SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume X - Issue #72

September 12, 2008

TOP OF THE NEWS

Exploit Code Released for SCADA Vulnerability
Law Enforcement Officials Need Warrant to Access Stored Mobile Phone Company Data
SF SysAdmin's Lockout Attack on San Francisco City Network May Cost US $1 Million to Fix
Google Shortens Time it Will Keep User Search Data

THE REST OF THE WEEK'S NEWS

ARRESTS, CHARGES & CONVICTIONS
Student Gets Probation for Breaking Into School, Computer
Spyware Helps Nab Sexual Predator
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
UK Home Office Terminates Contract With Company That Lost Data
Most Data Shared Between NZ Government Agencies are Encrypted
UPDATES AND PATCHES
Apple Releases Updates for QuickTime, iTunes and iPod touch
Microsoft Issues Four Security Bulletins
DATA LOSS AND EXPOSURE
Man Wants Court Docs off Website, Posts Internal County eMail in Protest
MISCELLANEOUS
Fedora is Issuing Updates

---

************************** Sponsored By SANS ****************************

How are the latest forensic techniques used to help combat threats in organizations today? Which products are the best in the incident response and computer forensic community? Attend the Forensics & Incident Response Summit October 13-14 and learn the answers to these and other key Forensics & Incident Response questions.
http://www.sans.org/info/33064

*************************************************************************

TRAINING UPDATE

- - NETWORK SECURITY 2008: Las Vegas (9/28-10/6) 50 courses; big tools expo; lots of evening sessions: http://www.sans.org/ns2008)
- - Monterey (10/31-11/6) http://www.sans.org/info/30738
- - Sydney Australia (10/27-11/1) http://www.sans.org/sydney08/
- - Vancouver (11/17-11/22) http://www.sans.org/vancouver08/
and in 100 other cites and on line any time: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

Exploit Code Released for SCADA Vulnerability (September 10, 2008)

Attack code that exploits a known vulnerability in CitectSCADA software has been published. The person who published the code said he did so to raise awareness about security flaws in SCADA (Supervisory Control and Data Acquisition Systems) because the "vendors are not being held responsible for the software that they're producing." The code was released as a software module for Metasploit, which makes it easier to use. The vulnerability in CitectSCADA was disclosed in June 2008; a patch was released at the same time. Patching industrial systems presents a unique set of concerns; because these systems regulate elements of critical infrastructure such as power and water, downtime has the potential to cause significant problems.
-http://www.networkworld.com/news/2008/091008-computer-threat-for-industrial-syst
ems.html?hpg1=bn
[Editor's Note (Schultz): SCADA system vendors are indeed not being very responsive to customer needs in that they for the most part act oblivious to vulnerabilities found in their systems. Perhaps posting an exploit for the CitectSCADA vulnerability will help shake them out of their complacency, although I genuinely dread to think what might happen if attackers begin using this attack code in the wild.
(Guest Editor Raul Siles): We at Internet Storm Center are providing a snort signature to detect the attacks and the traffic peak from Dshield for the associated port. That means this vulnerable port is being targeted in the wild:
-http://isc.sans.org/diary.html?storyid=4997]

Law Enforcement Officials Need Warrant to Access Stored Mobile Phone Company Data (September 10 & 11, 2008)

The US District Court for the Western District of Pennsylvania has upheld a lower court decision that says law enforcement officers must obtain a warrant based on probable cause to access mobile phone companies' stored information that allows them to track a suspect's past movements. Earlier cases have established that law enforcement authorities must have a warrant based on probable cause to be able to track phone users' movements in real time. Prior to this case, however, "the government has routinely seized these (old) records without search warrants."
-http://www.securityfocus.com/brief/817
-http://www.eff.org/press/archives/2008/09/11
-http://www.eff.org/files/filenode/celltracking/lenihanorder.pdf
[Editor's Note (Northcutt): This makes perfect sense, getting a warrant is not that hard, but allowing law enforcement to access personal data with no audit trail can only lead to abuse of the privilege. ]

SF SysAdmin's Lockout Attack on San Francisco City Network May Cost US $1 Million to Fix (September 10 & 11, 2008)

The city of San Francisco (CA) Department of Technology estimates that costs associated with repairing damage done to a city computer network by a former system administrator will exceed US $1 million. Terry Childs allegedly locked his superiors out of administrative access to the FiberWan network by creating a super password. He disclosed the password only after the city's mayor visited him in jail; his bail had been set at US $5 million. San Francisco city officials are also trying to find a networking device called a "terminal server" that Childs installed. They do not know its physical location and have been unable to log in to the device, which appears to have allowed Childs remote access to the network.
-http://www.theregister.co.uk/2008/09/10/rogue_sf_sysadmin_may_cost_sf_1m/print.h
tml
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9114479&source=rss_topic17

