Take your cyber security skills to the next level with SANS training in Miami! Save $300 thru 11/20.

Newsletters: Newsbites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XI - Issue #38

May 15, 2009

IT security is changing this year for four groups: Federal IT executives; IT and security people in the defense industrial base and in the critical infrastructure; the contractors who support them; and the auditors and inspector generals who measure security: The shift to automated, continuous measurement of critical security controls is the biggest change coming in those worlds during the rest of 2009 and 2010. On June 22-23 in Washington, a workshop/short course will cover the "20 Critical Security Controls," how to automate them, and how to measure their effectiveness - including what tools are needed and what tests should be run. There are only about 40 seats. If you want one, register by the middle of next week. http://www.sans.org/dc0609/description.php

Also for federal agencies and their contractors: the US Department of Agriculture is leading the government in focusing on application security as a current threat - changing their contracting and establishing training programs for programmers (both employees and contractors) on secure coding in Java and in other languages. Their training programs are open to other agencies and contractors. Email me if you want info (apaller@sans.org).

BTW allowing programmers who have not proven they can write secure code to build your web and e-gov applications is *the single most critical* security problem you face, because it will embarrass your agency more than any other. Just as an example of what happens to agencies that allow untrained and untested programmers to write code e-gov code: http://www.theregister.co.uk/2009/05/05/virginia_medical_records_extortion/


Judge Dismisses Almost All Civil Claims Against Hannaford
Pentagon Official Charged with Espionage Conspiracy
BSA Says 41 Percent of Software on PCs Worldwide is Pirated


Former FBI Agent Gets Probation for Unauthorized Data Access
Guilty Plea in Scientology DDoS Case
DHS Information Sharing Platform Breached
DHS IG Report Says Data Centers Need Improvements
Microsoft Releases Fixes for PowerPoint Flaws in Windows
Adobe Issues Updates for Acrobat and Reader
Apple Issues Security, OS X Update
University of Toronto Programs Offer Cyber Intelligence Tools to Civil Liberties Groups



- - SANSFIRE in Baltimore 6/13-6/20 (24 long courses, 12 short courses) http://www.sans.org/sansfire09/event.php
- - Pen Testing and Web Application Attack Summit - June 1-2 http://www.sans.org/pentesting09_summit
- - Rocky Mountain SANS, July 7-13 (6 full-length hands-on courses) http://www.sans.org/rockymnt2009/event.php
- - SANS Boston, Aug 2-9 (6 full-length hands-on courses) https://www.sans.org/boston09/index.php
- - National Forensiscs Summit, July 6-14 http://www.sans.org/forensics09_summit/
Looking for training in your own community? http://sans.org/community/ Save 25% on all On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/spring09.php Plus Amsterdam, London, Dubai, Riyahd, Cairo, Melbourne, Canberra, and Singapore all in the next 90 days. For a list of all upcoming events, on-line and live: www.sans.org



Judge Dismisses Almost All Civil Claims Against Hannaford (May 13 & 14, 2009)

A US District Court Judge has thrown out all civil claims against Hannaford Bros. except one. Hannaford suffered a data breach in 2007 and 2008 that compromised the security of an estimated four million payment cards. The opinion from US District Court Judge D. Brock Hornby disallowed claims made by individuals who had not had fraudulent charges made to their accounts and claims made by individuals who had been reimbursed for fraudulent charges made to their accounts. The only claim he let stand was from a woman who had not been reimbursed for fraudulent charges made to her account.



[Editor's Note (Schultz): By all appearances, Judge Brock has severely impeded justice. His lack of knowledge about cybersecurity and cybersecurity legislation is the likely cause. ]

Pentagon Official Charged with Espionage Conspiracy (May 13 & 14, 2009)

A Pentagon official has been charged with espionage conspiracy for allegedly leaking confidential documents to a Chinese government operative. James Wilbur Fondren Jr. has been on administrative leave from his job as Deputy Director, Washington Liaison Office, US Pacific Command (PACOM) since February 2008. Fondren was allegedly able to access the sensitive information through his security clearance. If he is convicted of the charges against him, he could face five years in prison and a fine of US $250,000.

[Editor's Note (Northcutt): Limiting access rights based on roles is essential. ]

BSA Says 41 Percent of Software on PCs Worldwide is Pirated (May 12, 2009)

According to statistics from the Business Software Alliance (BSA), 41 percent of all software installed on PCs worldwide in 2008 was pirated. The resulting financial losses were estimated to be US $53 billion. The level of piracy around the world increased slightly from 38 percent in 2007 to the current figure for 2008 of 41 percent. BSA CEO and president Robert Holleyman said that while the percentage of pirated software is lower in the US than anywhere in the world, it is still a significant problem because more software is sold in the US than anywhere else, which means that "the US has the highest single dollar loss."

*************************** Sponsored Links: ****************************

1) InstantSecurityPolicy.com - Professional IT Security Policies, created and delivered online with innovative wizard, free samples available.

2) Read the Ethical Hacker Network review of the SANS SEC542 -Web App Pen Testing & Ethical Hacking course.

