
Volume XI - Issue #42

May 29, 2009

NEWSBITES FLASH 11:15 AM Today. Washington, DC, the White House. The East Room is awash in sunlight, amplified by the klieg lights of TV cameras. More than 100 people who have played a role in the 60 day review are joined by 50 reporters and camera people, all awaiting the arrival of President Obama to deliver the results of the Cyberspace Policy Review. The mood is appropriately subdued, but the energy is very high. The President arrives. "A transformational moment," he says. "Cyberspace is real and so are the risks." "I know about the problem personally," he continues. "During the general election, hackers managed to penetrate our campaign computer networks. They got access to [my] emails and policy papers and travel plans."

The President then laid out the scope of the problem ("one of the most serious challenges we face as a nation and we are not as prepared as we need to be") and then introduced his new "Cyberspace Policy Review," which presents 24 key actions. Most of the actions are policy and strategy based and won't, in themselves, have a huge impact, but two of them will make all the difference. (1) Naming a single official in the White House, called the Cyber Security Coordinator, with "regular access to me" to oversee cyber security across the government (this corrects the biggest error made in the previous Administration). (2) Using government procurement to improve market incentives for secure and resilient hardware (the $70 billion in annual federal IT spending is the single most powerful weapon the nation has to improve security).

You'll read hundreds of articles on the 60 day review - but we wanted Newsbites readers to get a first look. The bottom line is that this was a huge success for people who care about improving cyber security in the US.

PS The New York Times published a really good, related story earlier this morning outing the new DoD Cyber Command. http://www.nytimes.com/2009/05/29/us/politics/29cyber.html?hp


Bank Sues Company That Certified CardSystems Solutions Before Breach
Cyber Security Status Report Due Out Friday; President May Announce Cyber Czar Position
European Commission Suing Sweden for Failing to Implement Data Retention Law


Phisher Sentenced to Eight-and-a-Half Years in Prison
Foreign Hacker Group Targeted Army Servers
Eighteen Percent of Computers at Interior Missing or Lost
Information Commissioner Sends Harsh Letter to National Health Service Over Data Breaches
RIM Issues Advisory on PDF Vulnerability
Missing Laptop Holds Pension Data
Aetna Notifies 65,000 Current and Former Employees of Data Breach
Microsoft Offers Workarounds for Zero-Day DirectX Flaw
Report: 90 Percent of eMail is Spam
Authorities Searching For Man Who Tried to Steal US $9 Million From Former Employer






Bank Sues Company That Certified CardSystems Solutions Before Breach (May 26 & 27, 2009)

Merrick Bank has filed a lawsuit against Savvis, alleging negligence because the company certified CardSystems Solutions as compliant with Visa and MasterCard security requirements less than a year before the payment processor suffered a massive data security breach. Merrick claims that fraudulent transactions resulting from the breach cost it US $16 million in payments to the credit card companies for using a non-compliant processor, payments to banks affected by the breach and legal fees. Attackers were able to steal information on 40 million credit card accounts because CardSystems stored unencrypted card data on its servers.
[Editor's Note (Pescatore): Making this charge stick will require proving that the non-compliant condition existed at the time of the audit and should have been discovered with reasonable diligence. But it will be good to see some external attention focused on the PCI audit process.
(Schultz): The issue concerning whether an organization is (but probably more importantly, *was* at the time of a data security breach) PCI-DSS compliant is becoming increasingly complex. If a bank, merchant, or other organization has passed a PCI-DSS audit, but then a security breach involving credit card information occurs sometime later, the PCI Consortium has increasingly suddenly declared the organization to be non-compliant. As good as they are, PCI-DSS standards do not require anything near perfect data security, and no audit is 100 percent comprehensive. Residual risk will always be present as long as systems are connected to any network. If PCI-DSS auditors are going to become legally liable for future data security breaches, the cost to perform these audits will, unfortunately, most likely skyrocket out of control.
(Hoelzer): While the legal system is an important tool when it comes to forcing organizations to be responsible, this may mark a dangerous time for PCI. PCI/DSS isn't perfect but it's a pretty good start. If lawsuits continue to pile on, however, we could see energy start to build for the elimination of standards of this kind since they may appear to be leading toward greater liability rather than reduced liability. ]

Cyber Security Status Report Due Out Friday; President May Announce Cyber Czar Position (May 26, 2009)

The report on the 60-day review of the state of US government cyber security is scheduled to be released on Friday, May 29; President Obama will discuss the report at a press conference shortly before 11:00 am Eastern Time. According to an unnamed senior White House official, the announcement of a White House-level position in charge of national cyber security is imminent. While the precise rank and title for the job had not been decided, the new adviser will likely be a member of the National Security Council and will report to the National Security Advisor and the senior White House economic advisor.

