SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XI - Issue #16
February 27, 2009
Now that it is becoming clear that the CAG (Consensus Audit Guidelines) will affect people in industries and countries far beyond US government and defense industrial base organizations, it makes sense for NewsBites to start chronicling CAG progress and spread as a continuing (last) section of the newsletter. Senator Tom Carper (Chairman of the Senate Subcommittee responsible for redrafting FISMA) and Karen Evans (outgoing e-Gov Administrator) this week made public statements... (story continues at CAG CHRONICLE at the end of the newsletter).
TOP OF THE NEWSHeartland CEO Says Company Was PCI Certified
Proposed 2010 Budget Allocates US$355 Million for DHS Cyber Security Efforts
FCC May Fine Telecoms for Failure to Prove Adequate Customer Data Protection
THE REST OF THE WEEK'S NEWSLEGAL ISSUES
UK Declines to Prosecute McKinnon
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
Employees Peek at UK Work and Pensions Database
FAA Will Use Crawler to Find Sensitive Data on its Systems
SPAM, PHISHING & ONLINE SCAMS
Phishing Scheme Spreads Through IM Services
Microsoft Advisory Warms of Excel Vulnerability
UPDATES AND PATCHES
Microsoft Update Corrects AutoRun Disabling Measure
Adobe Update Addresses Critical Flaw
STUDIES AND STATISTICS
February 2009 MessageLabs Intelligence Report
******************** Sponsored By Q1 Labs *******************************
Leverage Log Management to Boost Your Enterprise IT Security: Collect and manage event logs from your entire IT infrastructure; Effectively reduce and prioritize millions of network and security events; Quickly and easily search and report on events in real time and over an extended period of time. A COMPLIMENTARY WHITE PAPER FOR SANS READERS: https://www.sans.org/info/39273
- - Phoenix 3/23-3/30 (5 courses) http://www.sans.org/phoenix09/
- - Washington DC (Tysons Corner) 4/14-4/22 (5 long courses and 8 short courses) http://www.sans.org/tysonscorner09/event.php
- - Plus Calgary, New Orleans, San Diego and more...
- - Looking for training in your own Community? http://sans.org/community/
For a list of all upcoming events, on-line and live: www.sans.org
TOP OF THE NEWS
Heartland CEO Says Company Was PCI Certified (February 25, 2009)Heartland Payment Services Chairman and CEO Bob Carr said his company will fight any lawsuits it faces as a result of a data security breach that exposed payment card data. In a quarterly earnings call, Carr noted "that Heartland passed its PCI certification last April, and assessors are currently on-site for 2009 certification." Carr said it was not possible to determine the number of accounts affected by the breach because his company does not think the malware discovered on their computers was active the entire time. Heartland, which disclosed the breach in January, is also the subject of formal investigations and inquiries by the Federal Trade Commission (FTC), the Securities and Exchange Commission (SEC) and other federal agencies.
[Editor's Note (Pescatore): They are trying to deflect the problem here. Compliance does not equal security. I went to the doctor in January and he certified my health was fine - but who knows since then? Plus, saying "well, gee - if they required data to be encrypted internally, the fact that our servers were compromised wouldn't have been a problem" is wrong on many, many levels.
(Paller): We have also been told, repeatedly, that companies can shop for "friendly" PCI auditors. It may not be true, but before a court accepts Heartland's PCI compliance as even a partial defense, an independent auditor, not selected by Heartland, ought to double check the quality and thoroughness of testing that was done. ]
Proposed 2010 Budget Allocates US$355 Million for DHS Cyber Security Efforts (February 26, 2009)President Obama's proposed budget for fiscal 2010 includes US $355 million for Department of Homeland Security's (DHS) National Cybersecurity Division and its efforts as part of the Comprehensive National Cybersecurity Initiative. The funds would be "targeted to make public- and private-sector cyber infrastructure more resilient and secure." The requested amount marks a 21 percent increase over the US $294K designated for cyber security in the fiscal 2009 budget.
[Editor's Note (Pescatore): I hope the bulk of that goes to in creasing the security of public-sector systems, software and services. Especially to accelerate the government focus from reacting to incidents towards preventing them.
(Paller) I have been enormously impressed with the transformation in federal cyber leadership since Admiral Brown came to DHS and Mischel Kwon took over US-CERT and made it a proactive source of real-time actionable information for the feds, and the Trusted Internet Connection got moving and the Software Assurance Project brought out the Top 25 and NCSD's helping to tune the CAG - all of which is already starting to make federal cybersecurity measurably better and more proactive. ]
(Northcutt): Let's hope they spend it wisely. The URL for the budget is below and page 71 is where the discussion begins. What caught my eye is that in the highlights cyber security comes before terrorism:
(Weatherford): This is good news and while I'm not typically one to have my hand out, state and local governments are facing the same threats and challenges as the feds and equally as important, much of the same regulatory environment. In addition, cyber security for much of the nation's critical infrastructure is beyond the feds' control and resides at the state level so any funding "...targeted to make private- and public-sector cyber infrastructure more resilient and secure" would be very welcome.
