SANS NewsBites - Volume: XI, Issue: 61


Good news on adoption of the 20 Critical Controls (CAG) - see the first story. The next step is to change HIPAA and GLB to allow them to use the 20 Critical Controls as a minimum standard of due care.


Alan

*************************************************************************
SANS NewsBites                     August 04, 2009                    Volume: XI, Issue: 61
*************************************************************************
TOP OF THE NEWS

  NIST Issues Final Version of SP 800-53; Enables Rapid Adoption of the Twenty Critical Controls (Consensus Audit Guidelines)
  DoD Revisiting Social Media Policy
  Contractor Repays Government for Inadequate Security

THE REST OF THE WEEK'S NEWS

  GOVERNMENT SYSTEMS AND HOMELAND SECURITY
   Hathaway to Step Down
  ARRESTS, INDICTMENTS & SENTENCES
   Man Faces Felony Charges for Allegedly Stealing and Reselling Domain Name
  COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
   Boston Univ. Student Fined US $675,000 for Filesharing
  UPDATES AND PATCHES
   Adobe Issues Critical Updates for Reader and Acrobat
   Apple Issues Fix for SMS Vulnerability
  DATA BREACHES, LOSS & EXPOSURE
   Data Security Breach Compromised Personal Data of 27,000 US Commerce Dept. Employees
  MALWARE
   Twitter Filtering Some Malicious Links
  MISCELLANEOUS
   Suspicious ATMs at DefCon


************************* Sponsored By Oracle ***************************

FREE Database Security Resource Kit

Learn how Oracle can help you address data privacy, insider threats, and regulatory compliance. Request your free resource kit with technical white papers, step-by-step tutorials, as well as analyst reports, expert webcasts, and a self-assessment tool to get you started today.
https://www.sans.org/info/46929

*************************************************************************

TRAINING UPDATE

- - SANS Network Security, San Diego Sept. 14-22; the Fall's biggest security training conference-- 20 full length courses and 16 short courses plus a big exhibition https://www.sans.org/ns2009
- - SANS Virginia Beach August 28 - Sept. 4. 11 full-length courses plus short courses: https://www.sans.org/vabeach09/
- - The Virtualization and Cloud Security Summit on August 17-18 in Washington; courses in the following days https://www.sans.org/info/43118
Looking for training in your own community? https://sans.org/community/ Save on On-Demand training (30 full courses) - See samples at https://www.sans.org/ondemand
For a list of all upcoming events, on-line and live:
http://www.sans.org

*************************************************************************

TOP OF THE NEWS

NIST Issues Final Version of SP 800-53; Enables Rapid Adoption of the Twenty Critical Controls (Consensus Audit Guidelines) (August 3, 2009)
The National Institute of Standards and Technology (NIST) has published the final version of SP 800-53, Revision 3, "Recommended Security Controls for Federal Information Systems and Organizations." The document is the first major revision of the guidelines for implementing the Federal Information Security Management Act (FISMA) since 2005. Among the changes in this updated version are "A simplified, six-step Risk Management Framework; Recommendations for prioritizing security controls during implementation or deployment; and Guidance on using the Risk Management Framework for legacy information systems and for external information system services providers." The new version of 800-53 solves three fatal problems in the old version by calling for common controls (rather than system-by-system controls), continuous monitoring (rather than periodic certifications), and prioritized controls (rather than asking IGs to test everything). Those are the three drivers for the 20 Critical Controls (CAG). In at least five agencies, contractors that previously did 800-53 evaluations are being re-assessed on their ability to implement and measure the effectiveness of the 20 Critical Controls in those agencies. One Cabinet-level Department has shown that implementing the 20 Critical Controls with continuous monitoring reduced the overall risk by 84% across all departmental systems world-wide.
-http://gcn.com/Articles/2009/08/03/NIST-release-of-800-53-rev-3-080309.aspx
-http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf
[Editor's Note (Paller): This is very good news. John Gilligan reports that a new version of the 20 Critical Controls document will be released next week with a table, put in the document at NIST's request, showing how the 20 Critical Controls are a proper subset of the priority one controls in the revised 800-53. A course on implementing and testing the 20 Critical Controls will be run in San Diego next month and in Chicago in October.
-https://rr.sans.org/ns2009/description.php?tid=3467 ]