[Editor's Note (Skoudis): Unfortunately, private industry has not been able to improve our security stance as rapidly as attackers have ramped up their own capabilities, leaving us less secure, relatively speaking, over time. That's one of the major reasons the US Government is significantly and rapidly increasing its involvement in the information security space. ]

European Commission Suing Sweden for Failing to Implement Data Retention Law (May 26 & 27, 2009)

The European Commission is suing Sweden for failing to implement data retention legislation. The European Union's (EU's) Data Retention Directive passed in March 2006; it requires member states to implement data retention laws by March 2009. The Swedish government plans to introduce the legislation in the next few months. Sweden has had to comply with the Intellectual Property Rights Enforcement Directive (IPRED), which requires telecommunications providers to surrender data in certain legal cases, since April of this year. Some Internet service providers (ISPs) have made an end-run around the requirement by deleting user data regularly; data retention legislation would make it illegal to delete the data too soon. There are some who say that the provisions of the legislation would be at odds with the European Convention on Human Rights.





Phisher Sentenced to Eight-and-a-Half Years in Prison (May 27, 2009)

US District Court Judge John Tunheim has sentenced Sergiu D. Popa to eight-and-a-half years in prison for a phishing scheme in which he stole sensitive personal and financial information from thousands of people. Popa was originally from Romania but lived in Michigan when he committed the crime. Popa admitted that he used the stolen information to conduct approximately US $700,000 worth of fraudulent transactions between June 2000 and February 2007.

[Editor's Note (Schmidt): As more of these criminals are caught and get serious jail time, I hope many more will get the message that "if you can't do the time, don't do the crime".]


Foreign Hacker Group Targeted Army Servers (May 28, 2009)

A hacking group based in Turkey has allegedly gained access to at least two sensitive US Army servers. The US Department of Defense (DoD), the Army's Judge Advocate General's office and the US Computer Emergency Response Team are investigating the breaches. The first of the two breaches occurred on September 19, 2007 at the US Army Corps of Engineers' Transatlantic Center; the second occurred on January 26, 2009 at the Army's McAlester Ammunition Plant. Both attacks redirected users; the first to a site containing anti-American rhetoric and the second to a page about climate change. It is unclear if the group also accessed sensitive information as a result of the attacks. The attackers appear to have exploited an SQL injection vulnerability.

[Editor's Note (Pescatore): While headlines like to hype up the "who did it" part, every one of these ends up with the same "how they did it" - they exploited well known, easy to close vulnerabilities. While this will surely end up in statistics showing the volume of "foreign attacks" it should really show up in statistics of lack of operations due diligence.
(Northcutt): Mosted appears to be quite the active social cause hacking group, not sure I would want to end up inside a Turkish prison though: ]

Eighteen Percent of Computers at Interior Missing or Lost (May 28, 2009)

According to a report from the US Department of the Interior's inspector general (IG), the Department cannot account for the whereabouts of 18 percent of its computers. The vast majority of the missing computers, 450 out of a sample of 2,500, belonged to the Fish and Wildlife Service. Just two of the department's eight bureaus have kept good records of their computer inventories, according to the report, and disposal procedures for machines vary from bureau to bureau. In addition, the majority of the department's PCs are not encrypted.

[Editor's Note (Skoudis): If you don't know where a computing asset is or whose control it is under, you cannot secure it. Building and maintaining an asset inventory is difficult work, to be sure, but it is vital. An effective inventory maps each system to an employee, a manager, and an asset owner. Let's learn a lesson from this story, and double check our own asset inventories to make sure they are being maintained.
(Northcutt): It's 8 P.M. Do you know where your computers are? Critical security control 1, quick win 1: "QW: Deploy an automated asset inventory discovery tool and use it to build a preliminary asset inventory of systems connected to the enterprise network. Both active tools that scan through network address ranges, and passive tools that identify hosts based on analyzing their traffic should be employed." ]


Information Commissioner Sends Harsh Letter to National Health Service Over Data Breaches (May 25, 26, 27 & 28, 2009)

The UK Information Commissioner's Office (ICO) has sent a letter to the National Health Service (NHS) directing the organization to tighten patient information security controls in the wake of numerous data security breaches. In the last four months alone, 140 data security breaches were reported at the NHS. The ICO plans to monitor the NHS's security practices with checks at various hospitals. There have also been reports circulating that the NHS will allow patients to request that their medical records be deleted from the Summary Care Records (SCR) system, a national medical database. The rumors appear to be accurate, with the exception of records that have already been accessed for patient treatment; for legal reasons, those records will be archived rather than deleted.



