SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume X - Issue #75

September 23, 2008

TOP OF THE NEWS

Stronger Identity Theft Act Awaits Presidential Signature
Nevada Data Encryption Law Takes Effect October 1
North Carolina to Use Scanners to Ensure Voters Receive Proper Ballots
Survey Shows Two-Thirds of Organizations Have Experienced Cyber Attacks

THE REST OF THE WEEK'S NEWS

ARRESTS, CHARGES & CONVICTIONS
Former State Dept. Intelligence Analyst Pleads Guilty to Passport File Snooping
VULNERABILITIES
Citect Acknowledges Seriousness of SCADA Flaw
Clickjacking Talk Cancelled
UPDATES AND PATCHES
Adobe Will Fix Clipboard Vulnerability in Flash 10
VMware Issues Fixes for Critical Buffer Overflow Flaws
ATTACKS
Palin eMail Attack Linked to Tennessee College Student
Palin Should Not Have Used Unsecure eMail for State Business Communication
MISCELLANEOUS
Network Provider's Negative Reputation is its Downfall
Apple's Patching Process Debated

---

******************** Sponsored By Palo Alto Networks ********************

Attention Cisco PIX Users: Now that Cisco announced "end of life" for its PIX Security Appliances, consider a transition to award-winning next generation firewalls from Palo Alto Networks. Get unprecedented visibility and control of all applications, users, and content -and get instant rebates of up to $6,000! Learn more, watch this short webcast.
http://www.sans.org/info/33404

*************************************************************************

TRAINING UPDATE

- - NETWORK SECURITY 2008: Las Vegas (9/28-10/6) 50 courses; big security tools expo; lots of evening sessions: http://www.sans.org/ns2008/
- - Monterey (10/31-11/6) http://www.sans.org/info/30738
- - Sydney Australia (10/27-11/1) http://www.sans.org/sydney08/
- - Vancouver (11/17-11/22) http://www.sans.org/vancouver08/
and in 100 other cites and on line any time: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

Stronger Identity Theft Act Awaits Presidential Signature (September 17 & 20, 2008)

The Identity Theft Enforcement and Restitution Act of 2008 has been approved by both houses of US legislature and now goes before the president to be signed into law. The bill clarifies what constitutes identity and information theft and increases the penalties for those found guilty. The act does away with the minimum level of damages required for charges to be filed against information thieves. In addition, victims of identity theft would have the right to sue the culprits for restitution.
-http://www.vnunet.com/vnunet/news/2226560/identity-theft-bill-set
-http://www.eweek.com/c/a/Security/Congress-Approves-Computer-Fraud-Bill/

Nevada Data Encryption Law Takes Effect October 1 (September 19, 2008)

A Nevada law requiring that businesses encrypt all transmissions of personal, identifiable information over the Internet becomes enforceable as of October 1, 2008. An attorney who has been keeping a close eye on the issue has expressed concern that the statute is overly broad in its definition of what constitutes encryption, does not address industry standards, and is not clear about how those who violate the law will be penalized.
-http://blog.baselinemag.com/bottom_line/content/security/nevada_deadline_on_emai
l_encryption_looming.html
[Editor's Note (Schultz): Interestingly, many of the criticisms of this law have also previously been leveled against SB 1386. SB 1386 nevertheless has had a huge impact on data security notification in most states within the US. ]

North Carolina to Use Scanners to Ensure Voters Receive Proper Ballots (September 19, 2008)

This November, voters in North Carolina will have an increased level of confidence that they are receiving the correct ballot on which to record their votes thanks to the use of scanners. The state uses more than 100 different ballots; voters in North Carolina mark their choices directly on their ballots. Poll workers will scan each voter's voter authorization form as well as the associated ballot; the process should catch any anomalies. The scanners were tested in several municipalities in the state's May primary election and will be used in all precincts in November's election.
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=210602730

Survey Shows Two-Thirds of Organizations Have Experienced Cyber Attacks (September 22, 2008)

According to the US Department of Justice's 2005 National Computer Security Survey, over two-thirds of the more than 7,800 companies responding to the survey experienced at least one cybercrime incident during that year. The incidents were classified as cyber attacks, cyber theft, or other. Three-fourths of the cyber attacks originated from outside the organizations; the same percentage of cyber thefts originated from within the organizations. More than half of the cyber thefts were reported to authorities, while just six percent of cyber attacks were reported.
-http://www.securityfocus.com/brief/825
The actual survey results:
-http://www.ojp.usdoj.gov/bjs/pub/pdf/cb05.pdf

---

************************** Sponsored Links: ***************************

1) Join your peers and other professionals at the Forensics & Incident Response Summit October 13-14. http://www.sans.org/info/33409
2) ALERT: Forrester Webcast: Web 2.0 Browser Exploits- What Hackers know that you don't http://www.sans.org/info/33414

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

ARRESTS, CHARGES & CONVICTIONS

Former State Dept. Intelligence Analyst Pleads Guilty to Passport File Snooping (September 17 & 22, 2008)

A former US State Department intelligence analyst has pleaded guilty to unauthorized access to a State Department computer for snooping on passport records of well known people. Lawrence Yontz could face up to a year in prison for accessing the files, which include those of major players in the current presidential race. A recent audit found "a general lack of policies, procedures, guidance and training" at the State Department's passport bureau. Yontz admitted to having perused the files of approximately 200 well-known individuals and their families; he will cooperate with the government's continuing investigation.
-http://blog.wired.com/27bstroke6/2008/09/idle-curiosity.html
-http://www.cnn.com/2008/POLITICS/09/16/passport.snooping/

VULNERABILITIES

Citect Acknowledges Seriousness of SCADA Flaw (September 19, 2008)

Citect has replaced its advisory about a flaw in its CitectSCADA (Supervisory Control and Data Acquisition) software. The original advisory downplayed the seriousness of the flaw, but after exploit code for the flaw was published last week, the company replaced the advisory with a more strongly worded version. The person who released the code, said he did so because he did not believe Citect was taking the threat seriously enough; he is pleased that the company has acknowledged the severity of the flaw. Citect released a patch for the flaw in June 2008.
-http://www.theregister.co.uk/2008/09/19/scada_advisory_pulled/
-http://www.citect.com/documents/news_and_media/CitectSCADA-security-response.pdf
[Editor's Note (Skoudis): Sadly, SCADA vendors usually have to be forced into disclosing the significance of security flaws and the importance of their patches. As an industry, we really need to keep the pressure on the SCADA vendors for quickly and thoroughly fixing flaws, and then warning their customers about the issue. If your organization relies on SCADA devices for your operations, make sure your security personnel are in touch with your main SCADA vendors to get vulnerability information in a timely fashion.
(Debate) A small difference of opinion arose among NewsBites editors on whether to list the name of the person who disclose the vulnerability "because he did not believe (the vendor) was taking the threat seriously enough." Editor and security pioneer, Marcus Ranum, had the last word: The people who do exploit and vuln releases do it for attention. Naming them in newsbytes plays right into their hands; I generally recommend that we not reward disclosure, as a matter of policy. Feed cockroaches and you just get more cockroaches. ]

Clickjacking Talk Cancelled (September 19, 2008)

A talk on a type of vulnerability dubbed "clickjacking" scheduled to be delivered at the OWASP Conference has been cancelled. The people presenting the talk became concerned that the flaws are serious enough that it would be irresponsible to disclose them without first giving vendors time to fix them. The experts scheduled to give the talk have contacted vendors whose products are believed to be vulnerable to the type of exploit they had planned to speak about. "Clickjacking" involves a number of flaws that could be exploited to trick users into clicking on a link that is never or perhaps only briefly visible.
-http://www.heise-online.co.uk/security/Is-clickjacking-the-next-threat--/news/11
1570
-http://ha.ckers.org/blog/20080915/clickjacking/
[Editor's Note (Skoudis): Kudos to Rsnake and Jeremiah Grossman for acting responsibly here and explaining so clearly their reasons for doing so. They have set an effective standard for us all. ]

UPDATES AND PATCHES

Adobe Will Fix Clipboard Vulnerability in Flash 10 (September 22, 2008)

Adobe Systems Inc. says it will fix a vulnerability in Flash when it releases the next version of Flash 10. The flaw has been actively exploited to place URLs that link to malicious websites on users' clipboards. The new version of Flash will lock the setClipboard command so that it can only be called through user initiated action; remote calls will not be allowed. The availability date for the fix is not known.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9115269&source=rss_topic17
-http://www.heise-online.co.uk/security/Adobe-to-prevent-clipboard-attacks-via-Fl
ash-Player--/news/111581
-http://www.adobe.com/devnet/flashplayer/articles/fplayer10_security_changes.html
-http://labs.adobe.com/technologies/flashplayer10/

VMware Issues Fixes for Critical Buffer Overflow Flaws (September 19 & 22, 2008)

