SANS NewsBites - Volume: XI, Issue: 90

Cyber warfare came out of the shadows this morning in a remarkable story from National Journal's national security reporter, Shane Harris. (The first story in Top of the News).

Also this morning the newest version of the Consensus Audit Guidelines (20 Critical Controls) was released by CSIS and also posted at SANS. The new version contains actual tests auditors and inspectors general can use to test the *effectiveness* of each of the controls.

https://www.sans.org/critical-security-controls/

At the same site you'll find a list of tools that have been user-vetted for automating many of the controls.

The second story in this issue provides provocative new data on why 40% of government agencies and many large companies have begun using the 20 critical controls for their security compliance testing. The breakthrough enabling this change was the published proof that the 20 controls are a perfect, risk-based subset of the NIST 800-53 Priority One controls, and that they measure security effectiveness. Focusing on the 20 controls fully meets the FISMA requirement of risk-based testing within the NIST 800-53 framework.

Alan

*************************************************************************
SANS NewsBites                     November 13, 2009                    Volume: XI, Issue: 90
*************************************************************************

TOP OF THE NEWS

   Cyber War Expose
   Fixing Federal Cybersecurity: C&A Reports Cost $1,400 Per Page And Are Out Of Date When Signed
   For One-Third of US Government Agencies, Security Incidents Are a Daily Occurrence

THE REST OF THE WEEK'S NEWS

   Researchers Describe Weakness in Government Wiretap Technology
   UK Considering Raising Maximum Data Breach Fine
   Indian Outsourcer Arrested for Selling British Patients' Medical Files
   Modified Xbox Consoles Banned From Xbox Live
   Apple Issues Safari Update
   Eight Indicted in Massive, Coordinated ATM Fraud
   Microsoft Issues Six Security Bulletins
   Windows Kernel Flaw Likely to be Exploited Soon
   iPhone Data Stealing Exploit Released
   Bank Fraud Linked to Stolen Employee Data
   Microsoft Investigating Reports of Zero-Day SMB Flaw in Windows 7 and Windows Server 2008 R2


************************* Sponsored By Q1 Labs *************************

*** FREE WEBINAR November 17 - Utility Companies: Improve Your Network Security Through Log, Threat and Compliance Management ***

Numerous government agencies have stepped up regulations (like NERC) to significantly improve the overall security of the infrastructure that supports the delivery of energy in North America and Europe.

Learn how to meet compliance requirements and substantially reduce the risk of network-based threats and cyber-terrorism.

REGISTER TODAY:
10 AM ET Session
https://www.sans.org/info/50678
OR 2 PM ET Session
https://www.sans.org/info/50683

*************************************************************************

TRAINING UPDATE

-- SANS Vancouver, November 14-19
https://www.sans.org/vancouver09/
-- SANS London, UK, November 28-December 6
16 courses, bonus evening sessions: Hex Factor, Forensics Mini Summit and more
https://sans.org/london09/
-- SANS CDI, Washington DC, December 11-18
https://www.sans.org/cyber-defense-initiative-2009
-- SANS Security East 2010, New Orleans, January 10-18, 2010
19 courses, bonus evening presentations
https://www.sans.org/security-east-2010/
- -- SANS AppSec 2010, San Francisco, January 29-February 5, 2010
https://www.sans.org/appsec-2010/
- -- SANS Phoenix, February 14 -February 20, 2010
https://www.sans.org/phoenix-2010/
- -- SANS 2010, Orlando, March 6 - March 15, 2010
https://www.sans.org/sans-2010/
Looking for training in your own community?
https://sans.org/community/
Save on On-Demand training (30 full courses)
- See samples at https://www.sans.org/ondemand/
Plus New Delhi, Tokyo and Geneva all in the next 30 days.
For a list of all upcoming events, on-line and live: http://www.sans.org

*************************************************************************

TOP OF THE NEWS

Cyber War Expose (November 13, 2009)

The covers are off the cyber warfare story. Shane Harris provides data about where and how cyber warfare has and is being used. He also has a fascinating discussion of how Mike McConnell employed potential financial cyber attacks as a game changer in military cybersecurity.
-http://www.nationaljournal.com/njmagazine/cs_20091114_3145.php

