Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XI - Issue #57

July 21, 2009


Two Cool Things:
(1) If you are a security manager and you would like to know how to get people to implement security programs when you have no authority to demand action, see the last story in this issue.

(2) Probably the coolest new class in security is going on-line. Called "The Human Sensor Network" training, the class was developed jointly with the Department of Energy nuclear labs, and teaches system administrators how to see evidence of infections on their systems and then test to verify whether they are seeing real problems. Attend October 5-14, three hours per day, right from your office.
Details at https://www.sans.org/vlive/details.php?nid=19828
Because finding the "persistent presence" is so critical to the Department of Defense, contractors supporting DoD sites are eligible for site licenses for this course for all their system administrators. Email mbrown@sans.org for site license information.



Alan

TOP OF THE NEWS

GAO Report Finds Problems With FISMA Guidance and Agencies' Security Practices
Virtual Task Force Cooperation Helps Police Nab Cyber Criminals
Police in Queensland, Australia to Seek Out Unsecured Wireless Networks and Warn Owners
Pirate Websites to go Legit

THE REST OF THE WEEK'S NEWS

LEGAL ISSUES
Microsoft Files Lawsuit Against Alleged Phishers
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Amazon Deletes Purchased Books From Kindle Users' Devices
DATA PROTECTION & PRIVACY
City of Los Angeles Considering Move to Google-Provided Cloud Computing
VULNERABILITIES
JavaScript DOM Flaw Affects Most Browsers
UPDATES AND PATCHES
Mozilla Releases Firefox 3.5.1
Google Chrome 2 Update Addresses Two Flaws
ATTACKS & ACTIVE EXPLOITS
Eircom Acknowledges Cache Poisoning Attacks
STUDIES AND STATISTICS
Consumer Devices with Embedded Web Interfaces are Vulnerable to Attacks
The United States Tops the Spam Table
INFOSEC Leadership Council - Secrets of Great Security Managers


*********************** Sponsored By Symantec ***************************

Ponemon Report: Data Loss During Downsizing According to a research study conducted by the Ponemon Institute, more than half of ex-employees admit to stealing company data. Download this report to view survey results and to see how you can protect your organization from being so vulnerable. Download report at http://www.sans.org/info/46194

*************************************************************************

TRAINING UPDATE

- SANS Network Security, San Diego Sept. 14-22; the Fall's biggest security training conference -- 20 full length courses and 16 short courses plus a big exhibition http://www.sans.org/ns2009
- SANS Boston, Aug 2-9 (6 full-length hands-on courses) https://www.sans.org/boston09/index.php
- The Virtualization and Cloud Security Summit on August 17-18 in Washington; courses in the following days http://www.sans.org/info/43118
- Looking for training in your own community? http://sans.org/community/
- Save on On-Demand training (30 full courses). See samples at http://www.sans.org/ondemand/spring09.php
Plus Amsterdam, London, Dubai, Riyadh, Cairo, Melbourne, Canberra, and Singapore all in the next 90 days. For a list of all upcoming events, on-line and live: www.sans.org

*************************************************************************



TOP OF THE NEWS

GAO Report Finds Problems With Agencies' Security Practices and FISMA Guidance (July 17, 2009)

A report from the US Government Accountability Office (GAO) found "persistent weaknesses in information security policies and practices [that] continue to threaten the confidentiality, integrity, and availability of critical information and information systems used to support the operations, assets, and personnel of most federal agencies." In addition, the GAO said that the information security reporting process as mandated by the Federal Information Security Management Act (FISMA) does not provide an accurate measure of the effectiveness of agencies' cyber security stance.
-http://fcw.com/Articles/2009/07/17/Web-GAO-FISMA-info-security.aspx
-http://www.gao.gov/new.items/d09546.pdf
[Editor's Note (Pescatore): This has become an annual exercise: GAO issues a report that highlights the deficiencies found at government agencies' security programs and then everyone bashes FISMA, as if that was the problem. Not once do we see a report that says what is needed to be done to remove obstacles keeping government security managers from making progress.
(Ranum): Until there are consequences for failure, government executives will continue to comfortably fail. ]

