
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XI - Issue #63

August 11, 2009


(1) V2.1 To Be Released This Week
On Friday of this week Version 2.1 of the 20 Critical Controls for Effective Cyber Defense will be published at the CSIS site. This update reflects input from more than 100 organizations that reviewed the initial draft and contains the mapping of the 20 Critical Controls to revised NIST 800-53 controls requested by NIST.


(2) Search for Effective Automation Tools Begins
This release also signals the launch of the search for tools that automate one or more of the controls. The authors have already received seven submissions from vendors that believe their tools provide effective automation for the implementation and continuous monitoring of several controls. The new search will last until August 31. Any user who has automated elements of the 20 Critical Controls, and any vendor whose tools automate those controls, should send a submission to cag@sans.org before August 31. Those that are demonstrated to actually work will be posted and may be included in the first National Summit on Planning and Implementing the 20 Critical Controls, to be held at the Reagan Center in November. If you are wondering whether your tools meet the needs, you can find a draft at

http://www.sans.org/cag/guidelines.php

(3) A 60-minute webcast on Thursday, August 13, 1PM - 2PM EDT: "Three Keys To Understanding and Implementing the Twenty Critical Controls for Improved Security in Federal Agencies" with James Tarala and Eric Cole. For free registration, visit

https://www.sans.org/webcasts/show.php?webcastid=92748

Alan

TOP OF THE NEWS

US-CERT Director Resigns
Appeals Court Upholds Ruling Dismissing Suit Against Alleged Spammer

THE REST OF THE WEEK'S NEWS

ARRESTS, INDICTMENTS & SENTENCES
Man Arrested and Indicted for Alleged Attack on Former Employer's Systems
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
UK Defence Department Allowing Use of Social Networking Media
DATA BREACHES
Citibank and Bank of America Issue New Cards to Massachusetts Customers
DATA PROTECTION & PRIVACY
Secret, Stubborn Cookies
ACLU Concerned About Proposed Increase of Cookie Use on Government Sites
UPDATES AND PATCHES
Microsoft to Issue Nine Bulletins on August 11
ATTACKS & ACTIVE EXPLOITS
Attack on Twitter and Facebook Was a "JoeJob"
STUDIES AND STATISTICS
Compliance with NERC Standards No Guarantee of Security
MISCELLANEOUS
Skeptics Refute Beck's Allegation That Connecting To Cars.Gov Site Gives US Government The Right To Seize Computer
Sandia to Launch Research Botnet


********************** SPONSORED BY Q1 Labs **************************

** A COMPREHENSIVE GUIDE TO NETWORK FRAUD PROTECTION **

Includes LIVE DEMO and COMPLIMENTARY copy of Gartner 2009 SIEM Critical Capabilities Report.

Next-generation security information and event management (SIEM) solution integrates Gartner-recommended fraud detection technologies and helps organizations like yours:

* Improve Threat Management
* Thwart Insider Abuse
* Prevent Data Leakage
* Protect Corporate Security & Intellectual Property.

August 18, 2009
REGISTER 10:00 AM EDT
Session https://www.sans.org/info/47159
OR 2:00 PM EDT Session
https://www.sans.org/info/47164

*************************************************************************

TRAINING UPDATE

- - SANS Network Security, San Diego Sept. 14-22; the Fall's biggest security training conference-- 20 full length courses and 16 short courses plus a big exhibition
https://www.sans.org/ns2009
- - SANS Virginia Beach August 28 - Sept. 4. 11 full-length courses plus short courses:
https://www.sans.org/vabeach09/
- - The Virtualization and Cloud Security Summit on August 17-18 in Washington; courses in the following days
https://www.sans.org/info/43118
Looking for training in your own community? https://sans.org/community/
Save on On-Demand training (30 full courses) - See samples at https://www.sans.org/ondemand
For a list of all upcoming events, on-line and live: http://www.sans.org

*************************************************************************

TOP OF THE NEWS

US-CERT Director Resigns (August 8 & 10, 2009)

The director of the Department of Homeland Security's (DHS) US Computer Emergency Readiness Team (US-CERT) has resigned. Mischel Kwon was the fourth person to hold that position in the last five years. Last week, acting National Cyber Security Coordinator Melissa Hathaway stepped down, withdrawing her name from the list of potential candidates for the full-time post. The position was announced months ago and has yet to be filled. Earlier this year, Rod Beckstrom resigned as head of the DHS National Cyber Security Center, citing a lack of funding and bickering over control with other agencies.
-http://www.washingtonpost.com/wp-dyn/content/article/2009/08/07/AR2009080702805_pf.html
-http://www.theregister.co.uk/2009/08/10/us_cert_boss_quits/
-http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=219100611
-http://fcw.com/Articles/2009/08/10/Web-Kwon-Resignation-USCERT.aspx
-http://blogs.usatoday.com/ondeadline/2009/08/head-of-us-computeremergency-agency-quits.html

[Editor's Note (Schultz): This says a lot about the barriers and negative job conditions that cyber security professionals within the US government face. Note also that this is not the first time that notable cyber security professionals within the government have bailed.
(Paller): Ms. Kwon's leaving is not a big national policy issue - it simply reflects her frustration with weak personnel that the last Administration placed at DHS and the bad performance that ensued. The new managers in cyber at DHS (Reitinger, McConnell, Schaffer, Brown, Coose) are enormously better, good enough to make a big difference in cybersecurity in government. And once they enable the government to lead by example, they are good enough to make a difference in the rest of the critical infrastructure with or without a White House cyber czar. But Mischel's patience with ineffective people in the lower level management roles and legal positions had run out. She was the best thing that had happened to DHS in years. Very sad. ]

Appeals Court Upholds Ruling Dismissing Suit Against Alleged Spammer (August 8, 2009)

The Ninth Circuit Court of Appeals has upheld a lower court ruling that individuals may not sue spammers under the CAN-SPAM Act unless they meet the Act's requirements for being an Internet service provider. A lower court had dismissed a case James S. Gordon Jr. brought against Virtumundo, Inc. seeking US $10 million for receiving thousands of unsolicited commercial emails. The Appeals Court ruled that Gordon lacked the necessary standing to sue. Gordon appears to have taken no steps to block email from reaching his in-box, and the ruling suggested that Gordon had made a practice of collecting spam and filing lawsuits.
-http://www.theregister.co.uk/2009/08/08/spam_suit_torpedoed/
-http://www.scmagazineus.com/Federal-court-spurns-anti-spammer/article/141422/
-http://blogs.findlaw.com/courtside/2009/08/9th-circuit-puts-can-spam-lawsuit-in-the-junk-folder.html

-http://www.ca9.uscourts.gov/datastore/opinions/2009/08/06/07-35487.pdf


*************************** SPONSORED LINKS******************************

1) Whitelisting Your Way to FISMA Compliance - Total Application Visibility & Control
http://www.sans.org/info/47169

*************************************************************************

THE REST OF THE WEEK'S NEWS

Man Arrested and Indicted for Alleged Attack on Former Employer's Systems (August 6, 7 & 8, 2009)

Luis Robert Altamarino has been arrested and indicted for allegedly breaking into his former employer's computer network and causing damage that took days to remedy. The intrusion occurred a year after Altamarino was let go from his position as a computer specialist at the United Way Miami-Dade County. He allegedly gained access to the organization's servers and deleted donor lists, email and the BlackBerry account management system. He also allegedly caused problems with the organization's analog phone system, rendering voicemail inaccessible. Altamarino had worked for the United Way for five months starting in July 2007. The incident illustrates the importance of revoking access privileges as soon as employees are terminated, and of checking afterwards that the revocation actually took effect.
-http://www.theregister.co.uk/2009/08/07/it_admin_christmas_eve_rampage/
-http://news.softpedia.com/news/Former-IT-Specialist-Hacks-into-Charity-039-s-Network-118711.shtml

-http://www.usdoj.gov/usao/fls/PressReleases/090806-01.html
[Editor's Note (Weatherford): De-provisioning users is one of the most important things an organization can do yet it continues to be one of those things people simply don't think is important enough...until they become a victim. ]
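The check that would have caught the situation above is a routine reconciliation of the HR termination feed against the account directory. The script below is an added example, not code from the newsletter or from any organization in the story; the HR feed, the account export, and the user names in it are constructed for illustration. It flags accounts still enabled after their owner's termination date, logons that occurred after termination (the pattern here, a year after the employee was let go), and accounts with no owner on record, which no departure will ever disable.

```python
"""
Reconcile an HR termination feed against an account directory export and
flag access that should have been revoked. Added example; all records
below are constructed, not taken from any real organization.
"""
import csv
import io
from datetime import date, timedelta

# Constructed HR feed: employees whose employment has ended.
HR_TERMINATIONS = """\
employee_id,name,termination_date
1001,A. Example,2008-12-31
1002,B. Example,2009-06-15
"""

# Constructed directory export, as an IdP or Active Directory dump might look.
# "enabled" is the account state today; "last_login" is the most recent logon.
ACCOUNT_EXPORT = """\
username,employee_id,enabled,last_login
aexample,1001,true,2009-12-24
bexample,1002,false,2009-06-12
cexample,1003,true,2009-08-10
svc-backup,,true,2009-08-09
"""


def _parse_date(text):
    return date.fromisoformat(text) if text else None


def _rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def find_stale_access(hr_csv, accounts_csv, grace=timedelta(days=0)):
    """Return findings as sorted (username, issue) tuples.

    Issues raised:
      enabled_after_termination - owner has left, account is still enabled
      login_after_termination   - a logon later than termination + grace
      no_owner                  - account with no employee on record
    """
    terminated = {
        r["employee_id"]: _parse_date(r["termination_date"]) for r in _rows(hr_csv)
    }
    findings = set()
    for acct in _rows(accounts_csv):
        user = acct["username"]
        emp_id = acct["employee_id"].strip()
        enabled = acct["enabled"].strip().lower() == "true"
        last_login = _parse_date(acct["last_login"].strip())

        if not emp_id:
            # Nobody owns it, so nobody's departure will ever disable it.
            findings.add((user, "no_owner"))
            continue
        if emp_id not in terminated:
            continue  # current employee; out of scope for this check

        cutoff = terminated[emp_id] + grace
        if enabled:
            findings.add((user, "enabled_after_termination"))
        if last_login and last_login > cutoff:
            findings.add((user, "login_after_termination"))
    return sorted(findings)


if __name__ == "__main__":
    for user, issue in find_stale_access(HR_TERMINATIONS, ACCOUNT_EXPORT):
        print(f"{user}: {issue}")
```

Run against the constructed data, the script reports the departed employee's account as both still enabled and used after termination, and reports the ownerless service account. The `grace` parameter exists because some organizations deliberately keep a mailbox alive for a few days after departure; set it to that window so the report shows only real lapses.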

UK Defence Department Allowing Use of Social Networking Media (August 7, 2009)

In contrast to recent news that the US military is considering restricting or even banning social networking media altogether, the UK Ministry of Defence is encouraging its troops to make use of Twitter, Facebook, YouTube and other similar services. Troops and civilian employees may post to the sites without authorization as long as they follow guidelines to "maintain personal information and operational security and be careful about the information they share online."
-http://www.nextgov.com/nextgov/ng_20090807_7858.php?oref=topnews

Citibank and Bank of America Issue New Cards to Massachusetts Customers (August 10, 2009)

Bank of America Corp. and Citigroup Inc. have issued new credit and debit cards to customers in Massachusetts. The accompanying letters informed the customers that a data compromise at third-party organizations may have put their card information at risk of exposure. Bank representatives do not appear to believe the situation was caused by a new breach.
-http://triangle.bizjournals.com/triangle/othercities/charlotte/stories/2009/08/10/daily3.html
-http://www.scmagazineus.com/Report-Mass-bank-customers-getting-replacement-cards/article/141431/

Secret, Stubborn Cookies (August 10, 2009)

Researchers from the University of California, Berkeley have reported that more than half of the top 100 websites they examined are using Adobe Flash cookies to track users' behavior and interests, but these cookies are mentioned in just four privacy policies, though other sites mention the use of "tracking technology." Flash cookies (Local Shared Objects) differ from regular cookies because they are written by the Flash Player plug-in to its own storage area on disk rather than to the browser's cookie store, so browser privacy controls and cookie deletion do not touch them. The researchers also found Flash cookies being used to re-establish regular cookies after users delete them. The researchers' report was submitted earlier this week as a comment on the federal government's proposal to re-establish the use of cookies on federal websites (see following story).
-http://www.wired.com/epicenter/2009/08/you-deleted-your-cookies-think-again/
-http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1446862
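Because Flash objects live outside the browser, the practical check is to inventory them on disk and see which sites hold both a Flash object and an HTTP cookie, since that pairing is what lets a site copy an identifier back after the browser's cookies are cleared. The script below is an added example, not code from the Berkeley study or the newsletter. The on-disk layout it walks (a `#SharedObjects` directory under `~/.macromedia/Flash_Player` on Linux, or `%APPDATA%\Macromedia\Flash Player` on Windows, containing a random-named directory, then one directory per site host name, then `.sol` files) is an assumption about Flash Player 9 and 10; the sample tree and cookie domains it builds for a stand-alone run are constructed.

```python
"""
Inventory Flash Local Shared Objects ("Flash cookies") on disk and flag
sites that also hold an HTTP cookie, the setup needed to respawn a deleted
HTTP cookie from the Flash copy. Added example, not code from the study.

Assumed on-disk layout (Flash Player 9/10):
  Linux:   ~/.macromedia/Flash_Player/#SharedObjects/<random>/<host>/<path>/<name>.sol
  Windows: %APPDATA%\\Macromedia\\Flash Player\\#SharedObjects\\...
"""
import tempfile
from pathlib import Path


def list_flash_cookies(shared_objects_root):
    """Map site host name -> sorted list of .sol files under #SharedObjects."""
    root = Path(shared_objects_root)
    inventory = {}
    if not root.is_dir():
        return inventory
    for bucket in root.iterdir():            # the random-named directory
        if not bucket.is_dir():
            continue
        for host_dir in bucket.iterdir():    # one directory per site host name
            if not host_dir.is_dir():
                continue
            sols = sorted(str(p) for p in host_dir.rglob("*.sol"))
            if sols:
                inventory.setdefault(host_dir.name, []).extend(sols)
    return inventory


def _host_in_cookie_domain(host, cookie_domain):
    # A cookie for ".example.com" covers www.example.com and example.com.
    host = host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


def respawn_candidates(flash_hosts, http_cookie_domains):
    """Hosts with a Flash object that also fall inside an HTTP cookie's domain.

    A site in this list can copy an identifier between the two stores, so
    clearing the browser's cookies alone does not remove it.
    """
    return sorted(
        h for h in flash_hosts
        if any(_host_in_cookie_domain(h, d) for d in http_cookie_domains)
    )


def build_sample_tree(base=None):
    """Create a constructed #SharedObjects tree so the script runs stand-alone."""
    base = Path(base) if base else Path(tempfile.mkdtemp())
    root = base / "#SharedObjects"
    for rel in (
        "A1B2C3D4/www.example.com/ads/tracker.sol",
        "A1B2C3D4/www.example.com/player/settings.sol",
        "A1B2C3D4/cdn.tracker-example.net/beacon.sol",
        "A1B2C3D4/video.example.org/notes.txt",    # not a Flash object
    ):
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"\x00\xbf")  # placeholder bytes, not a real .sol file
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    inventory = list_flash_cookies(root)
    for host, files in inventory.items():
        print(host, len(files), "object(s)")
    # Constructed list of domains that currently have HTTP cookies set.
    print("respawn candidates:", respawn_candidates(inventory, [".example.com", "other.org"]))
```

Point `list_flash_cookies` at your own `#SharedObjects` directory and pass the domains from your browser's cookie store to `respawn_candidates`; any host it returns is one where deleting browser cookies, as the Wired piece observes, is not enough on its own.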

ACLU Concerned About Proposed Increase of Cookie Use on Government Sites (August 10, 2009)

The American Civil Liberties Union (ACLU) is concerned about a proposal from the White House Office of Management and Budget (OMB) to allow broader use of cookies on government web sites. A policy established in 2000 allows limited use of cookies on government sites, in cases of "compelling need." In a blog entry posted late last month, US Federal CIO Vivek Kundra and the OMB proposed a new cookie policy to "create a more open and innovative government." The ACLU has posted comments to the suggestion, saying that "the implications of allowing the government to collect and store such information are staggering."
-http://www.computerworld.com/s/article/9136471/Potential_gov_t_cookie_policy_change_prompts_concerns

-http://blog.ostp.gov/2009/07/24/cookiepolicy/

Microsoft to Issue Nine Bulletins on August 11 (August 7, 2009)

On Tuesday, August 11, Microsoft plans to release nine security bulletins to address vulnerabilities in Windows, Microsoft Office, Visual Studio, Microsoft ISA Server and Microsoft BizTalk Server. One of the Windows-related bulletins will address flaws in Outlook Express and Windows Media Player. Five of the bulletins have been rated critical; the other four have been rated important. Most of the fixes will require restarts.
-http://www.theregister.co.uk/2009/08/07/patch_tuesday_pre_alert/
-http://news.cnet.com/8301-27080_3-10304972-245.html?part=rss&subj=news&tag=2547-1009_3-0-20
-http://www.scmagazineus.com/ActiveX-fix-eight-other-Microsoft-patches-to-land-Tuesday/article/141284/

-http://www.microsoft.com/technet/security/bulletin/ms09-aug.mspx

Attack on Twitter and Facebook Was a "JoeJob" (August 6, 7 & 10, 2009)

The denial-of-service attacks that hobbled Twitter and Facebook last week were not conducted through botnets, but instead were the result of a spam campaign aimed at taking out accounts belonging to a pro-Georgia blogger. A "Joe job" is a spam run sent in the victim's name so that the backlash lands on the victim; in this case the spam carried links to the blogger's accounts, and the social networking and blogging sites suffered deteriorating service as spam recipients clicked on those links. The blogger, known as Cyxymu, also had his accounts on YouTube and LiveJournal targeted. He has written an open letter asking Russian President Dmitry Medvedev to launch an investigation to find the culprits.
-http://www.theregister.co.uk/2009/08/07/twitter_attack_theory/
-http://www.computerworld.com/s/article/9136379/Security_researchers_zero_in_on_Twitter_hackers
-http://www.theregister.co.uk/2009/08/10/cyxymu_letter_to_medvedev/
-http://news.bbc.co.uk/2/hi/technology/8194395.stm
-http://voices.washingtonpost.com/securityfix/2009/08/twitter_facebook_google_attack.html

Compliance with NERC Standards No Guarantee of Security (August 7, 2009)

A survey of 100 information security specialists at US energy companies found that the majority believe that the cyber security standards established by the North American Electric Reliability Corp (NERC) are not adequate to protect the country's electric power grid. More than half of those responding to the survey said they handle at least 150 serious attacks every week; two-thirds of respondents said they deal with at least 75 intrusions every week. Every respondent agreed that simply being in compliance with NERC regulations does not ensure that their systems are secure. However, respondents said that having compliance requirements helps make their departments' needs visible to senior management and helps generate funding for their budgets.
-http://www.scmagazineus.com/Energy-companies-say-NERC-standards-inadequate/article/141224/?DCMP=EMC-SCUS_Newswire

[Editor's Note (Schultz): The same issue that has plagued the PCI-DSS standard has surfaced in the case of the NERC standards. The question is not whether the standards mandate strong levels of security, so strong that systems and networks that conform to them could repel virtually any attack. Requiring such levels would foster open rebellion because of the high costs involved in achieving compliance. The real question is instead whether standards prescribe acceptable levels of security that result in sufficient controls that mitigate most identified risks. ]

Skeptics Refute Beck's Allegation That Connecting To Cars.Gov Site Gives US Government The Right To Seize Computer (August 10, 2009)

Fox News commentator Glenn Beck has claimed that a policy statement on the Cars.Gov web site, the site the US government set up for the Cash for Clunkers program, asserts the government's right to own and seize any computer that connects to it. Hoax-debunking sites such as snopes.com soon declared Beck's assertion false. Skeptics such as Eugene Schultz have noted that seizing a computer in the manner Beck described is contrary to the government's published privacy policy, and have also questioned how a computer that merely connects remotely to a web site could be seized at all.
-http://www.glennbeck.com/content/articles/article/198/28815/
-http://www.eff.org/deeplinks/2009/08/cars-gov-terms-service
-http://www.dot.gov/privacy.html
-http://blog.emagined.com/

Sandia to Launch Research Botnet (August 9 & 10, 2009)

Later this year, the US Department of Energy's Sandia National Laboratories plans to launch a simulated botnet comprising one million virtual machines. The botnet will not be used maliciously; instead, researchers hope to gain insight into botnet behavior and also into how to manage large systems.
-http://blogs.zdnet.com/emergingtech/?p=1706
-http://gcn.com/Articles/2009/08/10/Sandia-Botnet.aspx


**********************************************************************
The Editorial Board of SANS NewsBites



Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/