FCC May Fine Telecoms for Failure to Prove Adequate Customer Data Protection (February 25 & 26, 2009)The US Federal Communications Commission (FCC) could potentially fine more than 600 telephone companies and voice over Internet protocol (VoIP) providers for failing to provide adequate proof that they are taking steps to safeguard customer data. The FCC requires that the companies submit annual certification that they have employed measures to guard customer data against exposure through pretexting; they must also prove that they have kept records of all instances in which they have provided customer data to a third party and of all customer complaints about information disclosure. Last year, 600 such operators either filed no reports or the reports they did file were noncompliant. The proposed fines would be US $20,000 for no report files, and US $10,000 for noncompliant reports.
[Editor's Note (Pescatore): Hmmm, fining them because the didn't file the paperwork isn't *quite* the same as fining them because the didn't adequately protect customer data. Let's hope they move to more active enforcement. The FCC and HHS (for HIPAA) have maintained "complaint-driven" enforcement regimes which just don't work. ]
********************** TWITTER ANNOUNCEMENT ***************************
New Twitter feeds from SANS and the Internet Storm Center provides a daily 'Tip of Day' and shares links to free content and resources and special training offers. http://twitter.com/SANSInstitute
The ISC Twitter feed provides updates on malicious activity and a variety of other great insights from Storm Center incident handlers. http://twitter.com/sans_isc
THE REST OF THE WEEK'S NEWS
UK Declines to Prosecute McKinnon (February 26, 2009)Gary McKinnon has lost another battle in the fight against his extradition to the US to face charges of breaking into government computer systems. McKinnon's legal team had proposed that he be tried for offenses under the UK's Computer Misuse Act in lieu of sending him to the US to be prosecuted, but British authorities declined to prosecute him. According to a Crown Prosecution Service spokesperson, the UK ceded jurisdiction in the case because the damage occurred in the US and not in the UK. McKinnon is still hopeful that his extradition will be prevented by a yet-to-be-scheduled judicial review of the government's decision to extradite him; McKinnon's legal team maintains his diagnosis of Asperger's Syndrome was not adequately considered in the decision.
[Editor's Note (Schultz): By fighting extradition, McKinnon apparently does not realize he may be missing out on an opportunity of a lifetime. Think of all the money he could make by speaking at information security meetings and conferences in the US! OK--I'm just kidding (sort of). ]
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
Employees Peek at UK Work and Pensions Database (February 25, 2009)The UK's Department for Work and Pensions (DWP) says that since 2006, 33 people have accessed information contained in its Customer Information System (CIS) database outside the purview of their positions. The database is designated to be part of the National Identity Scheme; it contains a record for every person who has a national insurance number. In January, DWP warned local authorities that it might prosecute employees found breaching security if the local councils did not take steps to stop the illegal activity.
[Editor's Note (Northcutt): People like to peek, they looked up Britney Spears and George Clooney's medical records and the amazing thing is those folks got caught. Most of the peeking is not detected. If you create a national level database you have to build in protection from its authorized users from the get go. ]
FAA Will Use Crawler to Find Sensitive Data on its Systems (February 25 & 26, 2009)In the wake of a computer security data breach that exposed personal information of 45,000 current and former employees, the US Federal Aviation Administration (FAA) says it will use crawler software to search out personally identifiable data on its computer systems. The tool will help the agency gain a clearer picture of what kinds of information its systems hold so they can ensure it is protected or disposed of properly.
[Editor's Note (Schultz): The FAA has a great strategy; you have to determine where sensitive information is before you can adequately protect it. It is lamentable, however, that once again an organization has decided to get serious about protecting personal information only after a catastrophic data security breach has occurred. ]
SPAM, PHISHING & ONLINE SCAMS
Phishing Scheme Spreads Through IM Services (February 25, 2009)Phishers have been targeting people who use Internet chat services with an attack aimed at stealing account login information. The attack comes in the form of instant messages asking recipients to click on a TinyURL link to watch a video. The link leads users to a site that asks for login credentials. The messages appear to come from trusted friends. Users of Gmail, Yahoo, Microsoft and MySpace instant messaging programs have reportedly received the phony messages.
Microsoft Advisory Warms of Excel Vulnerability (February 24 & 25, 2009)Microsoft has issued an advisory saying that it is investigating reports of a remote code execution vulnerability in its Excel spreadsheet program. For the attack to work, users would have to be tricked into opening a specially-crafted Excel file. The flaw could be exploited to take control of vulnerable computers. The flaw is believed to affect Microsoft Office 2000, 2002, 2003 and 2007 as well as Microsoft Office 2004 and 2008 for Mac. Microsoft has received reports of limited targeted attacks exploiting the vulnerability through a Trojan horse program.