Fixing Federal Cybersecurity: C&A Reports Cost $1,400 Per Page And Are Out Of Date When Signed (November 12, 2009)

The US State Department cracked a vexing cybersecurity problem through continuous monitoring and a focus on the 20 critical controls (the most important defenses based on actual attack data compiled by NSA and other agencies). Result: measurable, major improvement of security while lowering the cost. Justifying the transformation: State had paid for 95,000 pages of certification & accreditation and follow-up reports at a cost of $1,400 per page, totaling $130 million over six years, and much of the data was outdated by the time it is printed.
-http://gcn.com/articles/2009/11/12/state-department-it-security-pilot.aspx
[Editor's Note (Paller): This is the cyber equivalent of the 1983 expose of the $605 toilet seat. Shifting some of the $1.3 billion per C&A cycle to continuous automated monitoring is a great way for the federal government to lead by example and make huge improvements security while saving hundreds of millions of dollars. ]

For One-Third of US Government Agencies, Security Incidents Are a Daily Occurrence (November 10 & 11, 2009)

A CDW-Government survey of 300 US government IT professionals found that 44 percent of agencies noted an increase in the number of security incidents over last year. Thirty-one percent of respondents said their agencies experienced at least one cyber security incident every day. The top areas of concern reported by respondents were malware, inappropriate employee activity or network use, managing access for approved remote users, and data encryption.
-http://www.govinfosecurity.com/articles.php?art_id=1931
-http://www.nextgov.com/nextgov/ng_20091110_7510.php?oref=topnews
-http://www.informationweek.com/news/government/security/showArticle.jhtml
articleID=221601320


************************ Sponsored Links: ***************************

1) Be sure to REGISTER NOW for the upcoming webcast: Cloud Security 101: Web Application Security Trends & Why It Should Be Top Priority Now!

https://www.sans.org/info/50688

2) What open source tools are the best-kept secrets? Find out - the Incident Detection Summit December 9-10.

https://www.sans.org/info/50693

***********************************************************************

THE REST OF THE WEEK'S NEWS

Researchers Describe Weakness in Government Wiretap Technology (November 11 & 12, 2009)

Researchers at the University of Pennsylvania say they have discovered a vulnerability in the technology the government uses to conduct wiretaps. The surveillance communication is transmitted between telecommunications companies and government agencies over a 64-Kbps data channel. People who think they are being monitored could effectively launch a denial-of-service (DoS) attack by sending a glut of text messages or VoIP calls, which could overwhelm the system. The researchers discovered the vulnerability by examining ANSI Standard J-STD-025, which "defines how switches should transmit wiretapped information to authorities."
-http://www.wired.com/threatlevel/2009/11/calea
-http://www.computerworld.com/s/article/9140717/How_to_DDOS_a_federal_wiretap?tax
onomyId=17

UK Considering Raising Maximum Data Breach Fine (November 12, 2009)

The UK Ministry of Justice is considering raising the maximum penalty for violations of the Data Protection Act that result in serious data breaches to GBP 500,000 (US $830,000). The Information Commissioner's Office (ICO) presently has the authority to impose a maximum fine of GBP 5,000 (US $8,300) for serious Data Protection Act violations. The possible significant increase in the maximum penalty is seen as a deterrent to lax security provisions, as is the fact that proceedings following a breach would be conducted publicly according to a recently added clause to the law. The Ministry of Justice is also looking at jail sentences for malicious breaches and pending legislation would allow the ICO to conduct data protection inspections.
-http://news.zdnet.co.uk/security/0,1000000189,39875322,00.htm

Indian Outsourcer Arrested for Selling British Patients' Medical Files (November 10 & 12, 2009)

Police in India have arrested the chief of an outsourcing company for allegedly selling British patients' medical records. Vikas Dhairyashil Bansode and his accomplices claimed to have obtained the data from IT companies in India that were hired to computerize medical records. According to the UK's Data Protection Act, it is illegal to send this sort of information outside the country unless its security can be guaranteed. The compromised information includes addresses, dates of birth and details of medical conditions. The police began to investigate Bansode and his accomplices following a documentary that aired in October in which the filmmakers posed as individuals who wanted to buy medical information so they could market health-related products pertinent to the individuals' situations.
-http://www.dailymail.co.uk/news/worldnews/article-1226934/Indian-police-arrest-c
ompany-boss-accused-selling-medical-records-British-patients.html
-http://timesofindia.indiatimes.com/city/pune/Director-of-BPO-unit-held-for-data-
theft/articleshow/5217216.cms
[Editor's Note (Schultz): If outsourcing to India has in many cases turned out to cause serious security problems, think of the security problems that cloud computing does and will cause. ]

