SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XI - Issue #50
June 26, 2009
The role of the CISO is changing. On Monday at Gartner's Information Security Summit, one of the main-tent sessions will address just how it is changing. I am looking for real-world examples to help make the session even better -- please share - anonymity is promised. Email firstname.lastname@example.org by Saturday at 5 PM EDT.
TOP OF THE NEWS
Gates Orders Creation of Unified Military Cyber Command
UK Releases National Security Strategy
Microsoft Limits Security Essentials Beta Downloads to 75,000
THE REST OF THE WEEK'S NEWS
ARRESTS, INDICTMENTS & SENTENCES
Man Arrested for Stealing and Selling Client Data
Five Guilty Pleas in Stock Manipulation Spam Case
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
Hard Drive Purchased in Ghana Contains US Military Contractor Data
Conference on Cyberwarfare Attendees Discuss Pros and Cons of Proactive Attacks
DATA PROTECTION & PRIVACY
Payment Card Industry Security Standards Council Seeks Input
Customers Worry About Defunct Registered Traveler Program Data Security
UPDATES AND PATCHES
Adobe Issues Shockwave Update to Fix Vulnerability
DATA LOSS & EXPOSURE
Stolen Laptop Holds Cornell University Staff and Student Data
ATTACKS & ACTIVE EXPLOITS
Green Dam Exploit Posted to Internet
TJX Agrees to $9.75 Million Settlement
********************** Sponsored By HP (SPI Dynamics) *******************
Tool Talk Webcast: HP Tackles Cloud Application Security
In this webcast, participants will learn about:
* The three most common delivery platforms for Cloud computing, IaaS, PaaS and SaaS.
* How to manage application keys and handle sensitive information for each platform.
* How the delivery platforms impact the software development lifecycle
* How we expect hackers to approach cloud applications
* How HP can help you secure cloud applications
- - Rocky Mountain SANS, July 7-13 (6 full-length hands-on courses)
- - SANS Boston, Aug 2-9 (6 full-length hands-on courses)
- - The Forensics Summit starts in three weeks on July 9, and has four courses.
- - The Virtualization and Cloud Security Summit on August 17-18 in Washington; courses in the following days:
Looking for training in your own community?
Save on On-Demand training (30 full courses)
- See samples at http://www.sans.org/ondemand/spring09.php
Plus Amsterdam, London, Dubai, Riyadh, Cairo, Melbourne, Canberra, and Singapore all in the next 90 days.
For a list of all upcoming events, on-line and live:
TOP OF THE NEWS
Gates Orders Creation of Unified Military Cyber Command (June 23 & 24, 2009)
US Defense Secretary Robert Gates has given the official go-ahead to the creation of a unified military cyber command dedicated to managing Pentagon cyber warfare and network defense efforts. Gates recommends that the new organization, called US Cyber Command, be headed by the director of the National Security Agency (NSA); there will also be a deputy director. A memo from Gates directs the US Strategic Command to have an implementation plan complete by September 1, 2009, be prepared to start initial operations in October, and be fully operational by October 2010.
UK Releases National Security Strategy (June 25, 2009)
According to the recently released National Security Strategy, the UK government plans to establish a new cyber security agency called the Office of Cyber Security (OCS) that will manage the government's cyber security program and act as a hub for information sharing between the public and private sectors. Another office, called the Cyber Security Operations Centre, will conduct cyber security operations, both defensive and offensive.
Microsoft Limits Security Essentials Beta Downloads to 75,000 (June 23 & 24, 2009)
Microsoft has halted downloads of its free Microsoft Security Essentials beta software. The software was first made available on Tuesday, June 23. The company reached its cap of 75,000 downloads in less than 24 hours. The final version of Microsoft Security Essentials is expected to be available by the end of the year. Initial testing of the beta version has had favorable results.
THE REST OF THE WEEK'S NEWS
Man Arrested for Stealing and Selling Client Data (June 25 & 26, 2009)
Police in Tokyo have arrested Hideaki Kubo, a former Mitsubishi UFJ Securities Co. manager who is suspected of stealing customer data. The suspect is believed to have accessed the data without authorization and to have copied information pertaining to approximately 1.5 million customers. Kubo allegedly sold some of the data to mailing list companies for 320,000 yen (US $3,335). The company has received complaints from more than 15,000 customers. In a related matter, Japan's Financial Services Agency has issued a business improvement order against the company, alleging problematic information management.
