Final Week: Get an iPad (32 G), Galaxy Tab A, or Take $250 Off OnDemand Training - Ends Jan 27

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume X - Issue #93

November 25, 2008

If you have ever been frustrated by security auditors who focused on unimportant flaws while ignoring important problems, or bothered that two security assessors reached totally different conclusions, you'll find the first story this week refreshing.
Separately, the top software security experts around the world have gotten together to work toward consensus on selecting the 25 most dangerous programming errors. Their goal is to help CIOs measure the security of the software they are buying and building and help schools ensure they are teaching secure coding effectively. For more on the top 25, see


Security Audit Guidelines Will Call on Agencies to Focus Attention on Frequently Exploited Flaws
NASA Internal Memo Addresses Removable Media Security Policy
NASA is Target of Ongoing Cyber Espionage
Symantec Report on Underground Economy


Conn. Teacher Cleared of Felony Endangerment in Pop-Up Case
Verizon Fires Employees Who Accessed Obama's Phone Records Without Authorization
Facebook Wins Record Judgment in Spam Case
Buffer Overflow Flaw in Windows Vista TCP/IP Stack
Microsoft Reports Tool Cleared Phony Security Software from 1 Million PCs
Apple Issues Update for iPhone, iPod Touch
London Hospital Computer Systems on Road to Recovery

************************* Sponsored By CA *******************************

Server Resource Protection: A Critical Element of IT Security Protecting server resources from internal and external access abuse and attacks is critical to maintaining a strong security posture. Incessant threats and attacks on enterprise security continue to challenge IT. A recent $7 billion French banking fraud case clearly illustrates the problem at hand. This IDC whitepaper analyzes common vulnerabilities in protecting server resources. Learn more



- - SANS CDI in Washington (12/10-12/16) 30 courses; big security tools expo; lots of evening sessions:
- - London (12/1-12/9)
- - Las Vegas (1/24-2/01)
- - Looking for training in your own Community?
For a list of all upcoming events, on-line and live:



Security Audit Guidelines Will Call on Agencies to Focus Attention on Frequently Exploited Flaws (November 21, 2008)

The Consensus Audit Guidelines (CAG) will enable federal agencies to focus their security expenditures on fixing the vulnerabilities that are most frequently exploited, before addressing those that are more hypothetical, and to enable agency inspectors general to verify that the most important problems are fixed first. Concentrating resources on known security flaws will improve the value of the current certification and accreditation process mandated by the Federal Information Security Management Act (FISMA) by ensuring the right things are being measured. The group developing the CAG, led by John Gilligan, who served as CIO of both the Department of Energy and of the US Air Force, is composed of experts from the key federal agencies involved in computer network attack and cyber intrusion investigations as well as their counterparts in the commercial world who do penetration testing and incident response for banks and other victims. The idea behind the initiative - one that also led to the Federal Desktop Core Configuration - is that "defense should be informed by offense."
[Editor's Note (Skoudis): Focusing defenses on the most widely used attack vectors is a good idea, one that can allow organizations with resource constraints to focus their energies on the most salient attack vectors. Of course, eventually the bad guys will innovate and use other vectors, but such guidelines can be updated as the attacks evolve.
(Paller): As Tom Donahue, the CIA's top cyber security threat analyst, is fond of saying "you have to manage the known bads." This is the first time government experts have worked together, across agency line, with the private sector, to define those "known bads," so they *can *be managed. The federal CIOs who know about this initiative expressed confidence that the CAG would allow them to more rationally allocate their security expenditures. One of them said it clearest, "It's just common sense." ]

NASA Internal Memo Addresses Removable Media Security Policy (November 21 & 24, 2008)

NASA Chief Information Officer Jonathan Pettus last week issued a memo clarifying agency policy on the use of removable media. The memo instructs employees not to use personally owned USB drives or other removable media on government computer systems; not to use government-owned removable media devices on personal machines or machines that do not belong to the agency, department or organization; not to put unknown devices into any systems; and to ensure that systems are fully patched and anti-virus software is updated. The directive is not as sweeping as that imposed by the US Defense Department, which temporarily forbids the use of USB drives and other removable media devices of all types. The DoD instruction was issued to mitigate the spread of detected malware.
[Editor's Note (Skoudis): I'm surprised it has taken this long for some organizations to act on this attack vector. Windows ships with autorun for CDs enabled, and USBs with U3 technology look just like a CD to a Windows box, making compromise trivial. Enterprises should address this threat with clear policy and instructions for employees, shored up with technical implementations that turn off autorun via Group Policy. Microsoft describes how to do the latter here:

NASA is Target of Ongoing Cyber Espionage (November 20, 2008)

An in-depth look at cyber attacks directed at NASA finds that the agency has been the target of computer network intrusions for at least a decade. Some of the problems can be attributed to the fact that NASA systems are designed to be accessible to outside researchers and contractors. A year ago, NASA Inspector General Robert W. Cobb issued a report that noted, "Our criminal investigative efforts over the last five years confirm that the threats to NASA's information are broad in scope, sophisticated, and sustained."

