
SANS NewsBites - Volume: XI, Issue: 20

SANS NewsBites                     March 13, 2009                    Volume: XI, Issue: 20

  Application Security Best Practices: A New Maturity Model for Building Security In
  BBC Criticized for Acquiring Control of and Using Botnet in Report
  House Subcommittee Hearing Focuses on DHS Role in Federal Cyber Security


   Two Arrested in Alleged Bribery Scheme
   College Student Faces Additional Charges in Palin eMail Break-in Case
   Russian Youth Group Member Boasts of Role in 2007 Estonian DDoS Attacks
   Microsoft Fixes Critical Windows Kernel Flaw
   Adobe Issues Updates to Address Flaw in Reader 9 and Acrobat 9
   Soldiers' Info May Have Been Compromised
   Wikileaks eMails Sen. Coleman Campaign Donors About Data Leak
   Sprint Notifies Some Customers That Their Account Data Were Compromised

******************* Sponsored By IBM Rational AppScan ******************

Improving the security of web applications starts by building software securely. IBM Rational AppScan is a suite of Web application vulnerability scanners that includes dynamic and static analysis capabilities. Now you can engage more testers earlier in the development cycle. Try it for yourself: download an evaluation copy of IBM Rational AppScan Developer Edition.



- - Phoenix 3/23-3/30 (5 courses) http://www.sans.org/phoenix09/
- - Washington DC (Tyson's Corner) 4/14-4/22 (5 long courses and 8 short courses) http://www.sans.org/tysonscorner09/event.php
- - Amsterdam and Melbourne, too. See www.sans.org
- - Log Management Summit in Washington 4/5-4/7 http://www.sans.org/logmgtsummit09/
- - Plus Calgary, New Orleans, San Diego and more...
- - Looking for training in your own Community? http://sans.org/community/
For a list of all upcoming events, on-line and live: www.sans.org



Application Security Best Practices: A New Maturity Model for Building Security In (March 9 & 10, 2009)
The Building Security In Maturity Model (BSIMM) is "a set of best practices developed by Cigital and Fortify" that draws together data from nine real-world software security initiatives to help software developers build more secure products. The model breaks the observed practices down into 12 areas, including strategy and metrics, security features and design, and configuration and vulnerability management.


[Editor's Note (Pescatore): Good stuff, but the real value is in the listed best practices and being able to see which are common practice and which are best practice, vs. the idea of maturity levels.
(Paller): John Pescatore is exactly right (as usual). The value here is in the common, best practices that can instruct other organizations that want to learn from these leaders. We talked at length with two of the biggest participants to better understand what they have learned about security education for programmers. They explained that security awareness training was not helpful at all unless it was complemented by actual secure coding training, often including the use of libraries that make secure coding easy. ]

BBC Criticized for Acquiring Control of and Using Botnet in Report (March 12, 2009)
Security experts are speaking out against a BBC Click investigation for purchasing a botnet and using it to send spam to several email accounts created deliberately for the investigation. The purpose of the report was to demonstrate the dangers of botnets. BBC warned the owners of the PCs that had been infected with bot software and offered advice on cleaning their machines of the malicious programs, but chose a questionable method of notification: changing the people's screensavers. Some security experts say that the investigation ran afoul of the law, perhaps even violating the UK's Computer Misuse Act.

[Editor's Note (Pescatore): This is really no different than hiring an arsonist to burn down an unused building to have good video of the flames. Doesn't matter whether it is illegal or not, it is unprofessional and silly.
(Skoudis): Serious stuff. Repeat after me: "Never use a botnet for nefarious purposes, even if you are just 'testing' or 'researching' its capabilities." ]

House Subcommittee Hearing Focuses on DHS Role in Federal Cyber Security (March 10 & 11, 2009)
The US House Committee on Homeland Security Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology heard testimony this week regarding DHS's effectiveness as the locus of federal cyber security efforts. Former director of the DHS National Cyber Security Division Amit Yoran spoke of DHS's "inefficiency and leadership failure" regarding implementation of effective cyber security policy. Director of IT management issues at the Government Accountability Office (GAO) David Powner said that his organization believes that the country's needs would be better served if another agency were to take the cyber security lead, with DHS involved in an operational capacity. The GAO also supports a White House role in cyber security policy. The National Security Agency is already taking an increasing role in federal cyber security.



************************** SPONSORED LINKS ******************************

1) Join GW's MFS program with concentrations in High Technology Crime Investigation and Security Management! http://www.sans.org/info/40238

2) Visit the SANS Vendor Demo resource page to see the latest INFOSEC products & solutions in action! http://www.sans.org/info/40243




Two Arrested in Alleged Bribery Scheme (March 12 & 13, 2009)
Two men have been arrested in Washington D.C. in connection with an alleged bribery scheme. One of the men, Yusuf Acar, is an information systems security officer at the D.C. government's Office of the Chief Technology Officer. The other man, Sushil Bansal, is a former D.C. government employee and presently a contractor with the D.C. Office of the CTO. Acar is facing charges of financial conflict of interest, money laundering and conspiracy. FBI agents took away boxes of documents from the office, which was until earlier this month headed by Vivek Kundra, President Obama's appointed chief information officer.


