SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume X - Issue #34
April 29, 2008
Yesterday, in a presentation to the Commission on Cyber Security for the 44th President, the US Y2K czar, John Koskinen, shared an insight that may explain why some standards and audit techniques are more useful than others. He told the Commission members that, near the end of the Y2K process, they were able to tell organizations exactly what needed to be done and how much was enough. He got all the experts to agree on what needed to be done by first finding which threats actually mattered and then focusing the work on making sure those were eliminated. This is relevant in security because PCI does that (identifying which attack vectors are actually being used) and other standards organizations, like NIST, fail to do that. PCI isn't perfect, but a PCI audit is widely seen as much more effective than the unreliable audits done under the looser standards. This may also be why the NSA Blue Teams do so much better assessments than other auditors: they know how the real attacks are being carried out, so they measure what matters.
TOP OF THE NEWS
PCI Update Requires Both Network and Application Penetration Testing
Microsoft Says SQL-Injection Attacks Not Due to Flaws in Their Products; Rather Due To Application Programming Errors
Researchers Call for Microsoft to Revamp Patch Distribution System
FBI Wants ISPs to Retain User Data for at Least Two Years
THE REST OF THE WEEK'S NEWS
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
New Zero-Day Flaw in QuickTime
Malware Authors Invoke Licensing Agreements
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
30,000 Bank of Ireland Customers Affected by Laptop Theft
SCSU Faces Another Data Breach
Maryland State Highway Administration Employee Data Exposed
Banking Details Stolen from NY WiseBuys Store
Lockheed-Martin Moves To Ensure Programmers on Federal Projects Have Proven Secure Coding Skills
LIST OF UPCOMING FREE SANS WEBCASTS
******************** Sponsored By Sourcefire, Inc. **********************
SC Magazine Names Snort(r) "Best Network Security."
Learn how Snort is the engine powering the Sourcefire 3D(tm) System. This IPS is different from others because it shows you everything running on your network in real time. It also gives you context for your security events. Know more real threats. No more wild goose chases. Call 1.800.917.4134 today.
Where can you find the newest Penetration Testing techniques, Application Pen Testing, Hacker Exploits, Secure Web Application Development, Security Essentials, Forensics, Wireless, Auditing, both new Pen Testing courses, CISSP, and SANS' other top-rated courses plus evening sessions with Internet Storm Center handlers.
- - SANSFIRE 2008 in Washington DC (7/22-7/31) SANS' biggest summer program with many bonus sessions and a big exhibition of security products:
- - London (6/2-6/7) and Amsterdam (6/16-6/21)
- - San Diego (5/9-5/16) http://www.sans.org/securitywest08
- - Toronto (5/10-5/16) http://www.sans.org/toronto08
- - and in 100 other cities and online any time: www.sans.org
TOP OF THE NEWS
PCI Update Requires Both Network and Application Penetration Testing (April 22, 2008)The Payment Card Industry Data Security Standard, which is being closely followed by tens of thousands of governments, commercial organizations and schools around the world, was updated to clarify what the required penetration testing must cover: "Penetration testing is different than the external and internal vulnerability assessments. A vulnerability assessment simply identifies and reports noted vulnerabilities, whereas a penetration test attempts to exploit the vulnerabilities to determine whether unauthorized access or other malicious activity is possible." Penetration testing should include network *and* application layer testing as well as controls and processes around the networks and applications, and should occur both from outside the network trying to come in (external testing) and from inside the network (internal testing). The Dark Reading article also explains where best practices for penetration testing can be learned.
[Editor's Note (Paller): PCI does the best job anywhere of analyzing attacks and updating its standards to ensure the newest attack vectors are being adequately blocked. They did it again last week by adding application security penetration testing to network pen testing. Sadly, network pen testing techniques consistently fail to uncover important application security flaws; app pen testing requires different skills. The best place to learn those skills is at the Web Application Security Summit and the associated Web Application Pen Testing Course in Las Vegas in late May.
The course:
The overall Summit: ]
Microsoft Says SQL-Injection Attacks Not Due to Flaws in Their Products; Rather Due To Application Programming Errors (April 27 & 28, 2008)Microsoft maintains that the SQL-injection attacks spreading to hundreds of thousands of web pages are not due to new or unknown vulnerabilities in its Internet Information Server (IIS) or SQL Server. The Microsoft Security Response Center's Bill Sisk said the attacks are the result of SQL injection exploits and proffered a set of industry best practices for organizations to follow to protect themselves from such attacks.
[Editor's Note (Paller): The Microsoft guidance for programmers on how to avoid programming errors that enable SQL Injection attacks (posted at
) is excellent. These guidelines reflect the skills that are now being tested for Java and soon for .NET programmers. If you have more than 300 programmers, you can have up to 10 of them use the free online skills assessment to find their skills gaps. Email firstname.lastname@example.org]
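The programming error behind the attacks described above is untrusted input concatenated into SQL text; the fix Microsoft's guidance points to is parameterized queries. The block below is an added example, not code from the Microsoft post or from this newsletter. The users table, its rows and the attack string are constructed for illustration, and an in-memory SQLite database stands in for SQL Server; the behaviour shown (tautology injection succeeding against the concatenated query and failing against the parameterized one, and a legitimate apostrophe breaking only the concatenated query) is the same on either engine.

```python
"""SQL injection: the vulnerable pattern beside the parameterized fix.

Added example (not from Microsoft or SANS). Sample data is constructed;
SQLite is used so the block runs offline with the standard library only.
"""
import sqlite3

# Constructed sample rows. "o'brien" is a legitimate value containing the
# quote character that string-built SQL mishandles.
SAMPLE_USERS = [
    ("alice", "alice@example.invalid"),
    ("bob", "bob@example.invalid"),
    ("carol", "carol@example.invalid"),
    ("o'brien", "obrien@example.invalid"),
]

# Classic tautology payload: closes the string literal, then ORs in a
# condition that is always true so every row comes back.
ATTACK = "x' OR '1'='1"


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    # Parameters are used here too: never build SQL from data, even fixtures.
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)", SAMPLE_USERS
    )
    return conn


def lookup_vulnerable(conn, username):
    """The programming error: the request value becomes part of the SQL text.

    Whatever the user sends is parsed as SQL, so a quote character changes
    the statement's structure instead of being treated as data.
    """
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """The fix: SQL text is constant, the value travels as a bound parameter.

    The database compiles the statement first and only then binds the value,
    so the attacker's quote characters can never be interpreted as SQL.
    """
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def vulnerable_raises_on(conn, username):
    """True if the concatenated query fails on this input (a syntax error
    caused by an unescaped quote); the parameterized query handles it."""
    try:
        lookup_vulnerable(conn, username)
    except sqlite3.OperationalError:
        return True
    return False


def demo():
    """Run both lookups against the attack string and a legitimate value."""
    conn = make_db()
    return {
        # Injection: the tautology returns every row from the vulnerable path.
        "vulnerable_rows_for_attack": len(lookup_vulnerable(conn, ATTACK)),
        # Same input through the parameterized path matches nothing.
        "parameterized_rows_for_attack": len(lookup_parameterized(conn, ATTACK)),
        # Legitimate apostrophe breaks the concatenated query ...
        "vulnerable_breaks_on_legit_quote": vulnerable_raises_on(conn, "o'brien"),
        # ... but the parameterized query returns the right row.
        "parameterized_rows_for_legit_quote": len(
            lookup_parameterized(conn, "o'brien")
        ),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that SQLite's execute() refuses stacked statements, so the "'; UPDATE ... --" style of payload seen against SQL Server (which executes batches) does not run here; the tautology payload is enough to show that the concatenated query hands control of the statement to the caller. The parameterized form is also the only one that behaves correctly for ordinary input containing a quote, which is the usual way this bug is first noticed in production.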
Researchers Call for Microsoft to Revamp Patch Distribution System (April 23 & 25, 2008)Computer science researchers from Carnegie Mellon University, the University of California at Berkeley, and the University of Pittsburgh are urging Microsoft to redesign its patch distribution system. The four researchers have developed a technique that they call automatic patch-based exploit generation (APEG), which compares vulnerable and patched versions of a program and uses the differences to create attack code, in some cases within minutes of a patch's release. Because patches reach different machines at different times, an attacker who receives a patch early can turn it into an exploit against machines that have not yet been patched. The group offers several suggestions for making such an attack more difficult, "including obfuscating the code, encrypting the patches and waiting to distribute the key simultaneously, and using peer-to-peer distribution to push out patches faster."
FBI Wants ISPs to Retain User Data for at Least Two Years (April 23, 2008)At a hearing last week, FBI Director Robert Mueller told the US House Judiciary Committee that Internet service providers (ISPs) should be required to retain user activity data for at least two years. The idea has bipartisan support in the legislature. Despite the recent hearing and earlier efforts to mandate ISP data retention, it is still unclear what sort of information would be retained. A data retention law could require ISPs to keep information about IP addresses assigned to users, but could also mean that the companies have to hold on to information related to email, instant messaging, and which web sites were visited. Current practices have ISPs discarding data that are not required for business reasons; exceptions are made when law enforcement authorities are conducting an investigation.
********************** Sponsored Links: *******************************
1) Top 10 Security Vulnerabilities in your .NET configuration files: Are your web applications vulnerable? Find out!
2) By converging networking and security, StillSecure provides intelligent networks that are easy to manage and protect.
3) Listen to SANS Special webcast, Security Insights with Dr. Eric Cole. This month's topic: Data Leakage prevention
THE REST OF THE WEEK'S NEWS
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
New Zero-Day Flaw in QuickTime (April 28, 2008)Security consultants at GNUCitizen say they have notified Apple of a flaw in its QuickTime media player that can be exploited to take control of vulnerable PCs. Attackers would need to manipulate users into visiting a maliciously crafted website, or opening a malicious email attachment or media file. The remotely exploitable vulnerability reportedly affects Windows Vista Service Pack 1 and Windows XP Service Pack 2; other versions may be vulnerable as well.
Malware Authors Invoke Licensing Agreements (April 28, 2008)In a strange twist on copyright enforcement, malware authors are taking steps to protect their products. According to help files that accompany one malware package, the organization selling it says that if those using the malware violate the licensing agreement, the organization will send code samples to anti-virus companies. The licensing agreement also requires purchasers to pay for product updates that do not address bugs and forbids them from reverse engineering the malware code or sharing it with others.
[Editor's Note (Schultz): The provision that if license agreements are violated, malware authors will turn code samples over to anti-virus vendors seems very contrary to malware authors' interests. The more code from a malware tool that anti-virus vendors have, the better their ability to detect and eradicate the tool is. I would think that this would greatly diminish the potential attractiveness of the tool in the eyes of potential buyers.
(Schmidt): I wonder if we will see them in front of "Judge Judy" someday (A daytime US TV show where people resolve their legal disputes in a "TV Court"). ]
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
30,000 Bank of Ireland Customers Affected by Laptop Theft (April 28, 2008)The theft of four laptops containing Bank of Ireland customer information is now believed to affect as many as 30,000 people; the figure was initially given as 10,000. The compromised data include medical records, bank account information, names and addresses. The breach affects both life assurance customers as well as mortgage holders and affects customers at 29 branches, instead of just seven, as was initially reported.
SCSU Faces Another Data Breach (April 25 & 28, 2008)Southern Connecticut State University is notifying approximately 11,000 individuals that their personal data were compromised when an intruder gained access to a university server holding their Social Security numbers (SSNs) and other personal information. The intruder was using the server to help run a spam scheme. This is the second data security breach that SCSU has faced in recent weeks; a laptop stolen from a consultant held personally identifiable information of students at 18 colleges and universities, including SCSU.
[Editor's Note (Schmidt): These are happening so frequently I do not know why this is even "News" anymore. All the more reason not to permit social security numbers to be used as personal identifiers. ]
Maryland State Highway Administration Employee Data Exposed (April 25, 2008)Maryland's State Highway Administration (SHA) is informing approximately 1,800 employees that their personal information was compromised. An employee transferred the data, which include names and SSNs, from a secure drive to a shared drive. The SHA is removing SSNs from personnel files.
Banking Details Stolen from NY WiseBuys Store (April 24 & 25, 2008)Police in Canton, New York are investigating the theft of nearly US $100,000 that appears to stem from a computer intrusion at the Canton WiseBuys store. The attack occurred while the store was changing from one computer system to another in December 2007. The intruder was able to access sensitive personal information, including bank account numbers, of hundreds of the store's customers. The cyber thieves used the information to create clones of the customers' cards and stole funds from accounts at several Canton banks. The fraudulent transactions range from US $10 up to US $3,000.
Lockheed-Martin Moves To Ensure Programmers on Federal Projects Have Proven Secure Coding Skills (April 28, 2008)Lockheed Martin has set a new standard for federal contractors by moving to assess the secure coding skills of its programmers, provide training to improve their skills, and certify its developers through a rigorous certification exam.
UPCOMING SANS WEBCAST SCHEDULE
SANS Special Webcast: The Little Hybrid Web Worm That Could
WHEN: Wednesday, April 30, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Billy Hoffman
Sponsored By: HP
This webcast examines the possibility of hybrid web worms which use several methods to overcome the limitations of current web worms. Specifically the authors examine how a hybrid web worm: mutates itself to evade defenses; updates itself with new attack vectors while in the wild; and finds and exploits targets regardless of whether they are client web browsers or web servers.
WhatWorks in Intrusion Detection and Prevention: Easing the Pains of PCI Compliance at AirTran Airways
WHEN: Tuesday, May 06, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Alan Paller and Michelle Stewart
Sponsored By: Lancope
Looking for a solution to ease the pains of PCI compliance, the data security manager for AirTran Airways needed a product that provided increased visibility into network behavior and accountability. It had to be behavior based and capable of collecting information from a widely dispersed network. She found a solution that was scalable, cost-effective and helps to quickly identify and resolve network and security issues.
****This Webcast was previously scheduled for 4/15/08****
NEW DATE/TIME: Wednesday, May 7, 2008 at 1:00pm EDT (1700 UTC/GMT)
FEATURING: Dr. Eric Cole and Michael Yaffe
Sponsored By: Core Security
The information security world is taxing. We spend a lot of time fixing problems that often don't stay fixed. New vulnerabilities are discovered daily, and applying one update or patch sometimes exposes weaknesses elsewhere. We hope that our IPS and firewalls can cover while we try to keep up, but how do we really know that things are working the way they should be?
Ask the Expert Webcast: Enterprise Incident Management with Security Monitoring
WHEN: Thursday, May 8, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Adrien de Beaupre
Sponsored By: Prism MicroSystems
Log management (LM) raises issues including privacy, storage requirements, and meeting regulatory or legislative requirements. The integration of LM into an organization's overall security dashboard will be the focus of this presentation.
Internet Storm Center Webcast: Threat Update
WHEN: Wednesday, May 14, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Johannes Ullrich
Sponsored By: Core Security
The SANS Internet Storm Center (ISC) uses advanced data correlation and visualization techniques to analyze data collected from thousands of sensors in over sixty countries. Experienced analysts constantly monitor the Storm Center data feeds searching for trends and anomalies in order to identify potential threats. When a threat is identified, the team immediately begins an intensive investigation to gauge the threat's severity and impact. This monthly webcast discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.
Security Inside the Perimeter: Confronting the Gap Between Talking About the Threat and Doing Something About it
WHEN: Thursday, May 15, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Paul Smith
Sponsored By: PacketMotion
Most security and IT professionals agree that the corporate network "perimeter" is no longer viable due to laptops, tunneling applications, VPNs and wireless, etc. But network security conventional wisdom is still very perimeter oriented. Why the inconsistency? Perhaps people really don't think the problem is that significant and the risk is not that high. Or maybe they do think it's a real problem, but hesitate to act because of cost, complexity, and risk to application availability. This webinar will review the key aspects of this inconsistency and offer solutions to better manage the "inside risk."
Be sure to check out the following FREE SANS archived webcasts:
Tool Talk Webcast: The ABC's of Dealing with Unique Network Security Risks in a World of Open Campus Networks
WHEN: Wednesday, March 5, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURING: Brian Mehlman
Sponsored By: Q1 Labs
SANS Special Webcast: A Response to the "Cold Boot Attack" Announcement
WHEN: Thursday, March 6, 2008 at 3:00 PM EST (1900 UTC/GMT)
FEATURING: John Strand
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/