Virtual Task Force Cooperation Helps Police Nab Cyber Criminals (July 8, 2009)

An agreement struck by banks and credit card companies to create a virtual task force to share information about cyber attacks and malware has resulted in busts of two cyber crime gangs, netting a total of 22 arrests. The cooperation of banks and credit card companies is a significant step forward in battling cyber crime; in the past, both groups have been reluctant to share information about vulnerabilities and attacks for fear that criminals would exploit vulnerabilities before they were fixed and that customers might shy away from doing business with them.
-http://www.theregister.co.uk/2009/07/08/williams_acpo/

Police in Queensland, Australia to Seek Out Unsecured Wireless Networks and Warn Owners (July 17, 2009)

Police in Queensland, Australia plan to wardrive for unsecured wireless networks. Because cyber criminals often exploit these connections, police will search out the unsecured networks and warn their owners of the dangers they pose. People who have enabled security on their wireless networks but have left default passwords in place will receive similar warnings.
-http://www.reghardware.co.uk/2009/07/17/oz_plod_wardriving/
-http://www.securitypronews.com/insiderreports/insider/spn-49-20090717AustralianPoliceToGoWardriving.html

[Editor's Note (Pescatore): I guess this is sort of like the fire department coming by to give you a free check of your smoke detectors, but it is hard for me to believe that any real risk prioritization exercise would put this anywhere near the top of the list of demands on a police officer's time. I'd rather they catch one more robber/killer/drunk driver than clean up 100 houses' open WiFi access points. ]

Pirate Websites to go Legit (20 July, 2009)

In a move similar to that made by Napster, the companies behind Pirate Bay and Kazaa have decided to legitimize their respective business models. The company behind The Pirate Bay website, Global Gaming Factory X, announced that it will introduce a "give and take" model which will reward users for sharing their resources. Under the new scheme users will be charged a monthly fee, but if they share their download content or computer resources their monthly fee could be reduced. Kazaa is expected to launch later this month as a monthly subscription service. Kazaa intends to employ DRM technology to limit downloads to five computers or devices.
-http://news.bbc.co.uk/2/hi/technology/8159560.stm
-http://www.smh.com.au/technology/biz-tech/the-pirate-bay-hatches-plan-to-go-legit-20090720-dq59.html



*************************** SPONSORED LINKS******************************

1) WEBCAST: How Browser Exploits Lead to Web 2.0 Hacking with keynote from IDC http://www.sans.org/info/46199
2) SANS Vendor Demo Spotlight: Palo Alto Networks - PA-4000 Next Generation Firewall Dedicated processing and memory for networking, security, threat prevention & management. http://www.sans.org/info/46204
3) Be Sure to Register Now for the Tool Talk Webcast: Finding the Root Cause of Any Security Alert - Fast Sponsored by: Solera Networks & SonicWALL http://www.sans.org/info/46209

*************************************************************************


THE REST OF THE WEEK'S NEWS

Microsoft Files Lawsuit Against Alleged Phishers (July 17, 2009)

Microsoft has filed a lawsuit in Washington state accusing two companies of using phishing tactics to trick Live Messenger users into divulging their login information. The companies, Funmobile and Mobilefunster, allegedly used the stolen data to send spam messages to everyone on the phished users' contact lists. Microsoft is seeking an injunction blocking the companies' alleged phishing and spamming activities as well as damages under the Computer Fraud and Abuse Act, the CAN-SPAM Act of 2003 and consumer protection and anti-spam laws in the State of Washington.
-http://www.h-online.com/security/Microsoft-sues-Live-Messenger-phishers--/news/113788
-http://www.scmagazineus.com/Microsoft-sues-to-stop-Windows-Live-Messenger-spam/article/140259/
-http://microsoftontheissues.com/cs/blogs/mscorp/archive/2009/07/16/saying-no-to-spim.aspx
-http://www.scribd.com/doc/17420433/Microsoft-Corporation-v-Funmobile-et-al-case-number-092212473

Amazon Deletes Purchased Books From Kindle Users' Devices (July 17, 2009)

Kindle owners who had purchased electronic copies of George Orwell's Animal Farm and 1984 were no doubt surprised to find the books deleted from their devices last week. Apparently the company that added the editions of the books to the Kindle catalog did not have the rights to do so. Amazon credited affected users' accounts for the cost of the books. Amazon says that if it faces similar circumstances in the future, it will not delete books from users' devices. Comments in customer web forms indicate that certain editions of Harry Potter books and works by Ayn Rand had similarly disappeared. The Kindle terms-of-service agreement nowhere states that Amazon has the right to delete purchased content from users' devices. The irony of Orwell's books being deleted has not been lost on the public.
-http://www.techweb.com/article/showArticle?articleID=218501227&section=News
-http://www.nytimes.com/2009/07/18/technology/companies/18amazon.html

City of Los Angeles Considering Move to Google-Provided Cloud Computing (July 16 & 17, 2009)

The city of Los Angeles has proposed moving its government e-mail, police records and other information management to Google's cloud computing services. If the proposal is approved, Los Angeles will become the second US city, after Washington DC, to migrate data storage to Google's services. The plan has the mayor's support, but police officials have some concerns. Los Angeles Police Protective League president Paul Weber expressed concern about the security of data stored on Google systems. Last week, internal Twitter documents were accessed through Google Apps and leaked to the Internet.
-http://www.latimes.com/news/local/la-me-public-records17-2009jul17,0,5461479.story
-http://www.msnbc.msn.com/id/31967328/ns/technology_and_science-security/
-http://www.govtech.com/gt/702712?topic=117673
[Editor's Note (Schultz): I like Google, but Google should by no means be considered a leader when it comes to information security practices. Until Google achieves this reputation, users of Google's so-called (and misnamed) "cloud services" should not be very trusting concerning Google's email and file storage services. The city of Los Angeles should have heeded Paul Weber's word of caution.]

JavaScript DOM Flaw Affects Most Browsers (July 16 & 17, 2009)

A security flaw in JavaScript's Document Object Model (DOM) affects most major web browsers. The flaw could be exploited to allocate large portions of memory, which could crash the applications. The flaw affects all tested versions of Internet Explorer (IE) as well as older versions of Opera, Chrome, Safari and Firefox, although the newer versions of most browsers, with the exception of IE, have been patched against the vulnerability.
-http://www.theregister.co.uk/2009/07/17/universal_browser_crash_bug/
-http://www.h-online.com/security/DOM-flaw-can-crash-many-browsers--/news/113779
-http://www.g-sec.lu/one-bug-to-rule-them-all.html#

Mozilla Releases Firefox 3.5.1 (July 17, 2009)

On Thursday, July 16, Mozilla released Firefox 3.5.1 to address a critical vulnerability in the TraceMonkey JavaScript engine's just-in-time (JIT) compiler. The flaw could be exploited to run arbitrary code, allowing attackers to install malware on vulnerable computers. Exploit code for the flaw was posted to the Internet early last week. Firefox 3.5.1 also addresses several stability issues in the browser and a performance issue that causes slow start-up on Windows systems.
-http://www.computerworld.com/s/article/9135617/Mozilla_quashes_first_critical_bug_in_Firefox_3.5_beats_Microsoft_to_patch_punch?source=rss_security
-http://www.theregister.co.uk/2009/07/17/firefox_update/
-http://www.mozilla.com/en-US/firefox/3.5.1/releasenotes/

Google Chrome 2 Update Addresses Two Flaws (July 16 & 17, 2009)

Google has released version 2.0.172.37 of its Chrome 2 browser to address a pair of security flaws. The first is a heap-based buffer overflow that could be exploited to run arbitrary code. The second is a critical memory corruption flaw in the renderer process that could be exploited to execute arbitrary code and could cause vulnerable computers to crash.
-http://www.h-online.com/security/Google-closes-two-vulnerabilities-in-Chrome--/news/113789
-http://googlechromereleases.blogspot.com/2009/07/stable-beta-update-bug-fixes.html