College Student Faces Additional Charges in Palin eMail Break-in Case (March 9 & 10, 2009)
David Kernell, the Tennessee college student who allegedly broke into Governor Sarah Palin's Yahoo! mail account has pleaded not guilty to three new felony charges. Kernell now faces charges of intentional access without authorization; fraud; unlawful electronic transmission of material outside the state; and attempts to conceal records to impede an FBI investigation. If he is found guilty on all counts, Kernell could face up to 20 years in prison and a fine of up to US $250,000.
[Editor's Note (Schultz): I hate to think of someone going to prison for 20 years as the result of a cyberprank, yet at the same time the events surrounding this story point directly to the risks individuals incur when they engage in unauthorized computing activity.
(Skoudis): Given this story and the one about Senator Coleman below, both associated with politics, we seem to have entered the age of hacking for political advantage by embarrassing an adversary or drying up their contributions through a breach. You know, ironically, I fully accept the militarization of cyber space, but somehow the politicization of the hack just doesn't sit well with me. If this continues and grows, having our politics distorted by breaches would be a scary thing. ]


Russian Youth Group Member Boasts of Role in 2007 Estonian DDoS Attacks (March 11 & 12, 2009)
A member of a Kremlin-backed youth group called Nashi has said that he was an active participant in the May 2007 distributed denial-of-service (DDoS) attacks on computer networks in Estonia. Konstantin Goloskokov defended the attacks as "cyber defense"; the attacks were launched in retaliation for a decision made in Estonia to relocate a Red Army war memorial. Goloskokov said his group acted independently and did not launch the attacks on orders from the government.


Microsoft Fixes Critical Windows Kernel Flaw (March 11, 2009)
On Tuesday, Microsoft released three security bulletins to address eight vulnerabilities in Windows. The most serious, MS09-006, fixes a critical flaw in the Windows kernel that could be exploited to allow remote code execution. The other two bulletins address spoofing vulnerabilities and are rated important. The critical bulletin is the first to address a flaw in Microsoft's Windows 7 beta. In addition to the security bulletins, Microsoft issued an updated version of its Malicious Software Removal Tool that now includes definitions for the Koobface worm.




Adobe Issues Updates to Address Flaw in Reader 9 and Acrobat 9 (March 10 & 12, 2009)
Adobe has released a patch for a vulnerability in Reader 9 and Acrobat 9 that attackers have been exploiting for the past few months. The patch addresses the "no-click" variant of the flaw as well as the one that requires users to open a maliciously crafted PDF file. The flaw could be exploited to crash the application and possibly to gain control of vulnerable machines. Presently, only version 9 for Windows and Mac has been patched; Adobe expects to release fixes for Windows and Mac versions 7 and 8 by March 18, and for version 9 for Unix systems by March 25.




Soldiers' Info May Have Been Compromised (March 12, 2009)
The US Army is notifying approximately 1,600 soldiers that their personal information may have been compromised during a database security breach. The incident affects soldiers who registered with and/or participated in the service's Operation Tribute to Freedom, which allows soldiers to share their stories publicly. The compromised data include names, email correspondence, addresses, awards received and dates of deployment and return.

Wikileaks eMails Sen. Coleman Campaign Donors About Data Leak (March 11 & 12, 2009)
Wikileaks.org has posted information it says was leaked from the campaign web site of Minnesota Republican Norm Coleman, a candidate for the US Senate. The data include information belonging to about 51,000 Coleman campaign donors and supporters; 4,721 of those also had several digits of their credit card numbers exposed. Wikileaks said it published the information to substantiate claims that the website had suffered a data leak earlier this year. Legal counsel for Coleman maintains that the data were stolen, and that the campaign will "fully pursue all legal options available." Wikileaks has emailed all the donors whose information is in the files to let them know about the breach.



Sprint Notifies Some Customers That Their Account Data Were Compromised (March 11, 2009)
Sprint has sent letters to several thousand customers warning them that their account information was sold or shared without their permission. The breach occurred several months ago when a Sprint employee accessed the account information. The employee, who appears to have given the information to a third party, has been fired. The compromised data include names, addresses, wireless phone numbers, account numbers and answers to security questions. Affected customers were urged to contact customer service and change their personal identification numbers and security questions.

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Ron Dick headed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Ed Skoudis is co-founder of InGuardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.

Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.

Alan Paller is director of research at the SANS Institute

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/