SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XI - Issue #22
March 20, 2009
Important project if your organization uses contractors and outsourcers to design, build or deploy important applications. Jim Routh, CISO at Depository Trust and Clearing Corporation (and one of the top CISOs in implementing application security), leads a broad industry team identifying leading practices in improving supply chain resiliency -- specifically in the area of procurement for outsourcing software development and services. They have asked for your help in finding sources of information in the public domain and/or descriptions of a practice or control that you have used that actually mitigates one or more risks. If you have experience or knowledge of security controls and practices specific to the outsourcing of application development through service providers, please send a note to Mason Brown at email@example.com. This can include things like sample contract language or URLs for information/resources you have seen or used. We will provide a summary of the information to anyone who contributes or expresses an interest in seeing the results.
TOP OF THE NEWS
EPIC Asks FTC to Investigate Google's Cloud Computing Services Security
Visa Sets Deadline for Bank Fraud Claims in Heartland Breach
Jurors Admit to Accessing Internet to Research Cases
THE REST OF THE WEEK'S NEWS
ARRESTS, CHARGES, CONVICTIONS & SENTENCES
FBI Agent Allegedly Accessed Confidential Database Without Authorization
IT Contract Worker Indicted for Sabotage
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
Senate Committee Holds Hearing on Cyber Security Vulnerabilities and Defense
Kundra Reinstated
POLICY AND LEGISLATION
UK May Start Retaining Social Networking Site Data
Critical Buffer Overflow Flaw in WordPerfect Library
STUDIES AND STATISTICS
Cyber Squatting and Brand Abuse a Growing Problem
Microsoft Releases IE 8
Australian Internet Blacklist
******************** Sponsored By IBM Rational AppScan ******************
Improving the security of web applications starts by building software securely. IBM Rational AppScan is a suite of Web application vulnerability scanners that include dynamic and static analysis capabilities. Now you can engage more testers earlier in the development cycle. Try it for yourself. Download an evaluation copy of IBM Rational AppScan Developer Edition. http://www.sans.org/info/40768
- - Phoenix 3/23-3/30 (5 courses) http://www.sans.org/phoenix09/
- - Washington DC (Tyson's Corner) 4/14-4/22 (5 long courses and 8 short courses) http://www.sans.org/tysonscorner09/event.php
- - Amsterdam and Melbourne, too. See www.sans.org
- - Log Management Summit in Washington 4/5-4/7 http://www.sans.org/logmgtsummit09/
- - Plus Calgary, New Orleans, San Diego and more...
- - Looking for training in your own Community? http://sans.org/community/
For a list of all upcoming events, on-line and live: www.sans.org
TOP OF THE NEWS
EPIC Asks FTC to Investigate Google's Cloud Computing Services Security (March 18, 2009) The Electronic Privacy Information Center (EPIC) has filed a complaint with the Federal Trade Commission (FTC) asking the agency to investigate whether Google's cloud computing services, including Gmail, are taking adequate steps to protect users' privacy. Several weeks ago, a flaw in Google Docs allowed unauthorized users to access others' documents. That problem has reportedly been addressed. EPIC is seeking to force Google to make its security practices more transparent.
[Editor's Note (Liston): I don't understand this case at all. There are hundreds of online storage solutions out there, each of which brings with it a plethora of security concerns. Should the FTC be investigating them all? Or should it be up to the businesses and consumers using the services to make their own decisions? Honestly, this seems pretty simple: if Google isn't "transparent" enough in its security practices for you, then DON'T STORE YOUR DATA WITH THEM.) ]
Visa Sets Deadline for Bank Fraud Claims in Heartland Breach (March 16, 2009) Visa has established May 19, 2009 as the deadline for banks to file fraud claims resulting from the Heartland Payment Systems data security breach. Last week, Visa announced that Heartland and RBS WorldPay, which also recently acknowledged a significant data security breach, were no longer on its list of Payment Card Industry Data Security Standard (PCI DSS) compliant service providers. Heartland is considered to be on probation; both Heartland and RBS WorldPay are undergoing the process of recertification. Heartland was last certified as PCI DSS compliant in April 2008; RBS WorldPay was reportedly certified as compliant in June 2008.
[Editor's Note (Schultz): One of the most serious problems with PCI-DSS certification is that banks and merchants too often devote considerable effort to achieving certification, but then afterwards do little if anything to maintain the security state that they established earlier.
(Ranum): Meanwhile, the real victims - people who suffer from identity theft, lost time, or credit fraud - get a nice little letter telling them "We made a mistake and it's your problem to clean it up. Have a nice day." To me, the banks and payment companies who are suing each other and finger-pointing are a side-show; they're in business and are simply incurring an unexpected cost for mistakes made. Let's not overlook the victims: real human beings.
(Honan): There have been a lot of discussions claiming that these breaches demonstrate how ineffective PCI DSS is. Let's not forget that before PCI DSS was introduced many companies paid little or no heed to securing credit card details. PCI DSS has set a minimum benchmark for companies to achieve, but it should be remembered that PCI DSS should be considered a minimum baseline and not a target. And for those who have not paid attention previously, compliance with a standard does not equate to being secure. ]
Jurors Admit to Accessing Internet to Research Cases (March 18, 2009) The pervasiveness of connectivity through BlackBerrys, iPhones and other devices is causing problems in court cases around the country. A judge in a federal drug trial in Florida was forced to declare a mistrial after nine of the jurors admitted they had been researching the case on the Internet. An Arkansas company asked to have a US $12.6 million judgment against it overturned because a juror had allegedly sent updates via Twitter during the trial. And the defense team in the corruption trial of a former Pennsylvania state legislator asked for a mistrial because a juror allegedly posted updates about the case on Facebook and Twitter. In that case, the judge declined and the defendant was found guilty. The postings will have a prominent place in the appeal. While jurors may believe that finding out more information helps them do a better job, it is a clear violation of the rules of evidence, which require that the facts a jury hears have to be "subjected to scrutiny and challenge from both sides" in the case. Jurors doing research could find themselves faced with evidence that has been excluded from the case.
[Editor's Note (Schultz): Mobile computing devices have opened Pandora's box in more ways than introducing remotely exploitable vulnerabilities. As this news item so nicely shows, the fact that so many people use them in so many different contexts has, among other things, provided the ability to circumvent restrictions concerning information access.
(Liston): IT professionals oftentimes think of "user education" as the punch line to a long-running joke. User education fails in instances where we try to change behavior by providing some new, meaningless motivation (i.e. we ask users to choose between the fun they'll have when they install a dancing gerbils screensaver on "their" computer versus the potential that it might cause some unspecified bad thing to happen to the "company" network). In this case, the juror's motives are clearly aligned with those of the court. (Why are they researching the case? They want to do a good job as a juror.) This is a perfect example of a situation where user education WILL work. ]
THE REST OF THE WEEK'S NEWS
ARRESTS, CHARGES, CONVICTIONS & SENTENCES
FBI Agent Allegedly Accessed Confidential Database Without Authorization (March 18, 2009) An FBI agent in New York has been suspended without pay following charges that he accessed a confidential law enforcement database without authorization. William H. Shirk III also allegedly maintained contact with an informant despite their professional relationship having ended. Shirk allegedly used the database to find information about the informant and to access information about an investigation in the Tucson, AZ FBI office, where he used to work, even though he had been warned to stay away from the case.
IT Contract Worker Indicted for Sabotage (March 17 & 18, 2009) Mario Azar, who was formerly employed as an IT consultant at an oil and gas production company, has been charged with illegally accessing and compromising a computer system that was used to monitor offshore oil platforms. Before his employment with Pacific Energy Resources Ltd. (PER) ended last May, Azar had established multiple user accounts on the system; after he left, he was able to use those accounts to gain access to the system and cause problems that rendered it unavailable. His activity did not result in environmental damage. Azar's actions were allegedly spurred by PER's refusal to hire him on a permanent basis. He faces a maximum prison sentence of 10 years.
[Editor's Note (Skoudis): Here's yet another story representing the tip of the iceberg of computer attacks against systems that control physical devices that could pose a threat to life or limb. The threats and vulnerabilities here are real, and someday we may very well have a tragedy. ]
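The control that would have caught the pattern above is an offboarding audit that ties every account a departing user created back to that user, checks whether those accounts were disabled, and alerts on logins to them after the user's last day. The script below is an added example for this digest, not code from the original item or from PER; the audit-log format, the account names, the actor "mazar" and the departure date are all constructed for illustration.

```python
"""Offboarding audit: flag accounts a departed user created that were
never disabled, and logins to them after that user's last day.

Added example; the log format, names and dates are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

# Constructed audit log, one event per line: <date> <event> <actor> <account>
AUDIT_LOG = """\
2008-03-02 CREATE_ACCOUNT mazar svc_monitor2
2008-03-02 CREATE_ACCOUNT mazar backup_ops
2008-04-10 CREATE_ACCOUNT jdoe newhire1
2008-05-15 DISABLE_ACCOUNT admin mazar
2008-06-03 LOGIN backup_ops backup_ops
2008-07-21 LOGIN svc_monitor2 svc_monitor2
2008-07-21 LOGIN jdoe jdoe
"""

# Constructed HR feed: departed user -> last day of authorized access
DEPARTURES: Dict[str, date] = {"mazar": date(2008, 5, 15)}


@dataclass
class Event:
    when: date
    kind: str
    actor: str
    account: str


def parse_log(text: str) -> List[Event]:
    """Parse the whitespace-separated audit format used above."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        d, kind, actor, account = line.split()
        events.append(Event(date.fromisoformat(d), kind, actor, account))
    return events


def accounts_tied_to(events: List[Event], departures: Dict[str, date]) -> Dict[str, str]:
    """Map each account a departed user owns or created to that user."""
    owner = {user: user for user in departures}
    for e in events:
        if e.kind == "CREATE_ACCOUNT" and e.actor in departures:
            owner[e.account] = e.actor
    return owner


def orphaned_accounts(events: List[Event], departures: Dict[str, date]) -> List[str]:
    """Accounts created by a departed user that were never disabled."""
    disabled = {e.account for e in events if e.kind == "DISABLE_ACCOUNT"}
    owner = accounts_tied_to(events, departures)
    return sorted(a for a, u in owner.items() if a != u and a not in disabled)


def post_departure_logins(events: List[Event],
                          departures: Dict[str, date]) -> List[Tuple[str, str, str]]:
    """(date, account, departed user) for logins after that user's last day."""
    owner = accounts_tied_to(events, departures)
    return [(e.when.isoformat(), e.account, owner[e.account])
            for e in events
            if e.kind == "LOGIN" and e.account in owner
            and e.when > departures[owner[e.account]]]


if __name__ == "__main__":
    ev = parse_log(AUDIT_LOG)
    print("orphaned accounts:", orphaned_accounts(ev, DEPARTURES))
    print("post-departure logins:", post_departure_logins(ev, DEPARTURES))
```

On the constructed log the audit flags both accounts "mazar" created (the disable event only covered his own login) and the two logins to them after 15 May. In practice the events come from the directory or identity provider's account-creation and logon audit trail and the departure list from HR; the stronger preventive control is to make account creation an approved, attributable action so that the offboarding checklist has a complete list to disable.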
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
Senate Committee Holds Hearing on Cyber Security Vulnerabilities and Defense (March 19, 2009) On Thursday, March 19, 2009, the US Senate Committee on Commerce, Science, and Transportation held a hearing titled Cybersecurity: Assessing Our Vulnerabilities and Developing an Effective Defense. Among the witnesses offering testimony was Dr. Joseph Weiss, a nuclear engineer with extensive experience in the commercial power industry, who spoke about the security of the control systems used in the country's critical infrastructure. Dr. Weiss said that industrial control systems had suffered security breaches at least 125 times during the past decade. The effects include environmental damage, mechanical damage and, in one case, death. He said that a coordinated attack could have devastating consequences, "taking months to recover."
[Editor's Note (Skoudis): We have here more hints about that iceberg. It's truly vast. ]
Kundra Reinstated (March 17, 18 & 19, 2009) Vivek Kundra is back at work as federal chief information officer (CIO). Kundra was placed on a temporary leave of absence from his position following the arrest of the District of Columbia's acting chief information security officer, Yusuf Acar; Kundra had held that position before he became the country's first CIO. A second man, a contractor at the office, was also arrested, and an investigation is ongoing. Kundra is not implicated in the case. A total of four DC Tech officers have been placed on administrative leave and 23 consultants have been fired.
POLICY AND LEGISLATION
UK May Start Retaining Social Networking Site Data (March 18 & 19, 2009) UK Home Office Security Minister Vernon Coaker says that the EU Data Retention Directive does not go far enough because it does not include communications on social networking sites like Facebook and Bebo. As of March 15, 2009, UK ISPs are required to retain user traffic information for 12 months. Coaker said that future Interception Modernisation Programme proposals could include retention of social networking site data.
[Editor's Note (Honan): I am concerned Mr. Coaker is undertaking a task similar to King Cnut trying to stop the ocean tides. Trying to capture all communications within all social networks will be a similar futile task. ]
Critical Buffer Overflow Flaw in WordPerfect Library (March 18, 2009) The Autonomy KeyView SDK, a document-parsing library that handles WordPerfect files, is susceptible to a critical buffer overflow flaw. The library is embedded in IBM's Lotus Notes, some Symantec email scanners and other programs. The vulnerability could be exploited through maliciously crafted email attachments to inject and execute arbitrary code. Because the library is embedded in mail scanners, the scanner itself parses an incoming attachment, so exploitation need not depend on a recipient opening the file.
STUDIES AND STATISTICS
Cyber Squatting and Brand Abuse a Growing Problem (March 17, 2009) A study from MarkMonitor found that the practice of cybersquatting increased 18 percent during 2008. Cybersquatting involves registering a domain name associated with a company in order to lure users to sites that trade on that company's good name or serve other malicious purposes. Eighty percent of the brand-abuse sites identified in 2007 are still active.
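The first step in brand-abuse monitoring is triage: deciding which newly registered domains are close enough to a brand to warrant a takedown request. The script below is an added example for this digest, not from the MarkMonitor study; the brand "examplebank", the legitimate-domain list and the observed registrations are constructed for illustration. It flags two patterns the item describes: domains that embed the brand string, and single-edit typos of it.

```python
"""Brand-abuse triage: flag observed domain registrations that impersonate
a brand by a single-character typo or by embedding the brand string.

Added example; the brand and the domain list are constructed."""
from typing import List, Optional, Set, Tuple

BRAND = "examplebank"
LEGITIMATE = {"examplebank.com", "examplebank.net"}   # the brand's own domains

# Constructed feed of newly observed registrations (e.g. from a zone-file diff)
OBSERVED = [
    "examplebank.com",        # legitimate
    "exampleb4nk.com",        # lookalike substitution
    "exmaplebank.net",        # transposition
    "examplebank-login.com",  # brand plus lure word
    "examplebankk.org",       # doubled letter
    "weatherreport.org",      # unrelated
]

# Substitutions that read alike in an address bar or a phishing mail
LOOKALIKES = {"a": "4", "e": "3", "i": "1", "l": "1", "o": "0", "s": "5"}


def typo_variants(name: str) -> Set[str]:
    """Single-edit variants: omission, repetition, transposition, lookalike."""
    out: Set[str] = set()
    for i, ch in enumerate(name):
        out.add(name[:i] + name[i + 1:])                          # omission
        out.add(name[:i] + ch + ch + name[i + 1:])                # repetition
        if i + 1 < len(name):                                     # transposition
            out.add(name[:i] + name[i + 1] + ch + name[i + 2:])
        if ch in LOOKALIKES:                                      # lookalike
            out.add(name[:i] + LOOKALIKES[ch] + name[i + 1:])
    out.discard(name)
    return out


def classify(domain: str, brand: str = BRAND) -> Optional[str]:
    """Label a suspicious domain, or return None if it looks clean."""
    if domain in LEGITIMATE:
        return None
    label = domain.rsplit(".", 1)[0]      # drop the TLD, keep the registrable label
    if label in typo_variants(brand):     # checked first: a doubled letter also
        return "typosquat"                # contains the brand string
    if brand in label:
        return "brand-in-label"
    return None


def triage(domains: List[str]) -> List[Tuple[str, str]]:
    """Return (domain, label) for every flagged registration, in input order."""
    flagged = []
    for d in domains:
        label = classify(d)
        if label is not None:
            flagged.append((d, label))
    return flagged


if __name__ == "__main__":
    for domain, label in triage(OBSERVED):
        print(f"{domain:26} {label}")
```

The lookalike table and the single-edit generator are deliberately small; production triage adds keyboard-adjacency errors, IDN homoglyphs and brand strings appearing in subdomains of unrelated registrable domains, and scores each hit by whether the site resolves and serves a login form.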
Microsoft Releases IE 8 (March 19, 2009) Microsoft has released Internet Explorer 8 (IE 8), the first major update for the browser since 2006. Among the new features in IE 8 are Accelerators and Web Slices. Accelerators reduce repetitive actions to one right click; Web Slices allows users to create links on their toolbars that bring up small portions of web pages, such as weather reports. The browser also has a privacy mode that does not retain browsing histories or cookies, and a feature that lets users block advertisements from companies conducting behavioral targeting. IE 8 has been in beta testing for just over a year.
[Editor's Note (Honan): And within days of its release the first security vulnerability is discovered. ]
Australian Internet Blacklist (March 17, 2009) People who hyperlink to websites on the Australian Communications and Media Authority's blacklist could find themselves fined AU $11,000 (US $7,600) a day. The list includes several Wikileaks pages, added because Wikileaks published a document that listed websites banned in Denmark. The ACMA has the authority to require sites hosted in Australia to remove pages on the list as well as links to those pages. Civil liberties activists are concerned that the list is so easily expanded. Australia was recently placed on the Reporters Without Borders watchlist of countries that are placing anti-democratic restrictions on the Internet.
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Ron Dick headed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.
Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/