SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume X - Issue #64
August 15, 2008
The US and European consensus procurement specifications for control systems security have been updated to include wireless security in addition to all the other aspects of control systems and SCADA security that are already included. These are great specifications. Any organization buying control systems that doesn't use the consensus specifications is probably leaving the front and back doors open. All the major control systems vendors are being briefed on how to adapt to the new specifications on September 7th in Amsterdam at the beginning of the European SCADA Security Summit, and users will be briefed on the vulnerabilities and specifications during the Summit. If you would like an invitation to the free vendor briefing or information on the entire Summit, email me (with a description of what you would like and where you work) at firstname.lastname@example.org. Also, see the second story below for more on the upcoming Summit. Alan
TOP OF THE NEWS
US Power Grid Better Equipped to Deal With Problems That Led to 2003 Outage
Government Officials To Discuss New Strategy For Protecting Systems That Control Power and Oil & Gas and Other Critical Industries (August 15, 2008)
Federal CISOs Lack Budgetary and Management Enforcement Authority
Prevalent Use of Behavioral Tracking by ISPs May Lead to Digital Privacy Legislation
Jobs Acknowledges Application Kill "Lever" for iPhones
THE REST OF THE WEEK'S NEWS
LEGAL ISSUES
Judge Lets Gag Order Stand Against MIT Students
AOL Spammer Draws Seven-Year Sentence
European Court May Hear McKinnon Appeal
Man Hopes to Fund Start-up by Charging for Vulnerability Details
Mandiant Team Wins Race to Zero Contest
UPDATES AND PATCHES
VMware Fixes Bug in ESX and ESXi 3.5 Update 2
August's Patch Tuesday Offers 11 Security Bulletins
Microsoft Issues Updates for Mac Office
Hospital Manager Loses Job Over Stolen Laptop
STUDIES AND STATISTICS
Software Security Market Looks Strong
Howard Schmidt Appointed Information Security Forum President
***************** OWASP NYC AppSEC 008 Conference *********************
Our friends at OWASP have put together a focused event September 24-25 in New York City. OWASP (www.owasp.org) is a not-for-profit community organization that does a lot of good in getting attention and developing solutions for the growing web application security issue. Proceeds from the event help fund many related projects and grants. You will see lots of familiar faces like Jeremiah Grossman, Howard Schmidt, Robert 'RSnake' Hansen and Jeff Williams. To learn more
- - NETWORK SECURITY 2008: Las Vegas (9/28-10/6) 50 courses; big tools expo; lots of evening sessions: http://www.sans.org/ns2008
- - Boston (8/9-8/16) http://www.sans.org/boston08/
- - Virginia Beach (8/21-8/29): http://www.sans.org/vabeach08/
- - Chicago Audit & Compliance (9/3-9/10): http://www.sans.org/chicago08
- - and in 100 other cities and online any time: http://www.sans.org/index.php
TOP OF THE NEWS
US Power Grid Better Equipped to Deal With Problems That Led to 2003 Outage (August 12, 2008)
Although the US power grid is better able to withstand an event like the one that caused the major outage of August 2003, federal officials, grid operators and consultants still have serious concerns. New standards and systems are in place to maintain and monitor the grid. However, the US is behind in building the power plants and transmission lines needed to meet growing demand. In addition, cyberterrorism threats against the grid need to be countered without making the countermeasures themselves public knowledge.
[Editor's Note (Ranum): So, how do we respond if some kids from a university decide to publish a paper at DEFCON outlining how to mess with the power grid? That is a legitimate question. ]
Government Officials To Discuss New Strategy For Protecting Systems That Control Power and Oil & Gas and Other Critical Industries (August 15, 2008)
At the European SCADA Security Summit, a senior leader from the UK's Centre for the Protection of National Infrastructure will outline a five-part strategy by which government and industry can move to protect the critical infrastructures on which all industrial societies depend for survival. The new strategy ranges from how vulnerabilities will be disclosed and mitigated to how top executives of power and other critical industries will be engaged in the process. The meeting will also show how these systems are being penetrated, how to prioritize defenses, and how to buy control systems with security baked in. A large number of corporate users will be there, along with leaders from other nations, to discuss the new strategies. The meeting is open to all IT security and control systems managers from critical industries, government officials responsible for critical infrastructure protection, and service providers who can help secure these systems. The full agenda will be published early next week. In the meantime, registration information can be found at
Federal CISOs Lack Budgetary and Management Enforcement Authority (August 11, 2008)
Chief Information Security Officers (CISOs) at US government agencies lack the budgetary and enforcement authority to make the changes they know would improve their agencies' information security posture. CISO responsibilities lean toward policy and compliance reporting rather than network testing and monitoring. Mandates and legislation place the responsibility for security failures squarely on the shoulders of the CISO, yet CISOs lack "a comprehensive view of their IT infrastructure," making it difficult for them to pinpoint areas of concern. The CISO "has little authority because each office within an agency claims ownership over its IT systems and data, making it hard for the CISO to require security standards and policies." One former federal CISO notes that making sure agencies are compliant with "mandates and regulations and laws and requirements ... takes down a path toward compliance for the sake of compliance, not overall improved security."