3) Zscaler EDUCATIONAL WEBCAST: Keynote by GARTNER'S Peter Firstbrook, "Newer Threats and Newer Defenses against Web 2.0"




Former FBI Agent Gets Probation for Unauthorized Data Access (May 14, 2009)

Former FBI agent Mark Rossini was sentenced to one year of probation for using agency computers to search for information about a Hollywood wiretapping case in which he was not involved. Rossini admitted that he gave the information to a woman he was dating who then gave it to an attorney for Anthony Pellicano, a private investigator who is presently serving a 15-year sentence for wiretapping celebrities' phones for clients. Rossini pleaded guilty to five counts of criminal computer access late last year. He also faces fines amounting to US $5,000.
[Editor's Note (Northcutt): The problem with a hand-slap type sentence at a time when the government is increasing access to private data about citizens, is that it sends the wrong signal. It needs to be clear that abusing lawful access is wrong. And the government needs to implement role-based access control. Far too often, if you have access, you have access to everything. ]

Guilty Plea in Scientology DDoS Case (May 12, 2009)

Dmitriy Guzner has pleaded guilty to charges that he used a botnet to launch a distributed denial-of-service (DDoS) attack against Church of Scientology websites in January 2008. He is scheduled to be sentenced in August; he will face up to a year-and-a-half in prison. Guzman is a member of a group that calls itself Anonymous and is involved in protests against the Church of Scientology. Apart from the DDoS attacks, Anonymous has allegedly made nuisance calls to the Church and staged peaceful protests outside Church facilities.

DHS Information Sharing Platform Breached (May 13, 2009)

A US Department of Homeland Security official has acknowledged a security breach of the platform the department uses to share sensitive, unclassified information with state and local authorities. Chief Information Officer for DHS Office of Operations Coordination and Planning Harry McDavid said that the US Computer Emergency Readiness Team detected two intrusions into the Homeland Security Information Network: one in March and one in April. The intruders managed to gain access to the system through an account belonging to a federal employee or contractor.
[Editor's Note (Pescatore): The new secretary of the Department of Energy, Steven Chu, was recently quoted as saying "well-meaning people" in the chief information officer's office and in the procurement and finance offices "whose job it is to protect the Department of Energy" actually hinder what the department can do." I hope he looks at this DHS incident to make sure that DoE increases, vs. decreases, building security into its systems and applications.
(Northcutt): ".. gained ACCESS through an account belonging to a federal employee." Maybe we could get a special holiday commissioned, "access control day." ]

DHS IG Report Says Data Centers Need Improvements (May 13, 2009)

A report from DHS Inspector General Richard Skinner said that two DHS data centers were established without adequate protection from physical threats. One of the centers was established on the Mississippi Gulf Coast without considering protection from hurricanes, vibrations from a rocket testing facility just a few miles away, and environmental contamination from its location at a former weapons plant. A site in Clarksville, Virginia was established in close proximity to two 25,000-gallon diesel fuel storage tanks. The data centers are supposed to safeguard information from other data centers and serve as disaster recovery backups for each other, but they lack the necessary interconnecting circuits and redundant hardware.


Microsoft Releases Fixes for PowerPoint Flaws in Windows (May 13, 2009)

Microsoft's decision to release a patch for just the Windows version of PowerPoint has met with criticism. On Tuesday, May 12, Microsoft issued a single security bulletin to address known vulnerabilities in PowerPoint. An Internet Storm Center (ISC) Handler diary entry questions Microsoft's commitment to responsible disclosure, which dictates that vulnerabilities not be publicly disclosed before patches are available to mitigate the possibility of exploits. Microsoft acknowledges in the bulletin that the flaws are easy to exploit, which leaves Macs running that software vulnerable to attack. Microsoft maintains that it has not seen exploits in the wild for the same flaws in the Mac version of PowerPoint.


Adobe Issues Updates for Acrobat and Reader (May 13, 2009)

Adobe has issued updates to address security flaws in its Acrobat and Reader products. One of the vulnerabilities is a critical buffer overflow flaw in a JavaScript function that could be exploited to crash or take control of vulnerable systems. For the attack to work, users need to be tricked into opening maliciously crafted PDF documents. Users are urged to upgrade to versions 9.1.1, 8.1.5, or 7.1.2 of Reader and Acrobat to protect their systems from such attacks. The update for UNIX versions of the products addresses another JavaScript vulnerability that could be exploited to cause denial-of-service conditions or execute arbitrary code. UNIX users are urged to upgrade to version 9.1.1.

[Editor's Note (Pesactore): Another busy patch week with Adobe, Apple and Microsoft issuing some biggies. The Adobe one appears to have some widespread exploit code planted on vulnerable websites - should be a priority patch for PCs. ]

Apple Issues Security, OS X Update (May 12 & 13, 2009)

Apple has issued Security Update 2009-002/Mac OS X v10.5.7 to address numerous security flaws and add hardware support. Among the flaws addressed are cross-site scripting vulnerabilities in Apache and buffer overflow flaws in Safari. Twenty-six of the 67 flaws could be exploited to inject and execute arbitrary code. Two of the vulnerabilities fixed in the update were discovered during a contest in March.



University of Toronto Programs Offer Cyber Intelligence Tools to Civil Liberties Groups (May 12, 2009)

The Information Warfare Monitor and Citizen Lab programs were established at the University of Toronto with the goal of providing civil liberties organizations and other similar groups with tools to conduct effective Internet intelligence research in their areas of interest; such tools are normally available only to law enforcement authorities and computer security investigators. The programs have already shown themselves to be effective. Last year, a researcher working for both groups discovered that a Chinese wireless carrier was using a version of Skype to eavesdrop, and this year, the same researcher uncovered a Chinese spy system that has been dubbed Ghostnet.

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.

Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.

Alan Paller is director of research at the SANS Institute

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/