in history:
-http://recordingindustryvspeople.blogspot.com/2007/01/index-of-litigation-docume
nts.html#Virgin_v_Thomas
-http://blog.wired.com/27bstroke6/2007/10/trial-of-the-ce.html
And as a parting smile, there is even a Free Jammie website to commemorate her 15 minutes of fame:
-http://freejammie.freeforums.org/
-http://www.jammiethomas.org/
*************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescastore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.
Alan Paller is director of research at the SANS Institute
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security courses at Minnesota State University, Mankato. He is the President of Prudent Security LLC and also serves as the President of the Mankato Chapter ISSA.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/