RIM Issues Advisory on PDF Vulnerability (May 28, 2009)

Research in Motion (RIM) has issued an advisory warning users that a vulnerability in the way BlackBerry servers handle malformed PDF files could be exploited to launch a code injection attack. For the attack to work, users would need to be tricked into opening an email message with a maliciously crafted PDF attachment. The flaw affects BlackBerry Enterprise Server software version 4.1 Service Pack 3 (4.1.3) through 5.0 and BlackBerry Professional Software 4.1 Service Pack 4 (4.1.4). While the company has issued an interim update for the vulnerability, RIM is encouraging customers to disable PDF processing on BlackBerry servers until a more thorough fix is available.

[Editor's Note (Schultz): Once again, RIM deserves considerable credit for its candidness to users concerning vulnerabilities and solutions in its products.
(Skoudis): RIM's BES servers have had several vulnerabilities associated with PDF parsing in the last year, with major vulnerability fixes released in July 2008, January 2009, and now. Perhaps RIM should really re-do the code architecture and implementation associated with PDF parsing in BES servers. ]


Missing Laptop Holds Pension Data (May 28, 2009)

A laptop computer stolen from an office of NorthgateArinso, the company that provides the Pension Trust's computerized administration system, contains personally identifiable information of 109,000 Pension Trust members. The compromised data include names, salary information and bank account details; the data are not encrypted.

Aetna Notifies 65,000 Current and Former Employees of Data Breach (May 28, 2009)

Aetna has notified 65,000 current and former employees that their Social Security numbers (SSNs) and email addresses were compromised in a security breach. The job application website also contained email addresses of as many as 450,000 job applicants. Aetna became aware of the breach after people started complaining about phishing emails that appeared to come from the insurance company. The messages claimed they were related to job inquiries and asked the recipients for additional personal information. A computer forensics company is investigating how the breach was accomplished.


Microsoft Offers Workarounds for Zero-Day DirectX Flaw (May 28, 2009)

Microsoft is investigating reports of a remote code execution vulnerability in the DirectX Windows component that is being actively exploited in limited attacks. The attacks use maliciously altered QuickTime files and can be used to gain control of vulnerable computers. Microsoft has not yet released a patch for the vulnerability, but the company has suggested several workarounds to help users protect their computers.


[Editor's Note to self (Northcutt): Open Quicktime files only on your Vista boxes for the next few weeks, not your XPs!]


Report: 90 Percent of eMail is Spam (May 26 & 27, 2009)

According to a report from Symantec, nine out of every 10 emails sent over the Internet last month were spam messages. The findings mark a 5.1 percent increase over the previous month's figures. Most of the spam comes from social networking site profiles that were likely created with automated CAPTCHA (completely automated public Turing test to tell computers and humans apart) readers. Because the headers were not spoofed, filters were unable to detect the messages as spam. The report also indicates that spammers are most active during US business hours, suggesting either that most are based in the US or that spammers have found those hours to be most fruitful.



Authorities Searching For Man Who Tried to Steal US $9 Million From Former Employer (May 26, 2009)

State and federal officials are searching for a former California water utility employee who resigned late last month and, hours later, gained physical access to the facility to transfer more than US $9 million from his former employer's bank account to accounts in Qatar. Abdirahman Ismail Abdi is believed to have fled to Canada after putting his wife and children on a plane to Frankfurt, Germany. Two of the wire transfers were blocked; funds from the third transfer are believed to be frozen. The incident illustrates the importance of revoking physical and system access promptly when an employee departs.


In Tuesday's NewsBites (Volume 11, Number 41), we ran a story about a college student whose seized property was returned after a judge granted his request to quash a search warrant. The school was misidentified; the student attends Boston College, not Boston University. We apologize for any confusion this may have caused.

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.

Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/