SANS NewsBites - Volume: XI, Issue: 4


Next Wednesday (January 21) is the last day to save $30 on registration
for SANS 2009 in Orlando - SANS' biggest training conference/Expo.
http://www.sans.org/sans2009

*************************************************************************
SANS NewsBites                     January 16, 2009                    Volume: XI, Issue: 4
*************************************************************************
TOP OF THE NEWS

  Massachusetts Data Security Regulations Go Into Effect in May
  Many MoD IT Systems Do Not Meet Security Guidelines
  Two Reports Find Data Security Problems at IRS
  EDITORIAL: The Top 25 and Application Security Procurement Language

THE REST OF THE WEEK'S NEWS

  LEGAL ISSUES
   Angie's List Files Lawsuit Alleging Industrial Espionage
  ARRESTS, CHARGES & CONVICTIONS
   Former Help Desk Employee Admits Cyber Sabotage
   Wireless Hacking Braggarts Avoid Jail Time
  GOVERNMENT SYSTEMS AND HOMELAND SECURITY
   NY Police Sergeant Admits Accessing FBI Database Without Authorization
  DATA PROTECTION & PRIVACY
   NIST Draft Publication Offers Guidelines for Safeguarding Personal Data
  VULNERABILITIES
   Pop-Up Phishing
  UPDATES AND PATCHES
   Microsoft Update Fixes Three Vulnerabilities in Server Message Block Protocol
  ATTACKS & ACTIVE EXPLOITS
   Downadup Worm Infects More Than 1 Million PCs in 24-Hour Period


*************************************************************************

TRAINING UPDATE

- - SANS 2009 in Orlando in early March - the largest security training conference and expo in the world. Lots of evening sessions: http://www.sans.org/
- - SANS Security West Las Vegas (1/24-2/01) http://sans.org/securitywest09/
- - Looking for training in your own Community? http://sans.org/community/
For a list of all upcoming events, on-line and live: www.sans.org

*************************************************************************

TOP OF THE NEWS

Massachusetts Data Security Regulations Go Into Effect in May (January 15, 2009)
New data security rules in Massachusetts mean that companies doing business with Massachusetts residents have until May 1, 2009 to effect changes to comply with the stringent data protection requirements. The new rules apply not only to the companies themselves, but to their service providers as well; the rule applies to all organizations that retain personal information of Massachusetts residents. The Massachusetts Data Security Regulations define personal information as an individual's first and last name in combination with an associated Social Security number (SSN), driver's license number or financial account number. The rules encompass administrative, technical and physical security issues.
-http://www.techweb.com/article/showArticle?articleID=212900788
[Editor's Note (Schultz): Massachusetts is clearly paving the way for what hopefully will be a trend within other states--passing laws that require better protection of personal and/or financial information.]


Many MoD IT Systems Do Not Meet Security Guidelines (January 14 & 15, 2009)
Nearly three-quarters of IT systems tested thus far at the UK Ministry of Defence (MoD) and associated agencies do not meet established security guidelines, according to a data handling review. The security guidelines were established last summer following a number of publicized and embarrassing data security blunders at government departments. The MoD has tested just 58 percent of its systems against the standards. In a separate but related story, the MoD has confirmed that malware infections have shut down "a small number" of IT systems, including networks on Royal Navy warships.
-http://news.zdnet.co.uk/security/0,1000000189,39591619,00.htm
-http://www.vnunet.com/computing/news/2234069/quarter-mod-systems-tested-far
-http://www.theregister.co.uk/2009/01/15/royal_navy_email_virus_outage/


Two Reports Find Data Security Problems at IRS (January 15, 2009)
According to an audit report from the Treasury Inspector General for Tax Administration, the US Internal Revenue Service (IRS) launched an on-line tax filing system despite known security concerns. Although testing of the fourth release of the IRS Modernized e-File system revealed 13 security vulnerabilities, the system was launched in January 2007. Among the concerns are lack of appropriate access controls on both the system and the database that stores filed documents, and the lack of a backup processing site should the main site be rendered unusable. A second report, this one from the Government Accountability Office (GAO), indicated that the IRS has mitigated fewer than half of the 115 vulnerabilities it had noted in an earlier report. Among the GAO's concerns are the lack of control over data access and the lack of encryption.
-http://www.nextgov.com/nextgov/ng_20090115_6302.php
-http://www.washingtonpost.com/wp-dyn/content/article/2009/01/15/AR2009011500955.html

-http://www.treas.gov/tigta/auditreports/2009reports/200920026fr.pdf


EDITORIAL: The Top 25 and Application Security Procurement Language (Alan Paller)
The Top 25 Most Dangerous Programming Errors list and the Application Security Procurement Guidelines released earlier this week garnered an amazing amount of support and media coverage. It is clear that this is a watershed event - one that is already changing the application development landscape. It is a great accomplishment by DHS and NSA and MITRE for the Top 25 and by New York State for the procurement language. But there is a problem. One article mischaracterized the procurement guidelines in ways that were both wrong and damaging. It talked about New York "demanding" and "planning to force" secure coding. I know the people in New York State responsible for making security effective. They get things done through collaboration and partnership and they have achieved greater results that way than the people who tried to use a big stick. The end goal is the same - developing secure applications - however, in New York, the process of how you get there is as important as the end goal. The intention of New York's efforts is to take an important step in achieving more secure applications and minimizing vulnerabilities. The goal is that known security flaws are remediated before the custom software is delivered. The result will benefit both developers and consumers by facilitating a more secure environment for all of us collectively. The Guidelines are voluntary best practices to facilitate the procurement of secure development of custom software. New York's philosophy is that we will only be successful if buyers and sellers of custom software approach these efforts in a collaborative and cooperative manner. The Guidelines have been distributed broadly throughout the public and private sectors for comment and the document will continue to evolve and improve over time. You can find the procurement guidelines at the New York state site (www.cscic.state.ny.us) or at SANS www.sans.org/appseccontract.




************************ SPONSORED LINKS ******************************

1) Take part in the SANS 5th Annual Log Management Survey: A Leading Source for Actionable Data on Key Issues and Trends. http://www.sans.org/info/37163
2) Visit the SANS Vendor Demo resource page to see the latest INFOSEC products & solutions in action! http://www.sans.org/info/37168
3) REGISTER TODAY, Upcoming SANS Webcast on January 20th at 1pm EST: Startup Advice and ArcSight Logger Overview. http://www.sans.org/info/37173

*************************************************************************

THE REST OF THE WEEK'S NEWS

LEGAL ISSUES


Angie's List Files Lawsuit Alleging Industrial Espionage (January 14 & 15, 2009)
Angie's List, the Indianapolis-based consumer rating website, has filed a lawsuit in Indiana state court accusing Christopher "Kit" Cody of industrial espionage. The suit alleges that while he was a paying member of the site, Cody used a bot to scrape 9,278 service provider files from the Angie's List site and used the information to start a competing site. Cody's attorney disputes the allegations. Angie's List members share information about various services.
-http://www.theregister.co.uk/2009/01/15/angies_list_lawsuit/
-http://www.indystar.com/article/20090114/BUSINESS/901140336
[Editor's Note (Pescatore): Spiders and bots are often consuming more web site resources than legitimate users are. It is hard enough to differentiate the spiders from the legitimate users - it is worse trying to stop "bad" spiders while letting the friendly ones through. Simple things like robots.txt only work with the friendly ones. ]
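The defender's counterpart to Pescatore's point is that robots.txt is a request, not a control, so the server side has to look at behaviour instead. The following is an added example, not code from the newsletter or from Angie's List: it parses a constructed robots.txt and a handful of constructed Apache-style access log lines, then labels each client by two observable signals - whether it ever fetched robots.txt and then stayed out of the Disallow paths (a cooperative crawler), or whether it hammered disallowed paths faster than a human browses (a suspected scraper). The IP addresses, paths, user-agents and the rate threshold are all invented for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed robots.txt fragment (illustrative, not the site's real file).
ROBOTS_TXT = """User-agent: *
Disallow: /members/
Disallow: /provider/
"""

# Constructed access log in Apache "combined" format; addresses are documentation ranges.
ACCESS_LOG = """\
203.0.113.7 - - [14/Jan/2009:10:00:01 +0000] "GET /robots.txt HTTP/1.1" 200 52 "-" "friendly-crawler/1.0"
203.0.113.7 - - [14/Jan/2009:10:00:02 +0000] "GET /about HTTP/1.1" 200 1834 "-" "friendly-crawler/1.0"
198.51.100.9 - - [14/Jan/2009:10:00:01 +0000] "GET /provider/1001 HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
198.51.100.9 - - [14/Jan/2009:10:00:01 +0000] "GET /provider/1002 HTTP/1.1" 200 4011 "-" "Mozilla/5.0"
198.51.100.9 - - [14/Jan/2009:10:00:02 +0000] "GET /provider/1003 HTTP/1.1" 200 3998 "-" "Mozilla/5.0"
198.51.100.9 - - [14/Jan/2009:10:00:02 +0000] "GET /provider/1004 HTTP/1.1" 200 4102 "-" "Mozilla/5.0"
198.51.100.9 - - [14/Jan/2009:10:00:03 +0000] "GET /provider/1005 HTTP/1.1" 200 4050 "-" "Mozilla/5.0"
192.0.2.44 - - [14/Jan/2009:10:00:05 +0000] "GET /provider/2001 HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
192.0.2.44 - - [14/Jan/2009:10:03:10 +0000] "GET /about HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
"""

# Combined-log-format matcher: client IP, timestamp, request line, status, bytes, referer, user-agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_robots_disallow(text):
    """Return the Disallow prefixes in the 'User-agent: *' group (minimal parser, no wildcards)."""
    prefixes, applies = [], False
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(':')
        key, value = key.strip().lower(), value.strip()
        if key == 'user-agent':
            applies = (value == '*')
        elif key == 'disallow' and applies and value:
            prefixes.append(value)
    return prefixes


def parse_log(text):
    """Yield (ip, timestamp, path, user_agent) tuples; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
        records.append((m.group('ip'), ts, m.group('path'), m.group('ua')))
    return records


def classify_clients(records, disallow, max_per_window=4, window_seconds=10):
    """Label each client IP from its request pattern (thresholds are constructed, tune per site)."""
    by_ip = defaultdict(list)
    for ip, ts, path, _ua in records:
        by_ip[ip].append((ts, path))
    result = {}
    for ip, hits in by_ip.items():
        hits.sort()
        fetched_robots = any(path == '/robots.txt' for _, path in hits)
        disallowed_hits = sum(1 for _, path in hits if any(path.startswith(d) for d in disallow))
        # Peak request count inside any sliding window of window_seconds.
        peak, start = 0, 0
        for end in range(len(hits)):
            while (hits[end][0] - hits[start][0]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if fetched_robots and disallowed_hits == 0:
            label = 'cooperative-crawler'      # read the rules and honoured them
        elif peak > max_per_window and disallowed_hits > 0:
            label = 'suspected-scraper'        # ignored the rules and moved faster than a person
        else:
            label = 'ordinary'                 # members legitimately browse /provider/ pages too
        result[ip] = {'label': label, 'peak_rate': peak,
                      'disallowed_hits': disallowed_hits, 'fetched_robots': fetched_robots}
    return result


if __name__ == '__main__':
    verdicts = classify_clients(parse_log(ACCESS_LOG), parse_robots_disallow(ROBOTS_TXT))
    for ip, info in sorted(verdicts.items()):
        print(f"{ip:<14} {info['label']:<20} peak={info['peak_rate']} "
              f"disallowed={info['disallowed_hits']} robots.txt={info['fetched_robots']}")
```

Neither signal is decisive on its own: members do open the disallowed member-only pages, and a polite crawler may simply never have read robots.txt. Combining the rate with the path class is what separates the scraper from both, and the thresholds would be set from a site's own baseline traffic.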


ARRESTS, CHARGES & CONVICTIONS


Former Help Desk Employee Admits Cyber Sabotage (January 14 & 15, 2009)
A man who used to work at the help desk at Eden Prairie, Minnesota-based Wand Corp. has admitted he placed malware on his former employer's computer system. David Ernest Everett Jr. put the malicious programs on the system after losing his job in March 2008. Wand Corp. provides IT systems and point-of-sale systems for fast food restaurants. The attack caused problems on 25 servers at a variety of locations; cleaning up the mess cost approximately US $49,000. Everett faces up to 10 years in prison when he is sentenced.
-http://www.theregister.co.uk/2009/01/15/malware_revenge_attack/
-http://www.startribune.com/local/north/37542054.html?elr=KArksD:aDyaEP:kD:aUbP:P:Q_V_MPQLa7PYDUiD3aPc:_Yyc:aUU



Wireless Hacking Braggarts Avoid Jail Time (January 12, 2009)
Two men who bragged in a 2002 newspaper article about their success at breaking into wireless networks were caught in an FBI sting early the following year. Dana Arvidson and Gabriel Schaffer may have thought the incident was behind them. But in February 2008, Arvidson and Schaffer were indicted, and last week they were sentenced to six months of house arrest and three years of probation. Their bravado was prompted by a desire to be hired by companies to protect their wireless networks. The article caught the attention of the FBI; an undercover agent established a relationship with Arvidson and asked him to engage in a project that involved illegal activity - the theft of information from a defense contractor.
-http://www.cleveland.com/business/plaindealer/index.ssf?/base/business-11/123175273238730.xml&coll=2



GOVERNMENT SYSTEMS AND HOMELAND SECURITY


NY Police Sergeant Admits Accessing FBI Database Without Authorization (January 14, 2009)
A New York City police sergeant is facing a year in prison and a fine of at least US $100,000 for illegally obtaining information from the FBI's National Crime Information Center (NCIC) database and giving it to an acquaintance for use in a custody battle. Haytham Khalil pleaded guilty to one misdemeanor charge. He did not have authorization to access the NCIC database, but a colleague who does have authorization left his login credentials available so co-workers could access the information while he was not there. The incident occurred in December 2007.
-http://www.theregister.co.uk/2009/01/14/ny_cop_gilty_plea/
-http://www.nytimes.com/2009/01/15/nyregion/15sergeant.html?ref=nyregion


DATA PROTECTION & PRIVACY


NIST Draft Publication Offers Guidelines for Safeguarding Personal Data (January 14, 2009)
The National Institute of Standards and Technology (NIST) has released a draft of Special Publication 800-122, "Guide to Protecting the Confidentiality of Personally Identifiable Information," to help government agencies decide how to best protect the information they retain. NIST makes several recommendations, including identifying and categorizing all personally identifiable information (PII) that the organization retains; limiting data retention to only what is necessary; applying a risk-based approach to data protection; and creating and implementing an incident response plan for breaches of PII. NIST is accepting public comment on the draft document through March 13, 2009.
-http://gcn.com/Articles/2009/01/14/NIST-on-securing-personal-data.aspx?Page=2
-http://csrc.nist.gov/publications/drafts/800-122/Draft-SP800-122.pdf
[Editor's Note (Northcutt): I am a big fan of NIST and if you can take a few minutes to read the draft and comment, broad input helps make the final work better. I think the title is wrong, however; there is less "protection" explained than "identification." They have a nice section on incident response for privacy incidents (section 5). There is a line in that section that government folks need to be aware of: PII incidents should be reported to US CERT within an hour. They also mention the OECD guidelines in Appendix D. To this day, the OECD guidelines seem to be the clearest, most well thought out guidance on privacy I have seen. ]


VULNERABILITIES


Pop-Up Phishing (January 12 & 14, 2009)
A security flaw in the JavaScript engines of all major browsers could allow attackers to phish for financial account login credentials through pop-up windows. Dubbed "in-session phishing," exploiting the flaw would involve planting malicious HTML code on legitimate websites that looks like a pop-up security alert window. The window would ask the target for login information and possibly other information used to gain access to financial accounts. The attack also requires that the targeted user is logged in to an online financial account program.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9125759&source=NLT_AM

-http://www.theregister.co.uk/2009/01/14/pop_up_phishing/
-http://www.heise-online.co.uk/news/Banking-details-can-be-stolen-through-a-new-JavaScript-exploit--/112417

[Editor's Note (Ullrich): Sounds like an announcement from a company desperate to make the news somehow. The attack requires that one first defaces the to-be-phished website. Once you have that kind of access, popups are just one way to insert a plausible login dialog. ]


UPDATES AND PATCHES


Microsoft Update Fixes Three Vulnerabilities in Server Message Block Protocol (January 14, 2009)
The sole bulletin in Microsoft's monthly scheduled security release for January addresses three critical flaws in Microsoft Server Message Block (SMB) Protocol; the flaws could be exploited to allow remote code execution. All three have received ratings of 3 on Microsoft's exploitability index, meaning that functioning exploit code for the flaws is unlikely. The vulnerability affects all versions of Windows, although the severity rating is lower for Vista and Windows 2008 than for earlier versions of the operating system.
-http://www.theregister.co.uk/2009/01/14/black_tuesday/
-https://www.microsoft.com/technet/security/bulletin/ms09-jan.mspx


ATTACKS & ACTIVE EXPLOITS


Downadup Worm Infects More Than 1 Million PCs in 24-Hour Period (January 14 & 15, 2009)
A rapidly spreading worm has infected an estimated 1.1 million PCs in a 24-hour period, bringing the total number of infected computers to 3.5 million. The Downadup worm exploits a flaw in the Windows Server service used by all supported versions of Windows. The flaw was addressed in an out-of-cycle patch released in October 2008. The most recent version of Microsoft's Malicious Software Removal Tool, which was released on Tuesday, January 13, detects and removes the worm. The large number of infections is due to the fact that 30 percent of Windows systems have remained unpatched. Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=5695
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9125941&source=rss_topic17



**********************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Ron Dick headed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.


Alan Paller is director of research at the SANS Institute.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/