SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume X - Issue #44
June 03, 2008
Three Useful New Initiatives for NewsBites Readers
1. What are the twenty coolest careers in cyber security? Where can they be found? What does it take to qualify for them? Those are the questions for SANS' new "Roadmaps To Great Careers In Cyber Security" project being led by Rob Scola. As a first step, in the last story in this issue, you will find a draft list of the twenty coolest cyber security jobs with brief descriptions. You can help move the project forward by answering either of the questions at the beginning of the cool job list.
2. Can you find security flaws in code samples published in college text books or popular programming books? Fortify's Chief Scientist, Brian Chess, has repeatedly shown that it is possible, often in under 15 minutes. SANS will pay $100 for each of the first 30 unique examples (one per book) plus $500 bonuses for each of the best three. Brian offered to help judge. If you want to try, and also see how Brian does it, as an example, email me (email@example.com) with the subject Security Errors In Programming Books.
3. SCADA and Control Systems Security. The US leads in identifying vulnerabilities in control systems and in persuading control system vendors to fix problems, but the Europeans are far ahead in private/public partnerships that lead to actual implementation of improved security in critical infrastructure organizations. The UK and European Information Exchanges are important models for the future of information sharing. Representatives of the governments of the UK, Netherlands, Switzerland, Sweden, Germany and the European Community, plus DHS and DoE and INL in the United States are pulling together the best speakers on control system security for a Summit and Workshops on SCADA Security in Amsterdam September 8-9. SANS is hosting the event. The program will be posted next week. I am telling you about it early because seats will be allocated by country, and the US gets 30. If readers of NewsBites want to know about the program early enough to get one of the seats, email me (firstname.lastname@example.org) with "European SCADA Summit" and I'll get you the program a few hours before it goes live on the net.
TOP OF THE NEWS
Microsoft Urges Users to Stop Using Safari Until Fix is Available for Flaw
Many UK IT Managers Support Mandatory Breach Notification
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
Canadian Law Clinic Files Complaint Against Facebook
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Walter Reed Patient Data Exposed
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
More BNY Mellon Backup Tapes Lost
MediaDefender Accused of SYN Flood Attack on Revision3 Network
Stolen USB Stick with Patient Data Recovered
Belgian University Integrates Secure Coding in Computer Science & Engineering Courses
Philly Anchor's Computer Seized in Unauthorized eMail Access Case
Google Complies with Street View Take Down Requests
Attack on Russian Nuclear Info Sites Likely a Rumor
FUD Watch Column Launched
The Twenty Coolest Jobs In Cyber Security (Research Project)
LIST OF UPCOMING FREE SANS WEBCASTS
*********************** Sponsored By Sourcefire, Inc. *******************
Cornell University Intrusion Prevention System (IPS) Case Study
Weill Cornell Medical College has to secure the records of more than 750,000 unique patients annually. Cornell uses a special system to assess risks and evaluate IT systems at any given time. Learn why Cornell chose the Sourcefire 3D(tm) System to see everything running on its network in real time.
Where can you find the newest Penetration Testing techniques, Application Pen Testing, Hacker Exploits, Secure Web Application Development, Security Essentials, Forensics, Wireless, Auditing, both new Pen Testing courses, CISSP, and SANS' other top-rated courses plus evening sessions with Internet Storm Center handlers?
- - SANSFIRE 2008 in Washington DC (7/22-7/31) SANS' biggest summer program with many bonus sessions and a big exhibition of security products: http://www.sans.org/info/26774
- - Denver (6/7-6/13) http://www.sans.org/rockymnt2008/
- - Singapore (6/30-7/5) http://www.sans.org/singapore08/
- - Boston (8/9-8/16) http://www.sans.org/boston08/
- - and in 100 other cities and online any time: www.sans.org
TOP OF THE NEWS
Microsoft Urges Users to Stop Using Safari Until Fix is Available for Flaw (May 30 & 31 & June 2, 2008)
Microsoft's security team has issued an advisory recommending that users refrain from using Apple's Safari web browser on Windows until a fix is available for a vulnerability that allows attackers to download and execute files without user interaction. The problem is due to a combination of the default download location in Safari and the way the Windows desktop manages executables. The flaw affects all supported versions of Windows XP and Vista with Safari installed.
