DFIRCON - Live Online: The ALL Digital Forensics, Threat Hunting and Incident Response Training Event. Save $300 thru 10/7.

Newsletters: Newsbites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XI - Issue #18

March 06, 2009

"The verdict is in" on the CAG: Government Computer News ran a story implying the CAG should be used to replace the NIST guidance and then ran a second story entitled "Consensus Audit Guidelines no substitute for FISMA guidance." This second story was distributed widely across government and in companies that support the government and was interpreted by many high level people as GCN saying NIST guidance should be the base for federal security auditing - and might be augmented by elements of the CAG. Now the editor of Government Computer News, who assigned reporters to write both earlier stories, has weighed in. Wyatt Kash wrote in his editorial that will appear in the paper on Monday, "We have high regard for NIST's work. However, the problem for organizations trying to follow NIST's guidelines amid today's increasing cyberthreats is akin to confronting a raging new pandemic with an encyclopedic field guide to holistic health care." http://gcn.com/articles/2009/03/09/editors-desk-cag-security-triage.aspx

Speaking of the CAG, the first and last weeks of April, you can get the first two looks at how agencies have implemented key elements of the CAG. "What Works in Log Management and Analysis" Summit in Washington on April 6-7 is the first opportunity to learn how the log-related controls of the CAG are actually being implemented. Fourteen of the key actions needed to implement the CAG Guidelines (as published in Draft 1.0 on Feb 23, 2009) will be targeted at the Summit being held in Washington DC on April 6 & 7. Five of the key actions are labeled as "quick wins," so, any ISO or ISSM or consultant looking for a fast way to demonstrate actual security improvements should attend. In most cases you already have the tools in place; you may not yet have turned the right features on or targeted them in the right directions. Federal departmental level CISOs have free passes for the program; contact your CISO. Others may register at http://www.sans.org/logmgtsummit09/

And on April 29th, the Application Security Summit, also in Washington, will focus on federal and financial institution experience with tools for CAG Control 7.


The White House Cyber Review is Being Reviewed
DNSSEC Deployed on Top-Level .gov Domain


Five Sentenced in Connection with Attempted Cyber Bank Theft
Court Order Bars Spammer From Accessing Facebook Network
Convicted Cyber Criminal Will Continue Working
German Police Shutter Cyber Crime Forum
Obama Appoints Vivek Kundra as First Federal CIO
Government Seeks "Game-Changing" Cyber Security Research Ideas
Microsoft to Issue Three Security Bulletins in March
Mozilla Releases Firefox Update
Opera Software Releases Security and Stability Upgrade for Browser
Spotify Acknowledges Data Breach

*********************** Sponsored By Q1 Labs ****************************

Free, Downloadable, Virtual Appliance for Log and Compliance Management: Recognizing that enterprises of all sizes are required to collect and manage event logs - and in response to the challenging economic and business conditions facing organizations everywhere - Q1 Labs is providing a free, feature-rich log management solution called QRadar SLIM Free Edition (FE).



- - Phoenix 3/23-3/30 (5 courses) http://www.sans.org/phoenix09/
- - Washington DC (Tyson's Corner) 4/14-4/22 (5 long courses and 8 short courses) http://www.sans.org/tysonscorner09/event.php
- - Log Management Summit in Washington 4/5-4/7 http://www.sans.org/logmgtsummit09/
- - Plus Calgary, New Orleans, San Diego and more...
- - Looking for training in your own Community? http://sans.org/community/
For a list of all upcoming events, on-line and live: www.sans.org



The White House Cyber Review is Being Reviewed

A Congressional hearing is planned next week to review progress on the 60 day White House cyber review.

DNSSEC Deployed on Top-Level .gov Domain (March 5, 2009)

The US General Services Administration (GSA) has announced that as of February 28, 2009, DNSSEC (Doman Name System Security Extensions) is operational on the top-level .gov domain. The implementation became official one month after the January deadline, which the Office of Management and Budget (OMB) established last August. The extension was required because the testing process revealed the need for an additional feature in the software being used. DNSSEC allows "DNS queries and responses (to) be digitally signed so they can be authenticated and are harder to spoof or manipulate."
[Editor's Note (Liston): This is a very welcome first step in a process that cannot happen too quickly.
(Schultz): This is a major accomplishment, as implementing DNSSEC is complex. ]



Five Sentenced in Connection with Attempted Cyber Bank Theft (March 4, 2009)

Five men have been sentenced to between three and eight years in jail for their roles in a scheme in which they attempted to steal GBP 229 million (US $324 million) from the London branch of Japan's Sumitomo Mitsui Bank. Hugh Rodley, who appears to have masterminded the plot, received an eight-year sentence. Kevin O'Donoghue, a bank guard who allowed members of the cyber crime gang in after hours, received a sentence of four years and four months; Jan Van Osselaer and Gilles Poelvoorde, who entered the building and planted devices to steal information, received sentences of three-and-a-half and four years, respectively; and David Nash received a three-year sentence. After harvesting information from the bank computers, members of the group returned and attempted to make transfers of various sums to accounts set up in Spain, Turkey, Dubai and other countries around the world. The transfers failed because the would-be thieves filled out transfer forms incorrectly.