[Editor's Note (Schultz): The amount of influence and recognition information security managers in government circles so often have after they leave their positions, despite their obvious lack of influence and power when they were in their government positions, puzzles me to no end.
(Weatherford): At the risk of engendering disapproval from some of my federal colleagues, I have many thoughts related to this article but will only share two. We all understand the bureaucracy that exists in federal government, but why would ANYONE work at a job where they had no authority, no control, and "don't feel empowered to make decisions?" Seriously! There are a lot of good security jobs available so why spend your time employed in such a depressing environment? Second, a huge chunk of a CISO's time is spent communicating and I believe that when my boss doesn't share my sense of urgency about security issues it's for one of two reasons: 1) It's my fault because I haven't effectively communicated or 2) She/he has higher priorities that I'm not aware of. That doesn't however change my responsibility as the head security guy and, if all else fails, nothing gets the boss's attention like a big security incident. Of course that might cost the CISO his/her job, but if they had no authority, control, or empowerment in the first place maybe ... ]
Prevalent Use of Behavioral Tracking by ISPs May Lead to Digital Privacy Legislation (August 12 & 13, 2008)
Written responses to questions from the US House of Representatives Committee on Energy and Commerce indicate that nearly all of the 33 Internet providers contacted have gathered and analyzed data about customers' Internet usage without their permission and used the information for targeted advertising. Rep. Ed Markey (D-Mass.) says this is reason enough to "create a law that ... includes a set of legal guarantees that customers have with regard to their information." Markey says that consumers should be able to opt in to online behavioral tracking rather than having to opt out or be subject to undisclosed tracking. Some companies that tested deep packet inspection technology to target online advertising said they did so without the explicit consent of their customers. Providers' Responses:
[Editor's Note (Grefer): A European-style data-protection law stipulating an "opt-in" rather than the current US industry practice of an "opt-out" would be quite beneficial to privacy. The same would hold true for an equivalent of the European Union "Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data" which specifies that data may only be used for the purpose it was collected for; any other use of the data requires the explicit consent of the data subject, i.e. the individual. ]
Jobs Acknowledges Application Kill "Lever" for iPhones (August 11, 2008)
Steve Jobs has confirmed that Apple has in place a mechanism to remove software from the iPhone. Jobs said the technology is necessary in case the company allowed an application to be sold through the App Store that was later discovered to be malicious. The discovery of this particular technology on the iPhone has raised privacy concerns among bloggers; the individual who found it has managed to disable the deactivation functionality. Apple has also met with recent criticism for removing certain applications from its App Store with no explanation provided.
[Editor's Note (Pescatore): From a pure security perspective, having someone push a button and remove any malicious app is a great thing - as long as you trust whoever gets to push the button. What if Apple decides a competing application to iTunes is malicious? What if the kill mechanism, or (more likely) the process that leads to a kill decision has flaws and can be spoofed? If Apple fails to kill a malicious app and I suffer damage, will they cover my costs?
(Ranum): If it bothers you, buy a different phone.
(Skoudis): I've gotten a dozen e-mails from friends this week who wonder if this functionality could be combined with Dan Kaminsky's DNS poisoning to cause iPhones that rely on a given DNS server to kill all their apps. Although the kill URL uses SSL, it's not clear how the kill functionality works and whether/how the iPhone checks the cert. Still, the idea of combining this kill function with DNS poisoning seems to have popped into a lot of people's heads at the same time.
(Northcutt): Maybe the first step is to quit calling these computers phones. If it runs applications it is a computer right? How would we feel about Microsoft or Ubuntu being able to remove or add an application from our laptops without our express permission?]