Eircom Acknowledges Cache Poisoning Attacks (July 17, 2009)

Irish internet service provider (ISP) Eircom says that twice within the last few weeks it was targeted by a cache poisoning attack that redirected customers to sites they did not intend to visit. An Eircom spokesperson also acknowledged that steps the company took to mitigate the effects of the attack probably had an effect on customers' ability to connect to the Internet, as there were two periods of time earlier this month during which customers were left without service.
-http://www.siliconrepublic.com/news/article/13448/cio/eircom-reveals-cache-poisoning-attack-by-hacker-led-to-outages
-http://www.scmagazineuk.com/Irish-ISP-Eircom-hit-by-multiple-attacks-that-restrict-service-for-users/article/140243/

Consumer Devices with Embedded Web Interfaces are Vulnerable to Attacks (July 16, 2009)

Stanford University researchers tested 21 devices with embedded web interfaces, such as webcams, printers, network switches, and photo frames, and found that none was immune to attack. The researchers subjected the devices to several types of attacks including cross-channel scripting, cross-site request forgeries and unauthorized access of files or device resources. The devices posing the greatest overall security risk were network-attached storage, or NAS units. The researchers plan to share their findings at the Black Hat security conference in Las Vegas.
-http://www.theregister.co.uk/2009/07/16/buggy_web_interface_peril/

The United States Tops the Spam Table (July 20, 2009)

A recent study by Sophos shows that the United States is responsible for relaying more spam than any other country in the world. In the report published on Monday, 15.6% of all spam email in the second quarter of 2009 was relayed from the United States. The other countries that make up the global top three are Brazil at 11.1% and Turkey at 5.2%. The top three countries and their rankings remain unchanged from the first quarter of 2009. The large percentage figure attributed to the United States can be explained by the number of infected PCs that have access to broadband networks and are part of large botnets.
-http://www.scmagazineus.com/United-States-is-worlds-No-1-spam-sender/article/140314/
-http://www.v3.co.uk/v3/news/2246369/six-spams-american-accent

INFOSEC Leadership Council - Secrets of Great Security Managers


INFOSEC Leadership Council web cast on how to get security programs implemented when you have no authority to demand action.

(Scheduled for July 22 at 2 PM EDT).

The INFOSec Leadership Council is sponsoring a web cast tomorrow (Wednesday, July 22) afternoon at 2 PM EDT. It covers the one technique that allows security managers to get other executives to implement improved security when those other executives would usually resist. It will last about an hour.

There is no cost for qualified people. Complete the qualification form at
-http://www.sans.org/executive/questionaire.php

Here is why this particular technique works so well:

(1) It helps you implement important strategic change even when many others may resist the change.
(2) It gets you resources and support from bosses without resorting to political games.
(3) It helps you avoid developing adversary relationships.
(4) It fosters creative and cooperative behaviors in support of your initiatives.

And best of all, we now have a perfect case study that proves the value and shows each of the elements that are essential for success.
This program is one part of SANS' new "Advanced Communications Skills for Security Managers." It assumes the manager knows how to speak and write well, and provides training on the advanced techniques that very successful executives use.

A few of the other topics in the INFOSEC Leadership Council program include:
- What three communications errors do security managers make that most damage their careers and why do they make them?
- Security managers are told not to use jargon but to speak in language that is relevant to the business - how can that be done effectively and consistently?
- Email has replaced business memos as the most common form of communication between managers. What are the keys to creating emails that senior executives appreciate?
- When negotiating with other managers, what two techniques are most critical to reaching a satisfactory outcome?
- If you have only 60 seconds to explain an important security initiative to top management, what are the most important elements to cover? (The elevator pitch)
- What works in addressing hostile audiences and in responding to hostile questions?



**********************************************************************
The Editorial Board of SANS NewsBites



Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/