SANS NewsBites - Volume: XI, Issue: 15


Cool new gift to the security community from the folks at the Internet Storm Center: a daily summary of information security events as a 5-10 minute "stormcast". See: isc.sans.org/podcast.html , or search iTunes for "Stormcast". Each Stormcast is made available between 0 and 3am GMT, so it is ready for many readers for a morning commute.

The sleeper story of the year is the first one. The CAG will revolutionize first federal and defense industrial base cyber security, then security product procurement, and then (very quickly) banking security and critical infrastructure security. If you work in any place with data that really matters, test your current controls against what is published in the CAG (don't check whether you have policies, rather use the measures of effectiveness in the CAG to test the quality of your controls.) For consultants, the biggest new business opportunities will go to the large consulting companies who are first to make the transition from FISMA reporting or ISO auditing to CAG implementation and testing.
Alan

*************************************************************************
SANS NewsBites                     February 24, 2009                    Volume: XI, Issue: 15
*************************************************************************
TOP OF THE NEWS

  US Consortium Releases Consensus Security Audit Guidelines
  Nevada Bill Will Be Amended to Avoid Criminalizing RFID Research
  Proposed Legislation Would Require Retention of Internet Use Data for Two Years
  Another Payment Processor Security Breach

THE REST OF THE WEEK'S NEWS

  LEGAL ISSUES
   Starbucks Facing Lawsuit Over Laptop Theft
  POLICY AND LEGISLATION
   Pending NZ Copyright Law Put On Hold
  VULNERABILITIES
   US-CERT Warns of Proxy Server Flaw
  DATA BREACHES, LOSS & EXPOSURE
   Three Breaches at Univ. of Florida Gainesville in as Many Months
  ATTACKS & ACTIVE EXPLOITS
   Targeted Attacks Exploit Unpatched Adobe Flaw
   Unauthorized Patch Posted for Adobe Flaw
  STUDIES AND STATISTICS
   More Than Half of Former Employees Took Company Data


************************* Sponsored By Q1 Labs **************************

Leverage Log Management to Boost Your Enterprise IT Security: Collect and manage event logs from your entire IT infrastructure; Effectively reduce and prioritize millions of network and security events; Quickly and easily search and report on events in real time and over an extended period of time. A COMPLIMENTARY WHITE PAPER FOR SANS READERS: https://www.sans.org/info/38964

*************************************************************************

TRAINING UPDATE

- - SANS 2009 in Orlando in early March - the largest security training conference and expo in the world. Lots of evening sessions: http://www.sans.org/
- - Looking for training in your own Community? http://sans.org/community/
For a list of all upcoming events, on-line and live: www.sans.org

*************************************************************************

TOP OF THE NEWS

US Consortium Releases Consensus Security Audit Guidelines (February 23, 2009)
A consortium of security experts from government and industry has released the Consensus Audit Guidelines (CAG), a list of 20 controls that government and private industry organizations must implement to protect against and mitigate the effects of cyber attacks. For each control, the CAG details attacks that it stops or mitigates, how to implement and automate the control, and how to determine whether the control is implemented effectively. The CAG consortium includes the organizations that know how actual attacks are being executed (NSA Red and Blue teams, US-CERT, DC3, DoE Nuclear labs, and more.) The CAG is available for public comment through March 23, 2009. The full guidelines may be found at:
-http://www.sans.org/cag/
-http://www.theregister.co.uk/2009/02/23/cybersecurity_gold_standard/
-http://news.cnet.com/8301-1009_3-10169583-83.html?part=rss&subj=news&tag=2547-1009_3-0-20

-http://fcw.com/Articles/2009/02/23/cyber-controls.aspx
-http://federaltimes.com/index.php?S=3957648
-http://www.informationweek.com/news/security/government/showArticle.jhtml?articleID=214502467&subSection=News

[Editor's Note (Northcutt): I hope you will take a few minutes out of your busy day and take a look at these. You are going to see some initials to the left of the controls. QW stands for Quick Win. The big suggestion I have is to look over the quick wins and see if you can get a few of those in place. Great job on these and I hope we start to see thought leaders take advantage of this. ]


Nevada Bill Will Be Amended to Avoid Criminalizing RFID Research (February 20, 2009)
A bill currently before the Nevada state legislature would effectively criminalize the activity of people researching radio frequency identification (RFID) security threats. The bill's sponsor plans to introduce amendments to ensure it will not affect people conducting legitimate research. Currently, the bill makes it a felony to "possess, read or capture another person's personal identifying information through radio frequency identification." Nevada hosts two well-known conferences, Defcon and Black Hat, at which demonstrations of RFID weaknesses are likely events.
-http://www.theregister.co.uk/2009/02/20/nevada_rfid_skimming_bill/
-http://news.cnet.com/8301-1009_3-10168749-83.html?part=rss&subj=news&tag=2547-1009_3-0-20

-http://www.leg.state.nv.us/75th2009/Bills/SB/SB125.pdf


Proposed Legislation Would Require Retention of Internet Use Data for Two Years (February 20, 2009)
US legislators have introduced a bill that would require extensive logging of Internet use. The proposed legislation aims to help police with investigations. All ISPs and wireless access point operators would be required to retain logs of users' activity for a minimum of two years. The law would apply not only to large ISPs, but also to private homes that have wireless access points or wired routers that use the Dynamic Host Configuration Protocol as well as small businesses, libraries, schools and government agencies.
-http://www.cnn.com/2009/TECH/02/20/internet.records.bill/index.html?eref=rss_tech

[Editor's Note (Northcutt): That is really nifty, an economic stimulus package for disk drive manufacturers! Seriously, this is a dumb idea, fraught with problems: how are we going to collect that volume of information, then how do we protect it, and what do we do when it is misused?
(Ranum): Absurd. Basically, they are proposing to require extensive logging of usage patterns for every single internet access point in the US. It amounts to an enormous unfunded mandate to home users, cybercafes, airport wireless terminals, hotels, etc. The malefactors targeted by this law - presumably child porn traders and terrorists and whatnot - would be able to easily hide their actions anyway.
(Ullrich): At the ISC, this issue has been the focus of our reader comments this week. I would like to quote one of them, provided by Jerry Rose: "This is like the difference between policies and procedures. The law needs to be like policies. It must be worded to stand the test of time - independent of changing technologies. Procedures must change often in order to keep up with technological changes. This would be represented by the method of prosecution of a defendant." ]


Another Payment Processor Security Breach (February 23, 2009)
Advisories on the websites of several financial institutions suggest that a cyber security breach has occurred at an as yet unnamed card payment processor; this incident is separate from the Heartland Payment Systems breach. The Tuscaloosa Federal Credit Union issued a statement saying that "while it has been confirmed that malicious software was placed on the processor's platform, there is no evidence that accounts were viewed or taken by the hackers." The compromised data in this breach include account numbers and expiration dates of payment cards used in card-not-present transactions over the course of the last 12 months. Visa and MasterCard have started notifying banks affected by the breach.
-http://www.securityfocus.com/brief/913
-http://www.databreaches.net/?p=1686
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9128429&source=rss_topic17

-http://www.alabamacu.com/moreServices/idTheft.html
-http://www.tvacu.com/tvacu/News.asp?111



********************* SPONSORED LINKS *********************************

1) What are the ten technical tips most penetration testers don't know but should? Penetration Testing and Ethical Hacking Summit June 1-2. http://www.sans.org/info/38969

2) Read Stephen Northcutt's interview with John Pirc of IBM on the topic of Securing the Intelligent Network. http://www.sans.org/info/38974

*************************************************************************

THE REST OF THE WEEK'S NEWS

LEGAL ISSUES


Starbucks Facing Lawsuit Over Laptop Theft (February 23, 2009)
A Starbucks employee has filed a class action lawsuit against the company in response to a data security breach that occurred in October 2008. A laptop containing the names, addresses and Social Security numbers (SSNs) of approximately 97,000 Starbucks employees was stolen last fall; the suit alleges fraud and negligence, and seeks an extension of the one year of credit monitoring the company offered as well as unspecified damages and assurances that Starbucks will be required to undergo regular third party security audits.
-http://www.networkworld.com/news/2009/022309-starbucks-sued-after-laptop-data.html



POLICY AND LEGISLATION


Pending NZ Copyright Law Put On Hold (February 20 & 23, 2009)
New Zealand Prime Minister John Key has delayed the effective date of an impending copyright law by one month due to physical and digital protests that the proposed legislation goes too far. The law would require Internet service providers (ISPs) to sever the connections of individuals suspected of repeat copyright infringement. Prime Minister Key is hopeful that by March 27 a "voluntary code of practice" can be worked out; if not, Section 92A, as the amendment to the Copyright Act is known, will be suspended.
-http://news.cnet.com/8301-1023_3-10169519-93.html
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9128330&source=rss_topic17



VULNERABILITIES


US-CERT Warns of Proxy Server Flaw (February 23, 2009)
The US Computer Emergency Readiness Team (US-CERT) has issued a warning about an architectural flaw in some proxy servers that could be exploited by attackers to connect "to any website or resource the proxy can connect to," including Intranets that should be off limits. Several dozen products have been updated; administrators should ensure they have installed the most recent versions to secure their networks.
-http://www.kb.cert.org/vuls/id/435052
-http://www.theregister.co.uk/2009/02/23/serious_proxy_server_flaw/


DATA BREACHES, LOSS & EXPOSURE


Three Breaches at Univ. of Florida Gainesville in as Many Months (February 22, 2009)
The University of Florida in Gainesville has reportedly experienced three data security breaches in a three month period. The most recent incident involved a server that allowed faculty to host online course material and exposed personally identifiable information of 97,200 faculty, staff and students who were active at the university between 1996 and 2009. A breach in January of this year involved an LDAP Directory Server configuration error and exposed personally identifiable information of about 100 people. Finally, in November 2008, an intrusion compromised personally identifiable information of more than 330,000 current and former College of Dentistry patients who had been seen at the school since 1990.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=knowledge_center&articleId=9128398&taxonomyId=1&intsrc=kc_top



ATTACKS & ACTIVE EXPLOITS


Targeted Attacks Exploit Unpatched Adobe Flaw (February 19 & 20, 2009)
Targeted attacks exploiting an unpatched critical vulnerability in Adobe Reader have been detected. The flaw is known to affect Adobe Reader versions 8.1.3 and 9.0.0 running on Windows XP SP3; other versions of Windows are likely to be vulnerable as well. Adobe Reader running on OS X and Linux machines was not tested. Adobe has issued an advisory warning of a critical buffer overflow vulnerability in both Reader and Acrobat. Adobe plans to have patches ready for version 9 of the programs by March 11, with patches for versions 8 and 7 to follow shortly thereafter.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9128278&source=rss_topic17

-http://www.theregister.co.uk/2009/02/20/adobe_reader_exploit/
-http://gcn.com/Articles/2009/02/20/PDF-zero-day-exploit.aspx
-http://news.cnet.com/8301-1009_3-10168266-83.html?part=rss&subj=news&tag=2547-1009_3-0-20

-http://www.adobe.com/support/security/advisories/apsa09-01.html
-http://www.us-cert.gov/cas/techalerts/TA09-051A.html


Unauthorized Patch Posted for Adobe Flaw (February 23, 2009)
A vulnerability researcher has posted an unauthorized patch for a critical buffer overflow flaw in Adobe Reader that is being actively exploited. Adobe acknowledged the vulnerability last week and said it would have a fix prepared by March 11. The homemade patch, a replacement .dll, addresses only the Windows version of Adobe 9.0 and offers no guarantees. The flaw affects versions 7, 8 and 9 of both Adobe Reader and Adobe Acrobat. Users can also protect themselves from attacks by disabling JavaScript.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9128428&source=NLT_PM

[Editor's Note (Ullrich): Aside from the patch, a number of sources posted scripts to disable JavaScript processing in PDFs. These scripts may be a safer method to mitigate this exploit and some can be implemented via group policy.
(Northcutt): This could be a very good time to try Firefox and NoScript:
-http://noscript.net/]
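The item above says users can protect themselves by disabling JavaScript in Adobe Reader, and that the setting can be pushed out by group policy. The following PowerShell script is an added example written for this issue; it is not from Adobe, the newsletter, or any of the sources linked above. It assumes the per-user preference is the DWORD value bEnableJS under HKCU:\Software\Adobe\Acrobat Reader\<version>\JSPrefs, as Adobe documents for Reader 8 and 9; that path is not on this page, so confirm it against Adobe's documentation for the version you run. The version list ('8.0', '9.0') is taken from the versions named in the item.

```powershell
# Added example: turn off JavaScript in Adobe Reader for the current user
# and verify the result. Assumes (not stated on the page) that Reader reads
# the preference from HKCU:\Software\Adobe\Acrobat Reader\<version>\JSPrefs\bEnableJS.

$versions = @('8.0', '9.0')   # Reader versions named in the advisory

foreach ($v in $versions) {
    $key = "HKCU:\Software\Adobe\Acrobat Reader\$v\JSPrefs"

    # Create the key if Reader has not written its preferences yet, so the
    # setting is in place before the user first opens a PDF.
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }

    # 0 = JavaScript disabled, 1 = enabled (Reader's own preference dialog
    # toggles the same value).
    Set-ItemProperty -Path $key -Name 'bEnableJS' -Value 0 -Type DWord

    # Read it back rather than trusting the write.
    $current = (Get-ItemProperty -Path $key -Name 'bEnableJS').bEnableJS
    if ($current -eq 0) {
        Write-Output "Reader $v: JavaScript disabled (bEnableJS=0)"
    } else {
        Write-Warning "Reader $v: bEnableJS is $current, expected 0"
    }
}
```

Because this writes under HKCU it applies per user and can be reverted from Reader's Preferences dialog; to deploy it across a domain, push the same value with a Group Policy registry preference for each user profile, and re-check it after Adobe's March 11 patch is applied, since a patched Reader is where JavaScript can safely be re-enabled if applications depend on it.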


STUDIES AND STATISTICS


More Than Half of Former Employees Took Company Data (February 23, 2009)
The Ponemon Institute interviewed 945 US adults who had been laid-off, fired, or changed jobs within the last year and found that more than half took company information with them when they left their former positions. The rationales for taking the data included help getting another job, help starting their own business, or simple revenge. All of the participants in the survey had access to proprietary information, including customer data, employee information, financial reports, software tools and confidential business documents. The survey also found that just 15 percent of the companies examined the paper and/or electronic documents their former employees took with them when they left.
-http://news.bbc.co.uk/2/hi/technology/7902989.stm
-http://www.theregister.co.uk/2009/02/23/insider_threat_survey/
-http://news.cnet.com/8301-1009_3-10170006-83.html?part=rss&subj=news&tag=2547-1009_3-0-20

[Editor's Note (Schultz): What the Ponemon Institute's study did not show is just how bad ex-employee activity can get after a company folds. I have heard numerous accounts about computer crimes (including brazen thefts of servers) by ex-employees that ostensibly occurred after High Tower Software collapsed. Sadly, despite all the reported illegal activity, no complaints have been filed with law enforcement, nor has anyone been charged with any crime.]


**********************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Ron Dick headed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.


Alan Paller is director of research at the SANS Institute.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/