Google Shortens Time it Will Keep User Search Data (September 9, 10 & 12, 2008)

Google has responded to concerns voiced by the European Union's Article 29 Working Body about data privacy by cutting in half the amount of time it will store user search data before starting to anonymize them. Google had previously reduced the amount of time it kept data from 24 to 18 months before beginning the anonymization process; under the new arrangement, Google will begin anonymizing the data after nine months. EU Justice and Home Affairs Commissioner Jacques Barrot called Google's move "a step in the right direction," but would like to see the company reduce the length of time it stores the data to six months.
-http://news.bbc.co.uk/2/hi/technology/7605801.stms
-http://news.smh.com.au/technology/eu-justice-chief-welcomes-google-privacy-move-
20080222-1tt6.html
-http://www.nzherald.co.nz/feature/story.cfm?c_id=1501833&objectid=10531528
[Editor's Note (Pescatore): Six months is certainly way better than 18 months, but why isn't the data anonymized immediately? ]

---

************************** SPONSORED LINKS: *****************************

1) Visit the SANS Buyers Guide for updated listings and useful information when selecting the latest in IT security technologies. http://www.sans.org/info/33069
2) Protecting Your Highly-Distributed Retail Network: Why PCI Compliance May Be No Bargain http://www.sans.org/info/33074

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

ARRESTS, CHARGES & CONVICTIONS

Student Gets Probation for Breaking Into School, Computer (September 10, 2008)

Tesoro High School (Orange County, CA) senior Tanvir Singh has been sentenced to three years of probation and 200 hours of community service for breaking into the school and gaining unauthorized access to a teacher's computer. Singh reached a plea deal with prosecutors that dropped some of the charges against him; he could be called on to testify against another student, Omar Khan, who is believed to have orchestrated the scheme. In addition to his sentence, Singh will pay all court fees and restitution.
-http://www.ocregister.com/articles/felony-khan-school-2153228-singh-counts

Spyware Helps Nab Sexual Predator (September 9 & 10, 2008)

The father of a teenage girl, concerned about sudden changes in his daughter's behavior, placed spyware on her computer. It revealed that she had been in communication with a former coach who had previously signed an agreement that prevented him from having contact with the girl. The IM conversations were enough evidence for police to arrest Nicholas Lovell for violating the earlier agreement. Lovell went to trial, where he was found guilty of engaging in sexual activity with a minor and sentenced to four-and-a-half years in jail.
-http://www.theregister.co.uk/2008/09/10/web_monitoring_traps_child_abuser/print.
html
-http://www.getbracknell.co.uk/news/s/2035089_spyware_on_girls_email_snared_her_o
lder_man
[Editor's Comment (Northcutt): Yayyyyyy dad! Children should not have an expectation of privacy when using a computer. Though the years I have heard some heart-wrenching stories from parents. This is not about trusting your kids, it is about expecting a 15 or 16 year old child to have the tools and experience to withstand a deviant person twice their age.]

GOVERNMENT SYSTEMS AND HOMELAND SECURITY

UK Home Office Terminates Contract With Company That Lost Data (September 10 & 11, 2008)

The UK Home Office has terminated a GBP 1.5 million (US $ 2.63 million) contract with PA Consulting, the company that lost a memory stick containing information about 84,000 prisoners in England and Wales. PA Consulting had been hired "to administer the prisoner-tracking JTrack system." Home Secretary Jacqui Smith said that after reviewing the incident, it was evident that by failing to handle the data in a secure fashion, PA Consulting violated the terms of its contract. The PA Consulting staff member who was responsible for the memory stick has been fired. Other contracts PA Consulting has with the Home Office are currently under review.
-http://www.zdnet.co.uk/misc/print/0,1000000169,39486549-39001093c,00.htm
-http://www.vnunet.com/computing/news/2225776/government-concludes-pa
-http://www.theregister.co.uk/2008/09/11/pa_consulting_home_office_plea/print.htm
l
-http://www.silicon.com/publicsector/0,3800010403,39286267,00.htm?r=1
[Editor's Note (Pescatore): While the contractor in this case says the breach was due to one employee acting improperly, if a post-incident review shows process and performance failures then losing the contract should be the consequence.
(Honan): When outsourcing work to a third party ensure that your contract states clearly what the security requirements are that you are imposing on the outsourcing company and the penalties, including up to termination of the contract, for breaches of the contract. You should also ensure that terminating these contracts is one of the scenarios that should be built into your business continuity plan. ]

Most Data Shared Between NZ Government Agencies are Encrypted (September 9, 2008)