UPDATES AND PATCHES
Microsoft Update Corrects AutoRun Disabling Measure (February 25, 2009)Microsoft has issued a non-security update that will allow administrators to properly disable the AutoRun function in Windows. Previous instructions for disabling AutoRun did not work for USB drives. The update will allow administrators to disable the function more effectively to protect systems from the Conficker worm and other potential threats.
[Editor's Note (Honan): Given the prevalence of USB related malware this is an update that you should ensure is applied to all Windows PCs and the corresponding AutoRun feature disabled.
(Northcutt): These are the moments working in security is tough. It was almost easier before when you could just say, sorry, Microsoft doesn't let us disable Autorun. Now if you do disable Autorun, everyone is going to know the "Security Guy" is the reason their CD doesn't automatically spin up when they put it in their machine. And if we don't disable Autorun, we give worms like Conficker a fair chance to spread. Conficker, by the way, is not yesterday's news any longer this B++ variant is going to stick more than a few companies:
Adobe Update Addresses Critical Flaw (February 24 & 25, 2009)Adobe has issued an update for Flash to fix at least five security flaws. Users whose systems run Internet Explorer in addition to Firefox, Safari and/or Opera will need to download two separate versions of the patch. At least one of the vulnerabilities could be exploited to gain control of users' systems; users must be tricked into downloading a malicious Shockwave file for the attack to be work. The flaw affects Adobe Flash Player versions 10.0.12.36 and earlier.
[Editor's Note (Northcutt): I would advise jumping on this one. Also, they did a really kind thing, they created a patched version 9 flash for people that had a legacy reason and could not upgrade to version 10]
STUDIES AND STATISTICS
February 2009 MessageLabs Intelligence Report (February 24, 2009)The February 2009 MessageLabs Intelligence Report says that at the beginning of the month, spam accounted for 79.5 of all email due to increased botnet activity and scammers' focus on the financial situation and the Valentine's day holiday. Overall, spam declined 1.3 percent over the month to 73.3 percent of all email.
Senator Tom Carper (Chairman of the Senate Subcommittee responsible for redrafting FISMA) and Karen Evans (outgoing e-Gov Administrator) made public statements this week about the CAG:Karen told Federal News Radio, "As a former CIO with operational responsibilities, I wanted to automate as much of the operations as I could. The CAG's recommendations would have greatly assisted me and they can assist you in today's environment. You don't want to always have to be consumed with configuration management activities. By embracing what the CAG is doing, you will have the opportunity to focus on finding things that should not be happening...maybe stop an attack if someone is inside a network and trying to exfiltrate data." (That was slightly reworded - by Karen. Hear Karen's full interview at
where she also discusses the joys and problems of using social networking sites and several other topics with WFED's Francis Rose )
Senator Carper sent the following: "I am encouraged to see the many groups held responsible for protecting our sensitive government information are coming together with a common purpose. The federal government needs to focus limited resources on protecting our networks from consistent cyber attacks that threaten our national security and the Consensus Audit Guidelines is a good first step."
What they saw immediately are the two key contributions of the CAG: focus to use limited resources effectively, and automation to make it work at scale. That's what has been missing from FISMA implementation for a decade and that's what will enable improved security, lower costs, and happier users.
CISOs and CIOs and others also spoke out this week:
"This is great! I think it will go a long way towards recalibrating the Federal cyber security efforts away from being what many have described as a report card driven paper-work exercise, to instead being now properly focused on meaningful efforts to improve the real security posture of our operational systems."
- - Dan Galik, Chief Information Security Officer, US Department of Health and Human Services
"I LOVE the CAG!"
- - Mark Weatherford, Chief Information Security Officer, State of California
"I have led teams investigating major attacks against DoD and commercial organizations. If these CAG recommendations had been implemented, they would have been able to prevent simple attacks and would have enhanced the response capability against massive breaches before sensitive data was lost."
- - Rob Lee, Mandiant
"What excites me is this approach allows often resource constrained organizations to both focus on the most critical priorities and to implement solutions that are both practical and important."
- - Dan Mintz, former CIO at the US Department of Transportation.
An in-depth review is underway at the State Department and two major conferences have asked CAG director John Gilligan to present the CAG to their audiences: the DoD/DHS Software Assurance Conference and the Information Processing Interagency Conference and the Federal. In addition entities in both Norway and Japan are undertaking review of the CAG to find the best way to use it across government and industry in those countries.
Comments and suggestions are coming in with overwhelmingly supportive statements and great suggestions for improvements. We'll provide a summary in a later CAG Chronicle.
If you have not reviewed the CAG against the controls you have implemented or against those you audit or assess, you can get started at any time. They are posted at SANS at www.sans.org/cag and at the Center for Strategic and International Studies at
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Ron Dick headed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.
Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.
Alan Paller is director of research at the SANS Institute
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/