[Editor's Note (Schultz): Something to note in this story is the fact that this crime was accomplished with the assistance of a "security supervisor." Once more this shows that although most insider attacks are committed by technical personnel such as system and network administrators, managers should not be above suspicion.
(Liston): They're smart enough to pull off a plan where they install a keystroke logger on a bank workstation and grab account and password info... and then THEY CAN'T FILL OUT A BANK TRANSFER FORM CORRECTLY!?!?]

Court Order Bars Spammer From Accessing Facebook Network (March 3 & 4, 2009)

Social networking site Facebook has obtained a court order barring known spammer Sanford Wallace and two alleged accomplices, Adam Arzoomanian and Scott Shaw, from accessing Facebook's network. According to court filings, the men allegedly accessed users' accounts and spammed their contact lists by writing on the contacts' "walls." The messages lured recipients to websites that would attempt to steal Facebook login information.
[Editor's Note (Liston): Sanford Wallace again? This guy is the archetypical "bad penny" that the Internet just can't get rid of. ]




Convicted Cyber Criminal Will Continue Working (March 5, 2009)

Jonathan Kenneth Schiefer of Los Angeles, CA has been sentenced to four years in federal prison for infecting 250,000 PCs with malware and stealing sensitive information when users accessed certain financially related websites. That information was then used to make fraudulent purchases and fund transfers. Schiefer has also been ordered to pay US $19,000 in restitution to a Dutch Internet advertising company for placing their ads on users' computers without consent, in violation of that company's policy. Schiefer's current employer, Mahalo.com, has chosen to allow him to work there until "the day that he goes to prison."


German Police Shutter Cyber Crime Forum (March 4, 2009)

German police have closed down a cyber crime forum and arrested several of its members. Cyber criminals had been using the codesoft.cc messageboard to share information on how to steal sensitive data including passwords and how to manufacture phony payment cards. The forum was also used to sell data-stealing malware.


Obama Appoints Vivek Kundra as First Federal CIO (March 5, 2009)

President Barack Obama has appointed District of Columbia chief technology (CTO) officer Vivek Kundra to be the first federal CIO (chief information officer). Kundra will work closely with a yet-to-be-appointed federal CTO. Obama said Kundra "will play a key role in making sure our government is running in the most secure, open and efficient way possible." Kundra will "direct the policy and strategic planning of federal information technology investments and (will be) responsible for oversight of federal technology spending." Vivek said he plans to make large quantities of non-sensitive government data available to the public on a web site, www.data.gov.


Government Seeks "Game-Changing" Cyber Security Research Ideas (March 2, 2009)

The US National Coordination Office for Networking Information Technology Research and Development has published a notice in the Federal Register seeking industry submissions of research concepts that will be "game-changing" in the efforts to protect government systems from cyber attacks. Submissions will be accepted through April 15, 2009. The request is part of the National Cyber Leap Year phase of the Comprehensive National Cybersecurity Initiative.


Microsoft to Issue Three Security Bulletins in March (March 5, 2009)

Microsoft will issue three security bulletins on Tuesday, March 11. One of the bulletins has been given a severity rating of critical; it addresses a remote code execution vulnerability; the other two bulletins have been given severity ratings of important and address spoofing vulnerabilities. All three bulletins affect Windows, and all thee will require a restart. Conspicuously absent from the patch lineup is a fix for a zero-day flaw in Excel for which Microsoft issued an advisory last week; that vulnerability is already being actively exploited.

[Editor's Note (Liston): This flaw is, unquestionably, critical enough to warrant an "out of band" patch release. ]

Mozilla Releases Firefox Update (March 4 & 5, 2009)

Mozilla has released Firefox version 3.0.7 to address a handful of security problems that troubled version 3.0.6. Three of the vulnerabilities are rated critical; some of the flaws, which cause the browser to crash, could potentially allow execution of arbitrary code. The flaws also affect Thunderbird and SeaMonkey.



Opera Software Releases Security and Stability Upgrade for Browser (March 3 & 4, 2009)

Opera has released an update to address a severe vulnerability in its browser. The flaw could be exploited with maliciously crafted JPEGs to crash the browser and execute arbitrary code. The update also fixes several other flaws and stability issues, including one vulnerability that could be exploited by malicious plug-ins to allow cross-site scripting. The update, Opera version 9.64, is available for download.


Spotify Acknowledges Data Breach (March 4 & 5, 2009)

Swedish music streaming company Spotify has acknowledged that a data security breach exposed users' registration information, including email addresses, dates of birth and passwords. The company does not believe that credit card information was compromised, as it is handled by a third party. Spotify recommends that users who registered on the site prior to December 19, 2008 change their passwords. Spotify discovered the vulnerability and fixed it in December, but only recently became aware that the flaw had been exploited. The company learned of the breach after attackers contacted them through third parties.

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Ron Dick headed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.

Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.

Alan Paller is director of research at the SANS Institute

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/