Modified Xbox Consoles Banned From Xbox Live (November 11 & 12, 2009)

In an attempt to combat piracy, Microsoft is permanently banning modified Xbox consoles from accessing Xbox Live. The ban also applies to gamers who have played games downloaded in violation of copyright laws. The ban will affect between 600,000 and one million players. Users can recover their online profiles if they purchase another console. The plan raises concerns because it is the console rather than the player that is banned, so the people who purchase the devices second hand could find themselves unable to access Xbox live.
-http://www.msnbc.msn.com/id/33866696/ns/technology_and_science-games/
-http://news.bbc.co.uk/2/hi/technology/8356621.stm

Apple Issues Safari Update (November 11 & 12, 2009)

Apple has released Safari 4.0.4 for both Mac and Windows. The updated browser addresses seven security flaws; the vulnerabilities could be exploited to allow arbitrary code execution and disclosure of information and to cause unexpected application termination. The most serious of the vulnerabilities affects only Windows versions of the browser. One of the vulnerabilities fixed in the Windows version of Safari was patched for most Mac versions in September.
-http://www.h-online.com/security/news/item/Apple-fixes-critical-vulnerabilities-
in-Safari-857378.html
-http://www.computerworld.com/s/article/9140749/Apple_issues_week_s_second_patch_
set_fixes_7_Safari_flaws?source=rss_security
-http://download.cnet.com/8301-2007_4-10395874-12.html
-http://support.apple.com/kb/HT3949
[Editor's Note (Schultz): The updated browser addresses seven security flaws; the vulnerabilities could be exploited to allow arbitrary code execution, disclosure of information and to cause unexpected application termination. ]

Eight Indicted in Massive, Coordinated ATM Fraud (November 10 & 11, 2009)

A US federal grand jury in Atlanta, Georgia has indicted eight men in connection with the RBS WorldPay security breach. The men allegedly used a team of cashiers to steal more than US $9.5 million from ATMs in just a few hours. They allegedly broke into the RBS WorldPay network last November and stole information including account numbers for prepaid payroll cards and reverse engineered the associated PINs. They then allegedly raised the limits on the cards. Cashiers in 280 cities around the world withdrew the money from 2,100 ATMs in less than 12 hours. Those accomplices allegedly were allowed to keep 30 to 50 percent of the money they withdrew.
-http://www.wired.com/threatlevel/2009/11/rbs-worldpay/
-http://news.cnet.com/8301-27080_3-10394558-245.html?part=rss&subj=news&t
ag=2547-1009_3-0-20
-http://www.usatoday.com/tech/news/2009-11-10-atm-hackers_N.htm
-http://www.h-online.com/security/news/item/Indictment-for-cloned-debit-card-frau
d-856490.html
-http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID
=221601284
-http://www.theregister.co.uk/2009/11/10/rbs_breach_indictment/
-http://www.justice.gov/opa/pr/2009/November/09-crm-1212.html
[Editor's Note (Honan): Kudos to all the law enforcement agencies involved in this operation. ]

Microsoft Issues Six Security Bulletins (November 10 & 11, 2009)

On Tuesday, November 10, Microsoft released six security bulletins to address a total of 15 security flaws. Microsoft is recommending that users apply one of the fixes, MS09-065, immediately. It addresses three flaws in Windows kernel-mode drivers, one of which has been rated critical. It can be exploited simply by manipulating users into viewing infected web pages. Two of the remaining five bulletins also have maximum severity ratings of critical. The flaws affect Microsoft Windows and Microsoft Office.
-http://news.cnet.com/8301-27080_3-10394351-245.html?part=rss&subj=news&t
ag=2547-1009_3-0-20
-http://www.securityfocus.com/brief/1035
-http://voices.washingtonpost.com/securityfix/2009/11/microsoft_plugs_15_holes_in
_wi.html
-http://www.theregister.co.uk/2009/11/11/ms_nov_patch_tuesday/
-http://www.scmagazineus.com/Microsoft-fixes-15-flaws-with-six-patches/article/15
7541/
-http://www.computerworld.com/s/article/9140625/Microsoft_plugs_15_holes_includin
g_critical_drive_by_bug?taxonomyId=17
-http://www.microsoft.com/technet/security/bulletin/ms09-nov.mspx
ISC:
-http://isc.sans.org/diary.html?storyid=7564

