Big story this week on US government cyber security spending. It is controversial but ultimately wonderful, reallocating more than a billion dollars in US cyber security spending over the next 36 months. If you need a copy of the NASA memo, email me at firstname.lastname@example.org. If you want to know more about the US State innovation, try to get a seat (they are free) at the Government Executive Magazine Cyber Insider breakfast on June 15 (register at http://www.govexec.com/cyber%5Finsider/) Otherwise email me and I'll try to connect you.
************************************************************************* SANS NewsBites May 22, 2010 Volume: XII, Issue: 40 *************************************************************************
**************** Sponsored By Trusted Computer Solutions **************** Is your IT organization struggling to keep your enterprise servers in compliance with security policy? Could your organization pass a surprise security audit today? Security Blanket performs fast, consistent, and repeatable operating system lock down to industry or custom security settings in minutes, not days. Audit ready, all the time! Try Security Blanket for FREE.
TRAINING UPDATE -- SANSFIRE 2010, Baltimore, June 6-14, 2010 38 courses. Bonus evening presentations include Software Security Street Fighting Style and The Verizon Data Breach Investigations Report http://www.sans.org/sansfire-2010/
-- SANS Rocky Mountain 2010, Denver, July 12-17, 2010 8 courses. Bonus evening presentations include Hiding in Plain Sight: Forensic Techniques to Counter the Advanced Persistent Threat http://www.sans.org/rocky-mountain-2010/
-- SANS Network Security 2010, Las Vegas, September 19-27, 2010 39 courses. Bonus evening presentations include The Return of Command Line Kung Fu and Cyberwar or Business as Usual? The State of US Federal CyberSecurity Initiatives http://www.sans.org/network-security-2010/
Plus Amsterdam, Kuala Lumpur, Canberra and Taipei all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org/index.php *************************************************************************
TOP OF THE NEWS
NASA Shifts Cyber Security Focus and Money From Certification and Accreditation to Real-Time Threat Reporting (May 19 & 20, 2010)
NASA deputy chief information officer Jerry Davis has issued a memo instructing all NASA CIOs and CISOs to "shift [their focus and contracts ] away from cumbersome and expensive C&A [certification and accreditation ] paperwork processes, in favor of a value-driven, risk-based approach to system security." The Federal Information Security Management Act (FISMA), which had never mandated C&As the way they were implemented by NIST, has been facing increasing criticism for being a paperwork sinkhole, requiring agencies to commit time and money to creating reports that assess compliance, but not requiring any actions to secure systems. C&As are still required before new systems are authorized for operation, but the wasteful 3-year C&A updates, consuming 85% of the C&A budgets are no longer allowed. Davis took his lead from a list of security requirements released by the Office of Management and Budget (OMB) last month. -http://www.nextgov.com/nextgov/ng_20100519_6677.php?oref=topstory -http://cybersecurityreport.nextgov.com/2010/05/ca_now_weightless_at_nasa.php?ore f=latest_posts Memo: -http://www.govexec.com/pdfs/051910j1.pdf [Editor's Note (Schultz): Good for NASA! The motivation behind FISMA was good, but the mechanisms and processes have been badly flawed since day one. (Pescatore ): There is a lot of inaccurate wording here. Last year NIST took the lead in updating 800-53 and 800-37 to require more continuous monitoring. OMB is requiring that the output from the continuous monitoring be submitted through a tool called Cyberscope - which simplifies the top level compilation of agency submissions, but doesn't really change much for each individual agency. OMB is just requiring a different reporting channel and adding some benchmarking questions and adding potential on-site interviews - all in addition to the usual Office of Inspector General audits each agency will still go through. This is just another OMB unfunded mandate that most agencies that don't have budgets the size of NASA's will struggle to meet. (Paller): After more than 12 years of terrible oversight by the lower-level security staffers at OMB, it's reasonable that John and others might think this is just another unfunded mandate by OMB. But that characterization would be wrong. The NASA innovation is the breath of fresh air that every CIO and every major program manager in government has been (secretly) hoping for. They had to be secretive, because the security underlings at OMB would bite their heads off if they expressed aloud their concern with the waste OMB's policies and NIST's documents were forcing on them. Vivek Kundra and Howard Schmidt (CIO and Cyber Coordinator for the U.S., respectively) have worked wonders enabling the agencies to move money away from the waste and to make rapid risk reduction possible. This is a fully funded mandate to implement the State Department's near real time (updated every 36-hours) security monitoring innovation. State proved that risk, reliably measured, can be reduced across the globe, by more than 90%, using the system. Rapid implementation of the State Department innovation (using money freed up by the NASA innovation) will finally allow the federal government to lead by example in showing how effective security can be implemented. And it is spreading. Three large US agencies and four companies in the Defense Industrial Base have already moved definitively to adopt the State Department iPost system. It's time for celebration! ]