THE REST OF THE WEEK'S NEWS
Judge Lets Gag Order Stand Against MIT Students (August 14, 2008)
US District Judge George O'Toole Jr. has let stand a temporary restraining order that prevents three Massachusetts Institute of Technology (MIT) students from revealing their research on the security of payment cards used by the Massachusetts Bay Transit Authority (MBTA). The MBTA sought the order to allow it time to address the vulnerabilities before the specifics of the flaws are disclosed. A hearing has been scheduled for Tuesday, when the temporary order expires; at that time, a decision will be made as to whether the order will be lifted altogether or amended to cover only "nonpublic" information. Some of the information has been available on the Internet for a while and some was made available to conference goers prior to the scheduled presentation.
[Editor's Note (Ranum): The effectiveness of the gag order appears to be minimal. Of course, the Internet's making it easy to flout a gag order does not mean that it protects you from any consequences. It took me very little time to find the slides here: ]
AOL Spammer Draws Seven-Year Sentence (August 13 & 14, 2008)
Michael Dolan has received a seven-year prison sentence for his role in a phishing scheme that targeted AOL members. Dolan and his cohorts used tools to harvest AOL screen names from chat rooms; those names were then targeted with phishing emails that appeared to be online greeting cards but actually contained malware that ultimately led users to a site run by Dolan and others, where the users were asked to provide information that included credit card and Social Security numbers (SSNs). Users were also directed to the site with emails that claimed to be from AOL's billing office. The scheme ran for more than four years, during which time prosecutors estimate the gang stole US $400,000 from 250 victims. Dolan pleaded guilty to fraud and aggravated identity theft last year.
European Court May Hear McKinnon Appeal (August 9, 12 & 13, 2008)
The European Court of Human Rights has granted Gary McKinnon a two-week stay of extradition while it decides whether or not to hear his appeal. The ECHR is McKinnon's last hope for avoiding extradition to the US to face hacking charges. McKinnon has admitted that he gained unauthorized access to US government computer systems, but says he was just trying to find information about UFOs. The US government said the intrusions carried the hallmarks of a terrorist attack. Reports are mixed about the length of the sentence McKinnon would face if and when he is tried in the US.
Man Hopes to Fund Start-up by Charging for Vulnerability Details (August 11, 12 & 13, 2008)
A man who claims to have found a number of vulnerabilities in the Java technology used on some Nokia handsets wants Nokia and Sun Microsystems to pay 20,000 euros (US $29,597) for a report that details the specifics of the flaws and includes two proof-of-concept exploits. Adam Gowdiak rejects the notion that he is blackmailing the companies, instead viewing his decision to charge for the information as a means of raising money to fund his start-up security research company. Gowdiak has briefed both companies about the vulnerabilities, so they are aware of the nature of the flaws.
[Editor's Note (Skoudis): A few times a year, I get asked by someone who has discovered a security flaw about how they can sell their discovery details to the vendor without looking like an ambulance chaser or extortionist. I regretfully respond that I just don't think there's a way of making that business model work from an ethical perspective. I encourage them to get funding *in advance* to look for flaws by building a reputation the old fashioned way -- delivering excellent service to their customers.
(Ullrich): Has been done a few times in the past with mixed success. There are well established (legal) vulnerability buyers. However, holding back a vulnerability and demanding cash is wrong.
(Honan): This use of vulnerability "research" is sickening. This is not fund raising for a company it is blackmail pure and simple. The security industry should take a stance against this type of activity by boycotting companies that follow such practices.
(Northcutt): Almost certainly Gowdiak is using fuzzing style testing tools and Nokia needs to do more of that; word on the street is this isn't the first time a researcher has reported problems to them. The next couple years are going to have a lot of this sort of stuff. The good news is that software will be better for it all when we emerge from the tunnel two to four years hence. ]
Mandiant Team Wins Race to Zero Contest (August 11, 2008)
A trio of consultants from Mandiant won the Race to Zero contest. While they did not finish first, Nick Harbour, Steve Davis and Pete Silberman "managed to sneak all 10 virus and exploit samples past major antivirus scanners." The three said they participated in the contest to draw attention to the fact that organizations should not depend solely on antivirus tools to protect their systems. Harbour created obfuscation software that he and his team used in the contest. Another team brought custom packing software that allowed them to finish first, in just two hours and 25 minutes; the Mandiant team took just over six hours to complete the contest. Race to Zero is run by New Zealand security researcher Simon Howard. The contest was conducted on a closed network not connected to the Internet.