[Editor's Note (Grefer): Microsoft's Security Advisory clearly states under "Mitigating Factors: Customers who have changed the default location where Safari downloads content to the local drive are not affected by this blended threat." To do so, go to Edit > Preferences > General > Save downloaded files to (and pick a new location). ]
Many UK IT Managers Support Mandatory Breach Notification (May 29, 2008)
A poll of more than 100 IT managers at April's InfoSec security show in London found that nearly 70 percent believe UK companies should be required to disclose security breaches. Eighty percent of respondents placed insider data leaks at the top of their list of security concerns, while just 17 percent said outside threats were more dangerous than internal ones. One third of those polled said they had made budget allocations designated to improving internal security and auditing.
[Editor's Note (Pescatore): In the US mandatory breach notification led to an orgy of disclosures that I thought would lead to disclosures becoming so routine that business managers would just tune them out. That really didn't happen - turns out that the power of bad press is very impressive.
(Schultz): Statutes that require data security breach notification will in time be passed in most first world countries. The reason is that more citizens of these countries are starting to realize that the absence of such statutes greatly increases the probability that identity fraud will occur after such breaches occur.
(Honan): Despite tough data protection laws within the EU there is a growing recognition that data disclosure laws are required to ensure companies protect customer data entrusted to them. The Irish Data Protection Commissioner recently highlighted this issue claiming that Ireland may soon introduce such legislation. ]
THE REST OF THE WEEK'S NEWS
Canadian Law Clinic Files Complaint Against Facebook (May 30 & June 2, 2008)
The Canadian Internet Policy and Public Interest Clinic (CIPPIC) has filed a complaint alleging that the social networking site Facebook violated numerous aspects of the Canadian Personal Information Protection and Electronic Documents Act. The complaint alleges that Facebook failed to let users know how their information is shared with third parties and failed to obtain permission to disclose information. Facebook maintains that the complaint missed the mark, as nearly all Facebook data are willingly shared by users. Facebook has said it "will continue ongoing efforts to educate users and the public around privacy controls on Facebook."
[Editor's Note (Pescatore): The definition of "willingly shared" in advertising-supported sites is often quite different from what many people understand. Facebook's out-of-the-box privacy settings are a confusing mix of what can and cannot be shared with Friends or Networks and Friends. Now, it may not be confusing to people who use Facebook to share everything with Friends and whatever Networks are, but for anyone who is aghast at the idea of calling hundreds of people "friends," the sharing of too much information happens by default. ]
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Walter Reed Patient Data Exposed (June 2, 2008)
Walter Reed Army Medical Center has acknowledged that personally identifiable information of approximately 1,000 patients was inadvertently exposed on the Internet. Officials at Walter Reed learned of the breach on May 21 from a data mining company that was doing work for another client. When the company found a file containing the patient data, they contacted Walter Reed. The compromised data include names, Social Security numbers (SSNs) and other information, but no medical records. Walter Reed is in the process of notifying affected patients.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
More BNY Mellon Backup Tapes Lost (June 2, 2008)
Bank of New York Mellon has acknowledged the loss of more customer records. Backup tapes lost on April 29 contain 4.5 million customer records from approximately 47 companies, including Disney and Eastman Kodak. Those affected by the breach are believed to be shareholders rather than commercial customers. BNY Mellon is still dealing with the loss of another set of backup tapes in late February. Both tapes were in the possession of couriers when they were lost; BNY Mellon has terminated its business relationship with one of the couriers. BNY Mellon says it has instituted a new policy requiring data on storage devices to be encrypted and limiting the amount of confidential data held on tape drives.