DHS Supports NASA Transformation (May 20, 2010)
Matt Coose, the Director of Federal Network Security at DHS (and the person to whom OMB's Vivek Kundra delegated primary responsibility for FISMA compliance measurement and enforcement) reinforced NASA's decision to move money from out-of-date 3-ring binder production to continuous (every 36 hours at most) automated monitoring as the US State Department is doing. Said Coose, "Other agencies should follow their lead and many are." -http://techinsider.nextgov.com/2010/05/right_along_with_security_experts.php?ore f=latest_posts
Microsoft Program Will Share Early Vulnerability Info With Governments (May 19, 2010)
Microsoft plans to pilot a program with national governments around the world that will provide some organizations with technical details of security flaws before patches are made available. The Defensive Information Sharing Program (DISP) is aimed at helping protect critical infrastructure. The program will begin this summer, with a full scale launch planned for later in the year. The goal of providing the government with more time is to allow the organizations to prioritize their actions. Microsoft also has another government program in the works; the Critical Infrastructure Partner Program will share information with governments about security policy to help protect critical infrastructure. -http://fcw.com/articles/2010/05/19/web-microsoft-patch.aspx [Editor's Note (Paller): This is a good thing if you assume that none of the governments around the world that get the early information have malicious interests and that they would not use the early data for quick-hit penetrations of sensitive sites. That's a bad assumption. ]
German Authorities Launch Investigation Into Google Wi-Fi Data-Gathering (May 19 & 20, 2010)
The Google data-gathering issue is gaining widespread attention. Google has acknowledged that it inadvertently gathered personal information, including scraps of websites and personal email messages, from unprotected Wi-Fi networks while gathering images for Google Street View. German prosecutors have opened an investigation into Google's collection of data from Wi-Fi networks. German officials have asked that Google turn over a hard drive containing some of the data. Google has said it will destroy the data. US legislators are also questioning the legality of Google's data collection and have asked the Federal Trade Commission (FTC) to investigate. France and Italy are launching investigations as well. The Irish Data Protection Commissioner requested that data gathered there be destroyed and Google has complied. The UK Information Commissioner's Offices (ICO) have asked Google to delete the data it has collected there and declined to launch an investigation, although there are groups pushing for the data to be retained for an investigation. -http://www.nytimes.com/2010/05/20/business/global/20google.html?ref=technology -http://voices.washingtonpost.com/posttech/2010/05/the_anger_is_growing_over.html -http://www.pcworld.com/article/196770/google_street_view_privacy_breach_lawmaker s_get_mad.html -http://www.v3.co.uk/v3/news/2263320/ico-calls-google-delete-private [Editor's Note (Pescatore): Good to see the FTC investigate this. They have been using existing laws for years to go after private industry abuses of privacy and have quietly been very effective - without needing new laws or regulations. I'd like them to see them proactively do this to all the companies like Google that sell advertising around other people's information. ]
THE REST OF THE WEEK'S NEWS
Keystroke Logger Spreading Through Twitter (May 20, 2010)
Malware spreading through zombie Twitter accounts installs a keystroke logging Trojan horse program on users' systems. In some cases, the link that people receive claims to be the Twitter iPhone app; there are also reports of a tagline about "the funniest video I've ever seen." The link has received more than 1,630 clicks. The malware also disables Windows Task Manager, regedit, and Windows Security Center notifications. -http://www.guardian.co.uk/technology/blog/2010/may/20/twitter-funniest-video-sec urity-threat-malware -http://www.darkreading.com/security/attacks/showArticle.jhtml?articleID=22490050 2 [Editor's Note (Pescatore): The generic title for this kind of news piece is "Malware Will Spread Through Every Web Site Users Ever Visit." The only change is which web site is popular -Twitter is really just a really popular web site. If you don't have in-bound malware filtering between your users (including mobile users) and the web then you are at risk. (Paller): Some products that have shown strong performance in blocking web malware include M86, McAfee and Zscaler, in alphabetical order. ]
Facebook Fixes Data Exposure Flaw (May 18 & 19, 2010)