[Editor's Note (Skoudis): I saw Nick Harbour present at Defcon, and found his research fascinating. The way he slices and dices executables to make them difficult or impossible to detect is quite impressive and scary. Based on his work and the work of many others, I believe the AV vendors will have to turn more and more to behavior-based detection. Signatures were cool fifteen, ten, and arguably five years ago. We shouldn't ditch them, but realize that we really need to augment them.
(Northcutt): The day of anti-virus products has passed; they had a good run. Save the money, run ClamAV to keep the auditors off your back and vigorously investigate one of the white list solutions. We did a webcast on this basic problem, but you don't need to invest the time to listen to the webcast. The powerpoint is posted with notes: ]
UPDATES AND PATCHES
VMware Fixes Bug in ESX and ESXi 3.5 Update 2 (August 13, 2008)
VMware has released a patch for a bug in Update 2 for the ESX and ESXi 3.5 hypervisors that, starting earlier this week, prevented users from powering on virtual machines on those hosts. VMware is also working on a re-release of the Update 2 software, which should be available soon. The problem was due to a license limitation built into the code that caused it to expire at 12:00 am on Tuesday, August 12. Virtual machines that were already running were not shut down, but machines that had been suspended could not be resumed.
[Editor's Note (Skoudis): Imagine your critical infrastructure devices all having a timebomb in them, ticking away the seconds to some date that you don't know about because your vendor never told you. I could understand this functionality if it were associated with a given enterprise license, but this issue was hard-coded into their product, regardless of the license status or its expiration date. That's really bad software implementation, in my book, in software that supposedly is very carefully audited. ]
August's Patch Tuesday Offers 11 Security Bulletins (August 12, 2008)
On Tuesday, August 12, Microsoft issued 11 security bulletins; six were rated critical and five were rated important. All six of the critical bulletins address remote code execution flaws; affected software includes Microsoft Windows, Internet Explorer and Microsoft Office. Two of the five important bulletins address remote code execution flaws; the other three address information disclosure flaws. Affected software includes Microsoft Windows, Outlook Express, Windows Mail, Windows Messenger and Microsoft Office. Microsoft also released an updated version of its Windows Malicious Software Removal Tool.
Microsoft Issues Updates for Mac Office (August 14, 2008)
Microsoft has released updates for Mac Office 2004 and Mac Office 2008. The Office 2008 update addresses five remote code execution vulnerabilities in Excel as well as a number of stability and performance issues; the Office 2004 update fixes four Excel flaws and one stability issue.
[Editor's Note (Veltsos): Several patches did not make it in the current round, including some vulnerabilities that were initially reported more than 200 days ago - light-years in terms of IT security. A critical vulnerability in Windows Media Player was delayed due to quality concerns. Details at: ]
Hospital Manager Loses Job Over Stolen Laptop (August 12, 2008)
A Colchester University Hospital manager has been dismissed following a disciplinary hearing regarding a stolen laptop. The computer was stolen from the manager's car while he was on holiday; the data, which include personal information and medical treatment plans, were not encrypted. The Colchester Hospital University NHS Foundation Trust is compiling a list of organizations to perform an external evaluation of laptop security.
[Editor's Note (Pescatore): There are a lot of potential security violations the manager could have committed, but we don't know the hospital's particular policies. The sacking may be justified, but corporate laptops without encryption installed by corporate are like data centers with policies prohibiting access rather than having locked doors. ]
STUDIES AND STATISTICS
Software Security Market Looks Strong (August 11, 2008)
According to statistics compiled by Gary McGraw, the overall software security market for tools and services in 2007 was between US $275 million and US $300 million; application firewalls added an additional US $50 million. In the area of tools, the black box space was flat, while the source code analysis tools space grew significantly, indicating that companies are increasingly "looking to fix problems, not just identify them from the operations side."
[Editor's Note (Ullrich): Sadly, these stats seem to suggest that the solution to software security is purchasing a few black boxes and development tools. They are a part of it, but the real change has to happen in developers' brains, and they have to start using existing as well as new tools. ]
Howard Schmidt Appointed Information Security Forum President (August 12, 2008)
Professor Howard A. Schmidt has been appointed the first President of the Information Security Forum. "The ISF is an independent, not-for-profit association of some 300 of the world's largest corporations and public sector bodies that harness their knowledge and experiences to resolve information security and risk management issues." Among Schmidt's previous roles in the information security world are White House IT security advisor, chief security strategist at eBay and chief security officer at Microsoft.
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.
Alan Paller is director of research at the SANS Institute
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security courses at Minnesota State University, Mankato. He is the President of Prudent Security LLC and also serves as the President of the Mankato Chapter ISSA.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit