SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XI - Issue #49
June 23, 2009
Interesting new initiative: Some of the most sensitive government organizations have been working with SANS all spring to create a program in which their system administrators become "human sensor networks" trained to notice anomalies and to know what to do when they find them. This initiative is aimed at finding the persistent presence, where attackers have placed malicious code in our systems and networks. The program is an initial short course plus quarterly on-line mini-courses to keep skills current as the threat changes. If you have at least 100 system administrators and want to help us get the program right, email email@example.com.
TOP OF THE NEWSNevada Law Requires PCI DSS Compliance
Proposed Law Would Give Canadian Law Enforcement and National Security Agencies Easy Access to ISP Subscriber Information
Criminalization of Hacking Software in Germany Withstands Test of Constitutionality
Heartland CEO Moving Forward With an Eye to Improving Industry Security
THE REST OF THE WEEK'S NEWSDATA PROTECTION & PRIVACY
Bozeman Backs Down on Demand for Job Applicants' Social Networking Site Logins
ATTACKS & ACTIVE EXPLOITS
Spam Spreading ZBot Masquerades as Outlook Update
RSPlug Trojan Variant Targets Macs
STUDIES AND STATISTICS
Just Half of Small Businesses Backup Daily
ICANN Committee Calls for End to DNS Redirections
US Formally Opposes China's Demand For Pre-Installed Filtering Software on PCs
STANDARDS & BEST PRACTICES
Fifty-Seven Percent of Irish Companies Have No eMail and Internet Use Policies
Things to Consider Before you Deploy Full Disk Encryption
STATISTICS, STUDIES & SURVEYS
Data Security Budget Allocations Out of Kilter
Personal Emergency Information Exposed on Utilities Site
US Gov. Could Use Airline Passenger Info. to Mine for More Data
The Art of Software Security: Interview
*********************** Sponsored By Symantec ***************************
Ponemon Report: Data Loss During Downsizing
According to a research study conducted by the Ponemon Institute, more than half of ex-employees admit to stealing company data. Download this report to view survey results and to see how you can protect your organization from being so vulnerable. Download report at http://www4.symantec.com/offer?a_id=81642
- - Rocky Mountain SANS, July 7-13 (6 full-length hands-on courses) http://www.sans.org/rockymnt2009/event.php
- - SANS Boston, Aug 2-9 (6 full-length hands-on courses) https://www.sans.org/boston09/index.php
- - The Forensics Summit starts in three weeks on July 9, and has four courses http://www.sans.org/forensics09_summit/event.php:
- - The Virtualization and Cloud Security Summit on August 17-18 in Washington; courses in the following days http://www.sans.org/info/43118
Looking for training in your own community?
Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/spring09.php
Plus Amsterdam, London, Dubai, Riyahd, Cairo, Melbourne, Canberra, and Singapore all in the next 90 days. For a list of all upcoming events, on-line and live: www.sans.org
TOP OF THE NEWS
Nevada Law Requires PCI DSS Compliance (June 20, 2009)As of January 1, 2010, companies doing business in the state of Nevada that accept payment cards must be compliant with the Payment Card Industry Data Security Standard (PCI DSS). Nevada is the first state to require compliance. The law also requires that companies retaining personal data, including Social Security numbers (SSNs), driver's license numbers or account numbers together with passwords must use encryption if they send the information outside of the company.
[Editor's Note (Schultz): I expect what Nevada has done to become a trend. The PCI-DSS standard represents a very reasonable balance between good security and reasonable, achievable security. See blog.emagined.com for a series of blog postings that I have recently (e.g., within the last week and a half) written regarding this topic. (Pescatore): Since any merchant accepting credit card payments already has to demonstrate PCI DSS compliance, this amendment mainly serves as a "safe harbor" provision, exempting the merchant from damages if they could show PCI compliance. That is not a good thing. ]
Proposed Law Would Give Canadian Law Enforcement and National Security Agencies Easy Access to ISP Subscriber Information (June 18, 2009)Proposed legislation in Canada would allow police and national security agents "timely access" to information including names, street addresses and IP addresses of Canadian Internet service provider (ISP) subscribers. The law would require ISPs to install "intercept-capable" equipment on their networks. The information could be accessed without a warrant, although warrants would still be required if the agents wanted to intercept communication. ISPs would be expected to bear the costs of the new equipment. Systems would need to be compliant within 18 months after the law passes; smaller ISPs would have three years to comply.
Criminalization of Hacking Software in Germany Withstands Test of Constitutionality (June 20, 2009)The German Federal Constitutional Court has ruled as inadmissible an appeal that challenged the constitutionality of legislation criminalizing the use of hacking software. The plaintiffs, an IT company, an academic and a computer user, maintained that two clauses in the German Criminal Code would criminalize their actions because they use hacking programs in their work. The court said that the law applies only to tools that have been developed with criminal intent; those that serve a legal purpose, or that can be used for both benign and malicious intentions, are not covered by the law. In addition, people using those programs for legal purposes would not be subject to prosecution.
[Editor's Note (Ullrich): This ruling solidifies the current interpretation of this law that the intent matters, not the software. So far, nobody has been charged under these new laws. ]
Heartland CEO Moving Forward With an Eye to Improving Industry Security (June 17 & 22, 2009)Analysts have been favorably impressed by Heartland Payment Systems Inc. CEO Robert Carr's response to the company's massive security breach disclosed earlier this year. Instead of hiding, as many CEOs in similar positions have done, Carr has maintained his visibility and is taking steps to improve the overall climate of data protection in his industry. Carr says that the PCI DSS does not go far enough. At Heartland, Carr is implementing end-to-end encryption, an initiative that is expected to be complete by the end of the third quarter. The company is also "pushing for development of an industry-wide standard for encrypting data while being transmitted over networks," and is co-founder of the Payments Processing Information Sharing Council that will allow payment processors to share information about threats and vulnerabilities. Carr's head-on approach to necessary changes in the wake of the breach has been compared to that of Israeli airline El Al; in the 1970s, the airline experienced several hijackings that prompted it to "redesign its security from the ground up and (go) on to build a reputation, one that it holds to this day, as the world's most secure airline."
[Editor's Note (Schultz): It is difficult for a dedicated information security professional to not admire Robert Carr. His turnaround with respect to recognizing the value of information security will not only elevate Heartland Payment Systems much closer to best practices status, but will also serve as a positive role model for other CEO's who still do not recognize the value of information security. (Honan): We have to accept that at some stage our organizations will suffer a breach. How we react and respond to the breach will make the difference as to whether stakeholders, be they customers or shareholders, will continue to view the organization. This case shows that clear, open and timely communication from senior management is valuable for rebuilding trust. ]
************************** Sponsored Links: ***************************
1) Review: SANS SEC 617 - Surely You're Joking, Mr. Wright!
2) Be sure to register for the HP Tackles Cloud Application Security Webcast, Thursday, July 23rd
3) SANS Recommended Webcast Replay Featuring: AlertLogic - Is Log Management the Killer App for Cloud Computing?
THE REST OF THE WEEK'S NEWS
DATA PROTECTION & PRIVACY
Bozeman Backs Down on Demand for Job Applicants' Social Networking Site Logins (June 18 & 19, 2009)Facing criticism from citizens and unwanted media coverage, the city of Bozeman, Montana has called off its practice of asking job applicants to provide usernames and login information for any social networking sites they use regularly. Although it is becoming the norm for employers to conduct extensive online searches about job applicants to unearth potential areas of concern, Bozeman's practice was a potential violation of employment law.
[Editor's Note (Northcutt): People with extremist views will probably be hampered by their social media participation (except when applying for jobs with organizations that espouse extremist views). However, in the future, you can see people with lots of followers having social media as an advantage in the same way sales persons with large contact lists have and had an advantage in the past. We live in interesting times! ]
Spam Spreading ZBot Masquerades as Outlook Update (June 22, 2009)Spam masquerading as a Microsoft Outlook security and stability update actually infects computers with ZBot, a Trojan horse program that steals sensitive information. The malware contains a list of financial institution and social networking sites; if users visit any of these sites on infected machines, the malware steals login and credit card information and sends it back to a server controlled by the attacker. Earlier variants of ZBot infected computers through drive-by downloads.
[Editor's Note (Cole): One of the best ways to thwart email based attacks is to turn off HTML-embedded content in email clients. It is the main avenue attackers use. ]
RSPlug Trojan Variant Targets Macs (June 22, 2009)A Trojan horse program that infects Mac users has been detected on legitimate game download sites. Previous incarnations of the malware had been found only on sites offering pirated software or pornography. Users become infected when they click on a link that looks like it will take them to the game download, but that actually downloads the Trojan. Once it has infected a computer, the malware can change the machine's DNS settings, meaning that the attackers can then redirect the computer's users to any site they choose.
[Editor's Note (Pescatore): Apple has been slow in patching Mac vulnerabilities. Universities, with have a higher percentage of Mac desktops than businesses, have seen no shortage of malware aimed at Macs - - that's why most of them make Network Access Control policies apply to Macs as well as Windows PCs. ]
Just Half of Small Businesses Backup Daily (June 21, 2009)According to a survey of 945 IT managers at companies in Hong Kong, Singapore and Australia, 36 percent of respondents said they believed data loss had a significant effect on their business, but just seven percent of the respondents rated the impact of data loss as "high." Nearly half of the managers said their organizations had experienced data loss within the last two years. Among respondents at small businesses, those with 50 or fewer employees, 49 percent said they do not back up their data daily, and just 45 percent of those same respondents said their companies had formal data retention policies.
[Editor's Note (Ranum): Anyone who has suffered a critical systems failure usually understands that backups are the one place not to save money. ]
ICANN Committee Calls for End to DNS Redirections (June 10 & 22, 2009)A report from the Security and Stability Advisory Committee (SSAC) of the Internet Corporation for Assigned Names and Numbers (ICANN) says that DNS redirections present risk of "erosion of trust relationships (and) the creation of new opportunities for malicious attack." Top level domains (TLDs) are increasingly adopting the practice of redirecting queries for inactive domains to their own pages; some Internet providers have also been redirecting such queries to their own portals. The SSAC report recommends that ICANN "prohibit (the) use of redirection and synthesized responses by new TLDs."
[Editor's Note (Pescatore): There are some positive uses of top level DNS redirect, where the revenue from redirecting unresolvable queries to advertising pages subsidizes free security features. However, there are also many negative aspects that weaken security overall, like email related issues. While I'd really like to see DNS services be as tightly controlled as wired telephone number lookup services, I think the world has changed. We are probably better off seeing ICANN recommend some strict guidelines around TLD DNS redirection rather trying to outright ban the practice. ]
US Formally Opposes China's Demand For Pre-Installed Filtering Software on PCs (June 22 & 29, 2009)The US government has officially opposed China's mandate that filtering software be installed on all PCs sold in or shipped to that country. While China maintains that the filtering software is aimed at preventing children from viewing pornography, others see it as a means to allow government censorship of the Internet. The software, known as Green Dam Youth Escort, has also met with criticism for being unsophisticated and for possibly containing stolen code. Some US companies have been chastised for providing Chinese authorities with information about users of their services and they are pleased with the government's stance which they say takes aim at censorship in China.
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.
Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/