MediaDefender Accused of SYN Flood Attack on Revision3 Network (May 30, 2008)
In late May, video-content creation firm Revision3 came under a SYN flood attack that prevented the company from sending email, displaying advertisements on its website and serving video content to site visitors. It was three days before Revision3 had a reliable Internet connection. The attack apparently came from MediaDefender, an independent anti-piracy company. MediaDefender had discovered that a vulnerability allowed miscreants to post pirated copies of content on Revision3's BitTorrent directory. Rather than notify Revision3 of the problem, MediaDefender instead posted phony listings in an attempt to find out who was trafficking in pirated content. Revision3 made some changes to prevent other people from listing content on its server, and MediaDefender kept trying to access the files, which ultimately overwhelmed Revision3's network.
[Editor's Comment (Northcutt): Nicely written article and this may help set a precedent. MediaDefender's web site is not flashy, this might be a fairly innocent mistake, if I was Revision3, I would be working hard to preserve every log and bit of data:
Stolen USB Stick with Patient Data Recovered (May 30, 2008)
Police in New Glasgow, Nova Scotia have recovered a stolen USB stick that contains sensitive personal information of approximately 150 children and adolescents who have received mental health treatment in Pictou County. Although someone has admitted to stealing the device, no charges are expected to be filed. Officials have begun notifying affected patients, and are conducting an investigation, as health district policy forbids having such data on a device if they are not encrypted.
Belgian University Integrates Secure Coding in Computer Science & Engineering Courses (May 2008)
DistriNet, the security research group of the Department of Computer Science at the Katholieke Universiteit Leuven, is moving to enhance the security curriculum of students by including secure coding in computing and engineering courses and to exchange teaching practices in the field of secure programming. They are partnering with SANS Secure Software Institute to provide easy access for European companies to SANS-SSI knowledge and certification.
Philly Anchor's Computer Seized in Unauthorized eMail Access Case (June 2, 2008)
A Philadelphia news anchor is off the air following an FBI raid at his home prompted by allegations that someone had been accessing private emails of his former co-anchor. Authorities seized a computer and other related equipment from Larry Mendte's home. The allegations of unauthorized access came from former co-anchor Alycia Lane, who was fired in January. Information from her private emails was somehow being leaked to the media. Lane's lawyer said the emails were allegedly intercepted while she was getting ready to sue her former employer for wrongful termination.
Google Complies with Street View Take Down Requests (June 1 & 2, 2008)
The private community of North Oaks, Minnesota sent Google a letter in January demanding that it take down Street View images of its neighborhoods. The roads in North Oaks are privately owned, meaning that whoever obtained the images did so by trespassing on private property. Google complied with the town's request. Google has faced other complaints about the Street View service. Earlier this year, a Pittsburgh couple sued Google when images of their home appeared on Street View; they maintained that a sign designating a private road was ignored. Google has removed the images in question and has filed a motion to dismiss the lawsuit, which seeks damages.
[Editor's Note (Pescatore): This is really another example of "willingly sharing" information. The next wave of issues will be around location info - mobile phone carriers know where we are, and will we find out we have all been "willingly" sharing that info?]
Attack on Russian Nuclear Info Sites Likely a Rumor (June 2, 2008)
The reported coordinated attacks on Russia's ASKRO nuclear incident notification system may be nothing more than a system overload from users responding to rumors of an incident planted on various blogs. Officials from Russia's state nuclear corporation said the downed sites were part of a two-pronged attack - the rumors and then the unavailable sites - but no evidence has emerged to support the claim of a deliberate attack.
[Editor's Note (Northcutt): Really hard to find the truth on this one and Kathy Bradford and I have been sending links back and forth. Don Jackson from SecureWorks has done the best job I think of sorting through the clutter. His work can be found here:
fline.pdf Also, some of the reports claim this caused so much fear, people ingested iodine to thwart the effects of radiation. Whew, iodine is one of those things where a little is good and more is not. ]
FUD Watch Column Launched (May 21, 2008)
CSO Senior Editor Bill Brenner is launching a FUD Watch column. With the help of input from readers, Brenner will attempt to differentiate legitimate cyber security threats from those mired in hyperbole, as well as highlight threats that deserve more exposure than they are presently getting.