Facebook has fixed a cross-site request forgery vulnerability that discloses certain information, including birthdates, even if it has been classified as private. Attackers could exploit the flaw by enticing users to click on a specially-crafted link while logged into Facebook. The attackers would then be able to read and alter the users' profile pages. Although Facebook says the issue has been fixed, the researcher who reported the flaw to Facebook says there are still ways to exploit it. The problem lies in the way Facebook checks to ensure that the browser requesting an action, for instance, "like"ing a page, is actually the one through which the account is logged in. By removing a small piece of code, Facebook completely bypasses the checking function and allows the action. -http://www.theregister.co.uk/2010/05/19/facebook_private_data_leak/ -http://www.computerworld.com/s/article/9176952/Facebook_fixing_embarrassing_priv acy_bug?taxonomyId=85 [Editor's Note (Pescatore): But did Facebook fix the flaws in the software development cycle that allowed vulnerable web software to be running on their site? Probably more importantly, given that Facebook's CEO has claimed to be having internal meetings to emphasize privacy, has Facebook fixed flaws in their business model to value user privacy as much as advertising revenue? ]
Heartland Settles With MasterCard Over Data Breach (May 19 & 20, 2010)
Underground Cyber Crime Forum Data Stolen (May 18 & 19, 2010)
An online forum where criminals trade stolen financial account information has been attacked and information stolen. At least three files now being traded on a public site contain information stolen from Carders.cc, the German underground forum, including communications between members. Ironically, a poorly configured server allowed the attackers to steal information from the group's database. The culprits appear to be members of a group that says it wants to expose the forum's illegal activity. -http://krebsonsecurity.com/2010/05/fraud-bazaar-carders-cc-hacked/ -http://www.wired.com/threatlevel/2010/05/carderscc/
Dutch Transit Site Offline After Vulnerabilities are Demonstrated (May 18, 2010)
A Dutch transit website has been shut down after authorities were presented with evidence of a demonstration that allowed an attacker access to the personal information of 168,000 passengers. The website, Ervaar het OV, or Experience the OV, was designed to allow riders greater ease in using the transportation systems through smart cards, coupons and promotions. The SQL injection attack is the same type that was used to break into Heartland Payment Systems' and other companies' networks to steal payment card information. -http://www.theregister.co.uk/2010/05/18/transit_site_privacy_breach/
EXTRA: Five Ways to Keep Online Criminals at Bay: A Security Gift to Send On
EXTRA: Feedback on Secure Transfer Techniques from Stephen Northcutt
In our last edition (issue 39) we carried a story about employees at federal agencies using unsecure methods to transfer information and asked for your feedback and especially pointers to studies that might help. Stephen Northcutt has summarized the responses received in time to prepare the next edition below:
"'Nudge: Improving Decisions about Health, Wealth, and Happiness' by Thaler and Sunstein. Although it does not directly address the issue of encryption, it provides a study of behavioral economics that seems to apply here. In short, people don't encrypt because the default is not to encrypt."
I have read nudge and it is a good book. My biggest take away is that for someone to change they have to believe there is a substantial benefit and that they can change. As security professionals, system designers and developers, we have a responsibility to incorporate choice architecture into our work. By default, expect people to take the path of least resistance and also expect and build for error. So if SSH and FTP are both available and a user is familiar with FTP, what will they use? Our systems need to give feedback, if you hold down a key too long a system might beep at you, if we *have* to make FTP available, perhaps executing the program could stimulate some type of potentially unsafe warning. Is there anything we can do to help users understand the risks of not using encryption? Probably the best thing we can do is make it more complex to use the wrong tool than the right tool. You can use FTP if you need to, but you have to provide a fully qualified pathname to the executable. And of course there is the idea of incentives for doing the right thing. If everyone in a department is using FTP instead of SSH but one person, give that person the parking slot closest to the building and an appropriate title.
Several people wrote in saying the reason they do not use GPG/PGP is the interface is not as friendly as it could be. The biggest horror story was: " [Aside: the reason this isn't encrypted is that last week I installed a beta version of NOD32 for Mac and it hung my machine which uses filevault on my main account. Having been here before I restarted the machine and logged into my non filevault account and uninstalled it. But when I came back to my main account mail had lost all its customisations and I have not been able to get GPGmail going again. Time to make a full backup and reinstall I think, sigh.... ] "
********************************************************************** The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.
Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/