DoD Revisiting Social Media Policy (July 31 & August 3, 2009)
US Strategic Command is reviewing the safety of social media like Facebook, MySpace and Twitter to help reevaluate Defense Department (DoD) policy regarding their use. The primary concerns are attackers using the sites to get malware on DoD networks, and employees posting too much personal information online. Social media sites were once banned from DoD networks, but earlier this summer, the US Army ordered that all US bases must allow access to Facebook.
-http://fcw.com/articles/2009/08/03/dod-rethinking-social-media-access.aspx
-http://gcn.com/Articles/2009/07/31/DOD-ban-social-media-security-issues.aspx
-http://www.scmagazineus.com/DoD-might-reblock-Facebook-Twitter/article/141103/
[Editor's Note (Pescatore): It wasn't all that long ago when this same article came out saying "DoD Revisiting Internet Access Policy" and then "DoD Revisiting Blackberry Use Policy" and then "DoD Revisiting WLAN Use Policy" dot dot dot. If human beings start to use a technology, businesses and government agencies that employ human beings will inevitably move from blocking to containing to securing that technology. ]


Contractor Repays Government for Inadequate Security (July 25, 2009)
A US government contractor has repaid US $1.3 million of a US $5.4 million Pentagon contract after investigators found that the company's cyber security was inadequate and that a subcontractor's computer system was infiltrated through an Internet address based in China. The intruder gained "total access to the root network." Apptis Inc.'s contract involved "software maintenance, updates and testing for a Military Health System program."
-http://www.washingtontimes.com/news/2009/jul/25/contractor-returns-money-to-pentagon/

[Editor's Note (Ranum): When the decision is made to contract out a capability "in order to save costs" there should be a public after-action assessment of the cost-consequences of that choice. I suspect that a vast number of outsourcing projects look like savings on paper but actually are financial black holes that haven't fully developed yet. ]



**************************** SPONSORED LINK******************************

1) WEBCAST: How Browser Exploits Lead to Web 2.0 Hacking with keynote from IDC
http://www.sans.org/info/46934

*************************************************************************

THE REST OF THE WEEK'S NEWS

Hathaway to Step Down (August 3, 2009)
Acting cyber security coordinator Melissa Hathaway has announced that she will step down from that position later this month for personal reasons. Hathaway, who conducted the 60-day cyber security review for President Obama earlier this year, had been considered to be a top contender for the as-yet unfilled permanent post. A White House spokesperson said that the reason the post remains unfilled is that the president has been occupied with "other pressing matters." Some former White House officials have wondered if people are reluctant to take on a job that requires answering to two bosses (the National Security and National Economic Council advisers) and has "no authority over the departments and agencies with regard to budget and operations." There are some in the security field who say that the position should not be filled at all.
-http://blogs.usatoday.com/ondeadline/2009/08/white-house-cyber-czar-quits.html
-http://online.wsj.com/article/SB124932480886002237.html?mod=googlenews_wsj
-http://www.computerworld.com/s/article/9136207/Report_Hathaway_resigns_as_acting_cybersecurity_czar?taxonomyId=1
-http://www.wired.com/dangerroom/2009/08/white-house-cyber-czar-resigns-good-riddance/

[Editor's Note (Paller): Another example of the gracious leadership of Ms. Hathaway. By leaving she provides quiet but effective pressure on the White House senior staff to announce the new Cyber Czar. ]


Man Faces Felony Charges for Allegedly Stealing and Reselling Domain Name (August 3, 2009)
A New Jersey man has been arrested and charged with theft by unlawful taking or deception, identity theft and computer theft for allegedly stealing the domain name P2P.com and selling it to a California man for US $111,000. Daniel Goncalves will be the first person to be prosecuted for domain name theft. The domain name was registered with GoDaddy.com.
-http://www.msnbc.msn.com/id/32270824/ns/technology_and_science-tech_and_gadgets/


Boston Univ. Student Fined US $675,000 for Filesharing (July 31 & August 3, 2009)
Boston University student Joel Tenenbaum has been fined US $675,000 for illegally downloading 30 songs and making them available to others. The jury found Tenenbaum guilty of willful copyright infringement and imposed a US $22,500 fine for each song, significantly less than the maximum allowable fine of US $150,000 per song. Tenenbaum's defense was dealt a major blow when the judge in the case issued a pre-trial ruling that disallowed Tenenbaum's planned "fair use" argument. Tenenbaum has asked that people not make donations to help him, saying he will declare bankruptcy if his appeal is unsuccessful. Money already donated will be paid to his legal team, many of whom worked for no pay.
-http://www.computerworld.com/s/article/9136159/Tenenbaum_hit_with_675_000_fine_for_music_piracy?taxonomyId=17
-http://news.bbc.co.uk/2/hi/technology/8177285.stm
-http://www.msnbc.msn.com/id/32236444/ns/technology_and_science-security/