[Editor's Note (Weatherford): It's a simple concept. The US Government calls it Need To Know (NTK) and they manage access to information based upon the concept. Until it becomes a universal maxim (see Security Maxims below), these types of unauthorized access incidents will continue. ]
Five Guilty Pleas in Stock Manipulation Spam Case (June 25, 2009)
Five people have pleaded guilty to charges related to a spam scheme that artificially inflated the price of Chinese penny stocks. The email messages contained false or misleading information that prompted some recipients to purchase the stocks, thus driving up their price; the defendants then sold shares of the stock at a profit. The spam was sent using a variety of techniques aimed at evading spam filters. Alan M. Ralsky and Scott K. Bradley pleaded guilty to charges of conspiracy to commit wire fraud, mail fraud, and violation of the CAN-SPAM Act. John S. Bown, William C. Neil and James E. Fite all pleaded guilty to similar charges. All five will be sentenced in October, when they will face sentences of between two years and 87 months. Others were involved in the scheme as well; some have already entered their pleas, while others' cases are still pending.
Hard Drive Purchased in Ghana Contains US Military Contractor Data (June 24 & 25, 2009)
Canadian journalism students bought a hard drive for US $40 at a market in Ghana, only to discover that it contained unencrypted information about contracts between military contractor Northrop Grumman and the Pentagon. The students were researching electronic waste. Northrop Grumman said it believes "this hard drive was stolen after one of our asset-disposal vendors took possession of the unit." It is not unusual for outdated computers and other electronic equipment to be shipped to developing countries.
Conference on Cyberwarfare Attendees Discuss Pros and Cons of Proactive Attacks (June 21, 2009)
People attending the Conference on Cyber Warfare in Tallinn, Estonia discussed the merits and drawbacks of conducting proactive cyber attacks. Two PhD students at the University of Bonn (Germany) have collected enough information about a quartet of established botnets that they say they could "successfully attack and dismantle the malicious networks." Two unnamed US government officials said that it is time to start creating policy that would allow for offensive cyber attacks. A scientist with the Defence Research and Development Organization at India's Ministry of Defence opined that multilateral development of cyber defense capabilities could create a situation similar to nuclear detente. But it is seldom possible to say with certainty who is behind a cyber attack. Booz Allen Hamilton consultant Ned Moran observed that "No single analogy tells the whole story."
Payment Card Industry Security Standards Council Seeks Input (June 24 & 25, 2009)
The Payment Card Industry Security Standards Council (PCI SSC) is seeking "detailed and actionable feedback" from member organizations on version 1.2 of the PCI DSS and Payment Application DSS. An online tool should be available soon to simplify the feedback process; the organization also plans to hold two community meetings - in Las Vegas and Prague - for stakeholders to offer suggestions for revision. Online feedback will be accepted between July 1 and November 1, 2009. The PCI DSS is facing increasing scrutiny over issues of cost and questionable effectiveness.
[Editor's Note (Pescatore): The PCI Security Standards Council is having an external audit firm look at potential new technologies to be mandated in the PCI DSS requirements but doesn't appear to be looking at the overall PCI audit process, a review that is badly needed. To its credit, the Council is holding some town meetings to get input along with this feedback. The National Retail Foundation has already provided recommendations, including a very important one: make it easier for merchants to never have to store the card data in the first place. Reducing vulnerability should be the goal, not mandating more ways to protect data that might not need to be stored in the first place.