Windows Kernel Flaw Likely to be Exploited Soon (November 11, 2009)

Researchers are in agreement that in the next few weeks, cyber criminals are likely to exploit the Windows kernel vulnerability for which Microsoft released a fix earlier this week. The problem lies in the way the kernel parses Embedded Open Type fonts and can be exploited in drive-by attacks, meaning users do not have to take any action to become infected other than visiting a compromised or maliciously-crafted website.
-http://www.computerworld.com/s/article/9140688/Hackers_will_exploit_Windows_kern
el_bug_researchers_say
-http://www.microsoft.com/technet/security/Bulletin/MS09-065.mspx

iPhone Data Stealing Exploit Released (November 11, 2009)

The same vulnerability that was used to spread a relatively harmless worm is now being exploited to allow attackers to steal data from jailbroken iPhones. An estimated six to eight percent of iPhones are jailbroken, meaning they have been modified to allow applications and other code to run on the devices even if that code has not been signed by Apple. The attackers can access music, photos, email, text messages and other information. Both attacks gain access to iPhones through default SSH passwords; users who choose to jailbreak their iPhones are advised to change the default SSH password if they have installed that utility.
-http://www.scmagazineus.com/Attack-tool-can-hijack-data-off-unlocked-iPhones/art
icle/157587/
-http://www.darkreading.com/security/attacks/showArticle.jhtml?articleID=22160134
0&subSection=Attacks/breaches
-http://www.computerworld.com/s/article/9140699/Hackers_pillage_jailbroken_iPhone
s?taxonomyId=17
-http://www.theregister.co.uk/2009/11/11/iphone_hacking_tool/
[Editor's Note (Northcutt): This is just the beginning. It is the classic features versus security story. The iPhone rocks; it has the features people want; it has a far better interface than any other phone; so it will keep selling and keep ending up as a business PDA. Perhaps it won't be the standard, but rather the device allowed as an exception. Try to hold the line, the Blackberry is a far safer device, keep it as the standard. When exceptions are granted, ask those business folks not to put the entire company directory on their phones. It is just a matter of time until security applications start to become available for this platform, but we need to try to minimize data loss until then. ]

Bank Fraud Linked to Stolen Employee Data (November 10, 2009)

A data security breach of a server at the Vancouver (Washington) School District exposed employee information, including Social Security numbers (SSNs) and bank account information of employees who use direct payroll deposit. The district superintendent is urging all employees to let their financial institutions know about the breach so they can be monitored for suspicious activity and to contact credit reporting agencies to place fraud alerts on their accounts. The district notified all area banks about the breach as soon as they learned of it. Several employees say that their banks alerted them to suspicious account activity following the breach.
-http://www.columbian.com/article/20091111/NEWS02/711119935

Microsoft Investigating Reports of Zero-Day SMB Flaw in Windows 7 and Windows Server 2008 R2 (November 11 & 12, 2009)

Microsoft is investigating reports of a zero-day flaw in Windows 7 and Windows Server 2008 Release 2 that could be exploited to crash vulnerable computers. The flaw is in Windows Server Message Block and could be exploited to "trigger" an infinite loop on the SMB protocol rendering the entire system unresponsive. There is no evidence that the flaw could be exploited to compromise a system.
-http://news.cnet.com/8301-27080_3-10395891-245.html?part=rss&subj=news&t
ag=2547-1009_3-0-20
-http://www.h-online.com/security/news/item/DoS-vulnerability-in-the-SMB-client-o
f-Windows-7-and-Server-2008-R2-857756.html
-http://www.computerworld.com/s/article/9140704/Unpatched_SMB_bug_crashes_Windows
_7_researcher_says?source=rss_security
IS:
-http://isc.sans.org/diary.html?storyid=7573


**********************************************************************

The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/