VMware has released patches to address two buffer overflow vulnerabilities in some of its products. The flaws affect the openwsman component in ESXi and ESX 3.5 and could be exploited to allow remote code execution. VMware also released two other patches to address additional vulnerabilities in libpng, bind, net-snmp and perl for ESX 3.5 servers.
-http://www.theregister.co.uk/2008/09/19/vmware_critical_vuln_patched/print.html
-http://www.zdnetasia.com/news/security/0,39044215,62046380,00.htm
-http://www.vmware.com/security/advisories/VMSA-2008-0015.html
[Editor's Note (Veltsos): As organizations increase their deployment of virtual environments, attackers will focus on weaknesses in virtualization technology implementations. The security community has already pointed out the limitations and problems one faces when running firewalls, IDS/IPS, or incident response in virtual environments.
-http://www.cio.com/article/360713/Today_s_Virtualization_Security_Tools_One_Hidd
en_Risk_?contentId=360713&slug]

ATTACKS

Palin eMail Attack Linked to Tennessee College Student (September 21 & 22, 2008)

The FBI has served a warrant at the apartment of a University of Tennessee student who is believed to be involved with the intrusion into Governor Sarah Palin's Yahoo! email account. No charges have yet been filed, but three roommates of the man under suspicion, David Kernell, have been served with court summonses. Kernell was pegged as a possible culprit when his email address was linked to a posting to a bulletin board about having broken into Palin's account. The man who runs Ctunnel, a proxy service that was used by the attacker, initially said the IP address information he has regarding the attack does not point to Kernell. However, he has since acknowledged that the IP address used to break into the account was traced to an Illinois-based internet service provider (ISP) that provides service to the housing complex where Kernell lives.
-http://www.theregister.co.uk/2008/09/22/palin_hack_suspect_search_warrant/print.
html
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9115238&source=rss_topic17
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9115289&source=rss_topic17
-http://blog.wired.com/27bstroke6/2008/09/fbi-raid-apartm.html

Palin Should Not Have Used Unsecure eMail for State Business Communication (September 22, 2008)

Government Computer News (GCN) columnist William Jackson does not dispute that breaking into Governor Palin's email account was wrong, but also observes that Palin should have known better than to use unsecured email accounts to conduct state business, ostensibly to prevent the communications from being subject to disclosure laws.
-http://www.gcn.com/online/vol1_no1/47187-1.html?topic=security&page=1

MISCELLANEOUS

Network Provider's Negative Reputation is its Downfall (September 22, 2008)

California based network provider Intercage, also known as Atrivo, has had its last upstream Internet provider pull the plug after coming under fire for supplying service to the company that has been branded a source of malware on the Internet. Atrivo had reportedly been turning a blind eye to spammers and other Internet malware purveyors who were its clients. After reports surfaced in the media several weeks ago about the prevalence of malware emanating from the Atrivo network, most of its upstream providers severed their business relationships with the company. The last remaining provider was pushed to the brink after Spamhaus blacklisted more than 1,000 of its IP addresses. Once the provider, Pacific Internet Exchange (PIE), stopped providing Atrivo with service, Spamhaus removed virtually all of the blocks. Atrivo president and owner Emil Kacperski says he is being treated unfairly and that he received an average of just five complaints a week about malicious domains on his network. While the community is in agreement that consistently problematic customers need to be dealt with, some have voiced the opinion that what occurred with Atrivo was the equivalent of vigilante justice.
-http://voices.washingtonpost.com/securityfix/2008/09/internet_shuns_us_based_isp
_am.html?nav=rss_blog
-http://www.theregister.co.uk/2008/09/22/intercage_goes_dark/print.html

Apple's Patching Process Debated (September 22, 2008)

A number of security experts have said that Apple's unpredictable patching process is problematic, possibly putting companies in a position to decide not to patch because they don't know when the next one will be coming. Others say that it is unfair to compare Apple to Microsoft, which releases patches on a predictable schedule; instead, it should be compared to other Unix vendors. In addition, Apple's tendency to issue patches as soon as they become available gives attackers a smaller window of opportunity than does Microsoft.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9115288&intsrc=hm_ts_head
[Editor's Note (Skoudis): I understand the arguments of both sides, but I really would prefer to see more predictable patch releases from Apple, which would greatly help operations in the enterprise space. Also, it seems to me that the comparison with Unix hardly matters if Apple is gunning for higher market share on corporate desktops by grabbing market share from Windows. ]

---

*************************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescastore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.


Alan Paller is director of research at the SANS Institute


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security courses at Minnesota State University, Mankato. He is the President of Prudent Security LLC and also serves as the President of the Mankato Chapter ISSA.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/