The Twenty Coolest Jobs In Cyber Security (Research Project)
The 18 Coolest Jobs In Security
Here is a very preliminary list of the cyber security jobs that people have told us are often "wonderful," either because of the impact it can have, the kudos it gets, or the challenge (or a combination).
When you have reviewed the list below, please send us an answer to one of these two questions (if appropriate):
1. If you think another job should be added, tell us what it is and why it is cool.
2. If you have one of these jobs, please tell us what formal education, courses, certifications, experience, and personal/professional skills you would look for in a person you were hiring to help you do that job today. They don't have to have followed your path - how would they prepare if they wanted this job over the next decade?
Email your answers to email@example.com with subject Cool Careers
Network and System Security
1. System and Network Penetration Tester (Red Team member)
2. System and Network Assessor (Blue Team member) or PCI Assessor
3. Security-Skilled System and Network Administrator
4. Security Architect/Engineer
5. Firewall/IPS Administrator
6. Security Operations Center Analyst (Intrusion Detection/Log/SIEM Analyst)
7. Incident Handler
8. Cyber Forensics Analyst
9. Deep Dive Specialist (the people who find evidence of infections in systems that may have been compromised)
10. Technical Director and Deputy CISO
12. Security Auditor
13. Chief Security Auditor
Application Security
14. Application Penetration Tester
15. Security Maven in the Application Developer Organization
16. Vulnerability Researcher
Law Enforcement
17. Cyber Crime Investigator/Forensics Expert
18. Sworn Law Enforcement Officer Specializing in Cyber Crime
19. Prosecutor Specializing in Cyber Crime
(There are only 19, we are looking to you to tell us what's missing)
UPCOMING SANS WEBCAST SCHEDULE
SANS Special Webcast: Fourth Annual Log Management Survey
WHEN: Thursday, June 5, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Jerry Shenk and Anton Chuvakin
Sponsored By: LogLogic
The fourth annual Log Management Survey will compare and contrast how respondents use their log data, their challenges, and what they hope to derive out of their log data in the future.
SANS Special Webcast: Testing; vulnerabilities, defenses and configuration
WHEN: Tuesday, June 10, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Jerry Shenk
Sponsored By: Core Security
This webinar will arm you with all the necessary plans for using penetration testing to investigate your organization's vulnerabilities, defenses and configurations - including lab testing your processes - to help you understand what the finished product should look like.
Internet Storm Center Webcast: Threat Update
WHEN: Wednesday, June 11, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Johannes Ullrich
This monthly webcast discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.
Tool Talk Webcast: A Million Little Pieces: Detecting Fraudulent Transactions
WHEN: Tuesday, June 17, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Brian Contos
Sponsored By: ArcSight
Today's business is digital across the board, relying on digital processes, communications, assets, and commerce. This has spawned a massive increase in fraud. We read about it nearly every week, and in almost every case, the problem seems obvious in hindsight. Societe Generale, with $7 billion in trading fraud, is the current poster child. Too often, fraud could have been detected and stopped if only someone noticed the connection between several activities, each of which was fine in isolation. Taken together, however, they paint a picture of fraud.
SANS Special Webcast: Endpoint Security: Point-Solution or Protection Platform
WHEN: Tuesday, June 24, 2008 at 3:00 PM EDT (1900 UTC/GMT)
FEATURING: Stephen Northcutt and Dan Teal
Sponsored By: CoreTrace
Join SANS President Stephen Northcutt as he reviews the key features in endpoint security that really matter, how to shop for the best products, and why implementing defense in depth on your organization's endpoint is a best practice.
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/