Following a review of data transfer procedures between New Zealand government agencies, Privacy Commissioner Marie Shroff mandated that data shared between agencies must be encrypted. At the time of the review in February 2008, just 19 of 46 data sharing programs were using encryption; now just three of the 46 are not encrypted. Data are shared by tape, CD and floppy disk; one of the sharing arrangements has moved to an online system.
-http://computerworld.co.nz/news.nsf/scrt/CF22BCF7E17A0DEFCC2574BE007E4AFD
-http://www.nzherald.co.nz/feature/story.cfm?c_id=1501832&objectid=10531292
[Editor's Note (Pescatore): good to see high percentage of physical media are now encrypted but I'll bet there is all kinds of data sharing going on via email. ]

UPDATES AND PATCHES

Apple Releases Updates for QuickTime, iTunes and iPod touch (September 10, 2008)

Apple has released QuickTime 7.5.5, an update that addresses nine flaws that could be exploited to create denial-of-service conditions or run arbitrary code on vulnerable computers. So far this year, Apple has patched 30 vulnerabilities in QuickTime. Five of the QuickTime flaws affect both Mac and Windows versions; the remaining four affect only Windows. Apple Inc. has also issued security updates to address flaws in iTunes and iPod touch.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9114429&source=rss_topic17s
-http://news.cnet.com/8301-1009_3-10036849-83.html?part=rss&subj=news&tag
=2547-1009_3-0-20
-http://www.securityfocus.com/brief/816
iTunes:
-http://support.apple.com/kb/HT3025
iPod touch:
-http://support.apple.com/kb/HT3026
QuickTime:
-http://support.apple.com/kb/HT3027
[Editor's Note (Honan): Apple's lack of transparency in how it is patching applications leaves a lot to be desired and could impact the use of Apple technology within a corporate environment. See the following insight into the latest patches; An inside look at Apple's sneaky iTunes 8 upgrade
-http://blogs.zdnet.com/Bott/?p=536]

Microsoft Issues Four Security Bulletins (September 9, 2008)

The four security bulletins Microsoft issued on Tuesday, September 9 include fixes for at least eight vulnerabilities in Windows Media Player, Windows Media Encoder, Microsoft Office and the Microsoft Windows GDI+ (graphics device interface). The most serious appears to be a series of flaws in GDI, the component that allows users to view JPEGs and other images. The five flaws could be exploited to install malware on vulnerable systems. All four bulletins have maximum severity ratings of critical. There are no publicly known exploits for the flaws.
-http://www.theregister.co.uk/2008/09/09/microsoft_sept_patch_tuesday/print.html
-https://www.microsoft.com/technet/security/bulletin/ms08-sep.mspx
-http://www.gcn.com/online/vol1_no1/47102-1.html?topic=security
-http://isc.sans.org/diary.html?storyid=5009

DATA LOSS AND EXPOSURE

Man Wants Court Docs off Website, Posts Internal County eMail in Protest (September 10, 2008)

An Arkansas man has posted internal email messages of Pulaski County clerk's office officials to protest the county's refusal to remove some public documents that contain Social Security numbers (SSNs) from its web site. Bill Phillips wants the county to remove Circuit Court records from the site because they contain sensitive personal information. The county blocked access to real estate records of county residents which had previously been available online after the state attorney general said the sensitive data must be redacted from the documents before they can be made publicly available, but the court records remain accessible. Pulaski County Clerk Pat O'Brien is not worried about the emails and other county clerk's office documents being made public. O'Brien says he is "a huge proponent of freedom of information and believe(s) that public records should be accessible online." Software has been purchased to redact the sensitive data from the real estate records, but it would not work for the circuit court documents. In any case, the Arkansas Supreme Court, not the county clerk's office, has jurisdiction over how the court records are managed.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9114438&source=rss_topic17

MISCELLANEOUS

Fedora is Issuing Updates (September 10 & 11, 2008)

The Fedora Project is once again issuing updates several weeks after an intruder broke into its network. The updates will switch users to new, secure update servers, from which they can download more updates. All of the Fedora Project's packages have been signed with a new key.
-http://www.zdnet.co.uk/misc/print/0,1000000169,39486961-39001093c,00.htm
-http://www.heise-online.co.uk/security/Fedora-8-and-9-updates-begin-to-flow-agai
n--/news/111505
-https://fedoraproject.org/w/index.php?title=Enabling_new_signing_key

---

*************************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescastore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.


Alan Paller is director of research at the SANS Institute


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.


Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.


Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security courses at Minnesota State University, Mankato. He is the President of Prudent Security LLC and also serves as the President of the Mankato Chapter ISSA.


Roland Grefer is an independent consultant based in Clearwater, Florida.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/