Adobe Issues Critical Updates for Reader and Acrobat (August 3, 2009)
Adobe has released updates for Reader and Acrobat on Windows, Mac, and Unix to address critical flaws related to Flash content. The vulnerabilities are being actively exploited. Users are encouraged to update to Adobe Reader 9.1.3 as soon as possible. Those already running Reader version 9.x can update to 9.1.3 with the automatic update function. Users who download Reader for Windows from the Adobe site should be aware that the version they receive is 9.1. If they download that version, they will still need to update to version 9.1.3. Windows and Mac users will need to download completely new versions of Adobe Acrobat.
-http://www.h-online.com/security/Adobe-patches-vulnerability-in-Reader-and-Acrobat--/news/113910

[Editor's Note (Northcutt): I think organizations should avoid Adobe if possible. Adobe security appears to be out of control, and using their products seems to put your organization at risk. Try to minimize your attack surface. Limit the use of Adobe products whenever you can. ]


Apple Issues Fix for SMS Vulnerability (July 31, August 1 & 3, 2009)
Apple has fixed a vulnerability that affects iPhones and other devices just one day after it was disclosed at the Black Hat security conference. The SMS (short message service) memory corruption flaw could be exploited to cause a denial-of-service condition that renders a device unable to connect to the Internet, or even to take control of the vulnerable device.
-http://www.theregister.co.uk/2009/07/31/iphone_sms_vulnerability_patch/
-http://www.scmagazineus.com/Apple-patches-iPhone-text-message-vulnerability/article/141078/
-http://www.h-online.com/security/Apple-closes-hole-in-iPhone-SMS--/news/113904


Data Security Breach Compromised Personal Data of 27,000 US Commerce Dept. Employees (August 3, 2009)
According to a letter sent to employees of the US Commerce Department, a National Finance Center employee sent an unencrypted Excel spreadsheet containing employees' personal information to a co-worker via email. The compromised information includes names and Social Security numbers (SSNs). The event occurred in mid-July. The Commerce Department is working out details of an agreement with a private company to monitor for potential cases of identity fraud and affected employees have been advised to set up alerts with credit agencies.
-http://www.washingtonpost.com/wp-dyn/content/article/2009/08/03/AR2009080302013_pf.html



Twitter Filtering Some Malicious Links (August 3, 2009)
Twitter has begun notifying users when they post links to known malicious websites. No formal announcement has been made, but researchers have noticed the change and applaud Twitter's decision. While the filtering is a step in the right direction, malicious URLs that were shortened or lacked the www subdomain were not caught.
-http://www.scmagazineus.com/Researchers-laud-Twitter-alerts-on-bad-links/article/141114/
-http://www.theregister.co.uk/2009/08/03/twitter_applies_malware_filter/
-http://blogs.wsj.com/digits/2009/08/03/twitter-begins-filtering-links/
-http://www.computerworld.com/s/article/9136213/Twitter_now_blocking_bad_URLs_but_imperfectly?source=rss_security

Apparently Twitter is using Google's blacklist of suspected phishing and malware pages.
-http://www.itpro.co.uk/613498/twitter-using-google-blacklist-to-filter-malicious-links



Suspicious ATMs at DefCon (August 2 & 3, 2009)
The US Secret Service is investigating several automatic teller machines (ATMs) discovered in Las Vegas at the DefCon security conference. When cardholders attempted to make withdrawals, the machines allegedly debited their accounts but did not dispense cash. Hotel staff declined to shut down the machines, choosing instead to hang "out of order" signs on them. In a separate incident at the conference, attendees determined that another ATM had a PC hidden inside it. Law enforcement was notified and that machine was removed.
-http://www.theregister.co.uk/2009/08/03/fake_atm_scam_busted_at_defcom/
-http://www.computerworld.com/s/article/9136184/Security_analyst_Las_Vegas_ATMs_may_have_malware?source=rss_security
-http://www.computerworld.com/s/article/9136179/Fake_ATM_doesn_t_last_long_at_hacker_meet?source=rss_security



**********************************************************************
The Editorial Board of SANS NewsBites



Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/