(Schultz): A great percentage of those who whine about having to conform to the PCI-DSS standard is comprised of individuals from organizations that fail to appreciate the value of information security in the first place. One of the greatest benefits of the PCI-DSS standard is that it forces such organizations to improve their level of security to the point that they will be substantially less likely to suffer data security breaches involving credit card information. Without having to conform to PCI-DSS, data security breaches in these organizations would for all practical purposes be inevitable. ]
Customers Worry About Defunct Registered Traveler Program Data Security (June 23, 2009)
Customers of the suddenly defunct Verified Identity Pass (VIP) registered air travel service Clear have expressed concern about the security of the data they provided to the company. Membership in the Clear service allowed customers to navigate security at US airports more quickly than most other travelers. The company blamed its hasty decision to cease operation on its inability to "negotiate a settlement" with its main creditor. VIP issued a statement assuring customers that their data are being protected as required by Transportation Security Administration (TSA) standards and that it would "take appropriate steps" to destroy the collected data, but did not provide any specific information about the method it would use. Customers had provided the company with a virtual treasure trove of personal data, including Social Security numbers (SSNs), credit card numbers, driver's license numbers, iris scans and fingerprints. In a move already proving unpopular, the company said that because of its current financial situation, customers who have signed up for the US $199 a year service would not receive refunds. The company has more than 260,000 customers.
[Editor's Note (Pescatore): I think the failure of the service was more a business plan problem: not enough value at too high a price. But, the "your personal data is safe but we can't tell you how" attitude is a good reason on its own to run screaming from the service.
(Honan): If your organization has outsourced data handling to a third party, now is the time to discuss with them how they protect that data and how they intend to handle YOUR data in the event they have to cease business.
(Weatherford): Now some people might be inclined to think that because of the visibility associated with the program, the Clear program would surely take appropriate measures to ensure that all of their former customer information is properly protected until completely destroyed. However, like the statement that "we're reasonably sure no information was exposed" following a data breach, the comment from Clear that they will "take appropriate steps" to delete the information collected for the Clear service leaves me a little uneasy, especially since there doesn't appear to be a lot of communication from the company to their former customers. The asset fire sales during the dot com bust come to mind. ]
Adobe Issues Shockwave Update to Fix Vulnerability (June 23, 24 & 25, 2009)
Adobe has released an update for a critical flaw in its Shockwave Player. Version 11.5.0.600 of the media player addresses a flaw that could be exploited to take control of vulnerable systems. For the attack to succeed, users would need to be manipulated into opening a maliciously crafted Shockwave file. The flaw affects Shockwave versions 11.5.0.596 and earlier. Users will need to uninstall the older version of the program and restart their systems before installing the updated version. Adobe is not aware of any active exploits for the vulnerability.
Stolen Laptop Holds Cornell University Staff and Student Data (June 24, 2009)
Cornell University in Ithaca, NY has notified approximately 45,000 current and former staff members, students and their dependents that a stolen laptop computer contains their unencrypted, personally identifiable information. The compromised data include names and SSNs. The theft occurred earlier this month; affected individuals were notified by email earlier this week. The data in the computer were "being used for troubleshooting." The theft is being investigated by New York State Police.
[Editor's Note (Pescatore): Another example of sensitive data that never needed to be stored in the first place. There is no shortage of data-masking applications to turn live data into safe test data. Not to mention that an employee laptop without stored data encryption is like a manhole without a cover. ]
Green Dam Exploit Posted to Internet (June 25, 2009)
An exploit for a buffer overflow in the controversial Green Dam Youth Escort filtering software has been released in the wild. The exploit affects Green Dam 3.17. The Chinese government has mandated that all PCs sold in or shipped to that country come with Green Dam pre-installed. The software has generated criticism among technology and security experts because it could be used by the government to restrict access to information and could be exploited by attackers for malicious purposes.
TJX Agrees to $9.75 Million Settlement (June 23, 2009)
TJX, parent company of TJ Maxx and Marshalls, has agreed to a US $9.75 million settlement related to the company's massive data security breach that was disclosed in 2007. US $2.5 million is designated for a data security fund that states impacted by the breach will use for security initiatives. Of the remaining US $7.25 million, US $5.5 million will cover settlement fees and US $1.75 million will be used to pay for expenses incurred by the states in their investigations. The agreement also calls for TJX to implement a comprehensive data security program.
Security Maxims
Smile ruefully in recognition at this list of security maxims, including "The Ignorance is Bliss Maxim: The confidence that people have in security is inversely proportional to how much they know about it." They may not be true, but they are funny.
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.
Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/