Symantec Report on Underground Economy (November 24, 2008)

Symantec's "Report on Underground Economy" says that some cyber criminals are breaking into companies' computer systems for one very specific reason: to check if stolen credit card information is valid. The intruders in these cases apparently do not steal any company data; they just want access to the companies' credit card payment processing systems. These services charge as much as US $10 a card to test validity for others who are not certain that the information is being sold on the Internet underground is useful. Of course, there are still cyber criminals plundering companies' databases for information as well.

************************* SPONSORED LINK ******************************

1) Hear what major government labs have implemented for Control Systems security at the SCADA & Process Control Security Summit February 2-3.




Conn. Teacher Cleared of Felony Endangerment in Pop-Up Case (November 21 & 24, 2008)

The case against Connecticut substitute teacher Julie Amero has finally come to a close. Prosecutors dropped the felony charges against her, but the agreement called for a guilty plea to a misdemeanor charge of disorderly conduct and surrender of her state teaching credential. Amero had previously been convicted of endangering minors and faced 40 years in prison. Prosecutors alleged that in 2004 she had surfed to dubious websites that displayed pornographic pop-ups on a computer in the classroom; when security specialists caught wind of the case, they pushed to examine the computer in question and found that the school district had inadequate anti-malware protection on that computer and the pop-ups were not Amero's fault.

[Editor's Note (Schultz): I feel terrible that this teacher pleaded guilty to even a lesser charge. We are truly in the dark ages when it comes to understanding what constitues computer crime. ]


Verizon Fires Employees Who Accessed Obama's Phone Records Without Authorization (November 22 & 24, 3008)

Verizon Wireless has fired an unspecified number of employees for looking at President-elect Barack Obama's cell phone records. The breaches occurred earlier this year. The employees would not have been able to access the contents of text or voice messages. The account they accessed was inactive. As soon as the problem was detected, all employees who looked at the records, even those who had the authorization to do so were put on paid leave.

[Editor's Note (Skoudis): I'm happy to see some high-profile firing associated with these cases. In many organizations, IT employees are trusted to be stewards of very sensitive information, including call records, tax information, e-mail, etc. If they abuse this trust, whether for celebrities, high-profile politicians, or even just random members of the public, they should be canned. ]


Facebook Wins Record Judgment in Spam Case (November 24, 2008)

Last week, the US District court for the Northern District of California ruled in favor of Facebook in a spam case, saying that Adam Guerbuez and his company Atlantic Blue Capital were guilty of violations of the CAN-SPAM Act. Guerbuez phished for Facebook log-in credentials and then used compromised accounts to send more than four million spam messages to friends associated with the accounts. The court also ruled that the defendants must pay Facebook damages of US $873 million; Guerbuez and his co-defendants are forbidden from accessing Facebook data in the future.


Buffer Overflow Flaw in Windows Vista TCP/IP Stack (November 21 & 24, 2008)

A buffer overflow flaw in the Windows Vista TCP/IP Stack could be exploited to hide rootkits on vulnerable computers or cause denial-of-service conditions. The researcher who found the vulnerability notified Microsoft in October; he was told that it would be fixed in the next Vista service pack.


Microsoft Reports Tool Cleared Phony Security Software from 1 Million PCs (November 21, 2008)

Microsoft said that the November version of its Malicious Software Removal Tool cleaned phony security software from almost one million computers in just nine days. The malicious software gets onto PCs either by stealth, or by users who are duped through misleading pop-ups into downloading the rogue products.



Apple Issues Update for iPhone, iPod Touch (November 22, 2008)

Apple has released an update for the iPhone and the iPod touch. In addition to new features, the update incorporates security patches for a dozen vulnerabilities, including two iPhone data exposure problems. The first of these was noted in August and allows someone with physical access to a passcode-locked device to launch applications without needing to know the passcode. The second is a vulnerability that exposes incoming SMS messages if the iPhone is set to emergency call mode. Other vulnerabilities addressed in the update include remote code execution flaws in the way the device handles image files and web pages.


London Hospital Computer Systems on Road to Recovery (November 21, 2008)

IT staff are beginning to restore access to computer systems at three London hospitals that were hit with a malware attack last week. The problem was detected on Monday, November 17; by Friday, November 21, Internet and email access were available "across key areas." Medical services were largely unaffected apart from a temporary return to handwritten medical charts and a short period of time during which ambulances were diverted.
[Editor's Note (Honan): An interesting lesson observed from this incident is to ensure that your information security incident response plan is tied into your business continuity plan and under what circumstances it can be invoked. ]

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescastore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Ron Dick headed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College,

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit