SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XII - Issue #40
May 22, 2010
Big story this week on US government cyber security spending. It is controversial but ultimately wonderful, reallocating more than a billion dollars in US cyber security spending over the next 36 months. If you need a copy of the NASA memo, email me at firstname.lastname@example.org. If you want to know more about the US State Department innovation, try to get a seat (they are free) at the Government Executive Magazine Cyber Insider breakfast on June 15 (register at http://www.govexec.com/cyber%5Finsider/). Otherwise email me and I'll try to connect you.
TOP OF THE NEWS
NASA Shifts Cyber Security Focus and Money From Certification and Accreditation to Real-Time Threat Reporting
DHS Supports NASA Transformation
Microsoft Program Will Share Early Vulnerability Info With Governments
German Authorities Launch Investigation Into Google Wi-Fi Data Gathering
THE REST OF THE WEEK'S NEWS
Keystroke Logger Spreading Through Twitter
Judge Shuts Down Cyber Crime-Friendly ISP
Vulnerability in 64-bit Windows 7
Apple Updates Java for OS X
Facebook Fixes Data Exposure Flaw
Heartland Settles With MasterCard Over Data Breach
Underground Cyber Crime Forum Data Stolen
Dutch Transit Site Offline After Vulnerabilities are Demonstrated
EXTRA: Five Ways to Keep Online Criminals at Bay: A Security Gift to Send On to Friends and Family
EXTRA: Feedback on Secure Transfer Techniques from Stephen Northcutt
**************** Sponsored By Trusted Computer Solutions ****************
Is your IT organization struggling to keep your enterprise servers in compliance with security policy? Could your organization pass a surprise security audit today? Security Blanket performs fast, consistent, and repeatable operating system lock down to industry or custom security settings in minutes, not days. Audit ready, all the time! Try Security Blanket for FREE.
-- SANSFIRE 2010, Baltimore, June 6-14, 2010 38 courses. Bonus evening presentations include Software Security Street Fighting Style and The Verizon Data Breach Investigations Report
-- SANS Rocky Mountain 2010, Denver, July 12-17, 2010 8 courses. Bonus evening presentations include Hiding in Plain Sight: Forensic Techniques to Counter the Advanced Persistent Threat
-- SANS Boston 2010, August 2-8, 2010 11 courses. Special Events include Rapid Response Security Strategy Competition
-- SANS Network Security 2010, Las Vegas, September 19-27, 2010 39 courses. Bonus evening presentations include The Return of Command Line Kung Fu and Cyberwar or Business as Usual? The State of US Federal CyberSecurity Initiatives
Looking for training in your own community? http://sans.org/community/
Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/spring09.php
Plus Amsterdam, Kuala Lumpur, Canberra and Taipei all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
TOP OF THE NEWS
NASA Shifts Cyber Security Focus and Money From Certification and Accreditation to Real-Time Threat Reporting (May 19 & 20, 2010)
NASA deputy chief information officer Jerry Davis has issued a memo instructing all NASA CIOs and CISOs to "shift [their focus and contracts] away from cumbersome and expensive C&A [certification and accreditation] paperwork processes, in favor of a value-driven, risk-based approach to system security." The Federal Information Security Management Act (FISMA), which never mandated C&As the way NIST implemented them, has been facing increasing criticism for being a paperwork sinkhole, requiring agencies to commit time and money to creating reports that assess compliance, but not requiring any actions to secure systems. C&As are still required before new systems are authorized for operation, but the wasteful three-year C&A updates, which consumed 85% of C&A budgets, are no longer allowed. Davis took his lead from a list of security requirements released by the Office of Management and Budget (OMB) last month.
[Editor's Note (Schultz): Good for NASA! The motivation behind FISMA was good, but the mechanisms and processes have been badly flawed since day one.
(Pescatore): There is a lot of inaccurate wording here. Last year NIST took the lead in updating 800-53 and 800-37 to require more continuous monitoring. OMB is requiring that the output from the continuous monitoring be submitted through a tool called Cyberscope - which simplifies the top level compilation of agency submissions, but doesn't really change much for each individual agency. OMB is just requiring a different reporting channel and adding some benchmarking questions and adding potential on-site interviews - all in addition to the usual Office of Inspector General audits each agency will still go through. This is just another OMB unfunded mandate that most agencies that don't have budgets the size of NASA's will struggle to meet.
(Paller): After more than 12 years of terrible oversight by the lower-level security staffers at OMB, it's reasonable that John and others might think this is just another unfunded mandate by OMB. But that characterization would be wrong. The NASA innovation is the breath of fresh air that every CIO and every major program manager in government has been (secretly) hoping for. They had to be secretive, because the security underlings at OMB would bite their heads off if they expressed aloud their concern with the waste OMB's policies and NIST's documents were forcing on them. Vivek Kundra and Howard Schmidt (CIO and Cyber Coordinator for the U.S., respectively) have worked wonders enabling the agencies to move money away from the waste and to make rapid risk reduction possible. This is a fully funded mandate to implement the State Department's near real time (updated every 36-hours) security monitoring innovation. State proved that risk, reliably measured, can be reduced across the globe, by more than 90%, using the system. Rapid implementation of the State Department innovation (using money freed up by the NASA innovation) will finally allow the federal government to lead by example in showing how effective security can be implemented. And it is spreading. Three large US agencies and four companies in the Defense Industrial Base have already moved definitively to adopt the State Department iPost system. It's time for celebration! ]
DHS Supports NASA Transformation (May 20, 2010)
Matt Coose, the Director of Federal Network Security at DHS (and the person to whom OMB's Vivek Kundra delegated primary responsibility for FISMA compliance measurement and enforcement), reinforced NASA's decision to move money from out-of-date three-ring-binder production to continuous (every 36 hours at most) automated monitoring, as the US State Department is doing. Said Coose, "Other agencies should follow their lead and many are."
Microsoft Program Will Share Early Vulnerability Info With Governments (May 19, 2010)
Microsoft plans to pilot a program with national governments around the world that will provide some organizations with technical details of security flaws before patches are made available. The Defensive Information Sharing Program (DISP) is aimed at helping protect critical infrastructure. The program will begin this summer, with a full-scale launch planned for later in the year. The goal of giving governments more lead time is to allow the organizations to prioritize their actions. Microsoft also has another government program in the works; the Critical Infrastructure Partner Program will share information with governments about security policy to help protect critical infrastructure.
[Editor's Note (Paller): This is a good thing if you assume that none of the governments around the world that get the early information have malicious interests and that they would not use the early data for quick-hit penetrations of sensitive sites. That's a bad assumption. ]
German Authorities Launch Investigation Into Google Wi-Fi Data-Gathering (May 19 & 20, 2010)
The Google data-gathering issue is gaining widespread attention. Google has acknowledged that it inadvertently gathered personal information, including scraps of websites and personal email messages, from unprotected Wi-Fi networks while gathering images for Google Street View. German prosecutors have opened an investigation into Google's collection of data from Wi-Fi networks, and German officials have asked that Google turn over a hard drive containing some of the data. Google has said it will destroy the data. US legislators are also questioning the legality of Google's data collection and have asked the Federal Trade Commission (FTC) to investigate. France and Italy are launching investigations as well. The Irish Data Protection Commissioner requested that data gathered there be destroyed, and Google has complied. The UK Information Commissioner's Office (ICO) has asked Google to delete the data it collected there and declined to launch an investigation, although there are groups pushing for the data to be retained for an investigation.
[Editor's Note (Pescatore): Good to see the FTC investigate this. They have been using existing laws for years to go after private industry abuses of privacy and have quietly been very effective - without needing new laws or regulations. I'd like to see them proactively do this to all the companies like Google that sell advertising around other people's information. ]
THE REST OF THE WEEK'S NEWS
Keystroke Logger Spreading Through Twitter (May 20, 2010)
Malware spreading through zombie Twitter accounts installs a keystroke-logging Trojan horse program on users' systems. In some cases, the link that people receive claims to be the Twitter iPhone app; there are also reports of a tagline about "the funniest video I've ever seen." The link has received more than 1,630 clicks. The malware also disables Windows Task Manager, regedit, and Windows Security Center notifications.
[Editor's Note (Pescatore): The generic title for this kind of news piece is "Malware Will Spread Through Every Web Site Users Ever Visit." The only change is which web site is popular - Twitter is really just a really popular web site. If you don't have in-bound malware filtering between your users (including mobile users) and the web then you are at risk.
(Paller): Some products that have shown strong performance in blocking web malware include M86, McAfee and Zscaler, in alphabetical order. ]
Judge Shuts Down Cyber Crime-Friendly ISP (May 19 & 20, 2010)
US District Judge Ronald M. Whyte has ordered California-based ISP 3FN.net, also known as Pricewert, shuttered. The company was also ordered to liquidate all its assets and forfeit at least US $1 million in ill-gotten profits. The permanent shutdown order follows a temporary restraining order issued last June that froze the company's assets and ordered its upstream providers to sever service. The case began with a Federal Trade Commission (FTC) complaint against 3FN that describes the company as providing "a safe haven for some of the Internet's most objectionable content." The complaint included logs from NASA servers that showed attacks coming from IP addresses under 3FN's control.
Vulnerability in 64-bit Windows 7 (May 18 & 19, 2010)
Microsoft is warning users of a flaw in 64-bit versions of Windows 7 and in Windows Server 2008 R2, including the Itanium-based edition. The vulnerability in the Canonical Display Driver (CDD) is due to improperly parsed information when data is copied from user mode to kernel mode. A Microsoft spokesperson said the most likely attack scenario would simply cause vulnerable computers to stop responding and restart, although it could conceivably be exploited to allow remote code execution. The flaw affects only systems with the Aero theme enabled; Aero is the default graphical user interface in most editions of Windows 7. Microsoft plans to issue a patch for the vulnerability, but did not say when that patch would be available. Until the patch is released, users are urged to disable Aero.
Apple Updates Java for OS X (May 18 & 19, 2010)
Apple has issued Java updates for Mac OS X versions 10.5 and 10.6. The update for Mac OS X 10.6 installs Java version 1.6.0_20; the update for OS X 10.5 installs Java version 1.5.0_24. Users need to be running OS X 10.5.8 or OS X 10.6.3 or later to apply the update; users running older versions of the OS will need to update the OS before the Java updates can be installed. Among the vulnerabilities fixed in the updates are several arbitrary code execution flaws and vulnerabilities that allow untrusted Java applets to execute when users visit specially crafted pages; the applets execute with the user's privilege level.
[Editor's Note (Ranum): It strikes me as weird that Apple is posturing about Flash being inefficient and full of bugs, when they support Java ]
Facebook Fixes Data Exposure Flaw (May 18 & 19, 2010)
Facebook has fixed a cross-site request forgery (CSRF) vulnerability that disclosed certain profile information, including birthdates, even when it had been marked private. Attackers could exploit the flaw by enticing users to click on a specially crafted link while logged into Facebook; the attackers would then be able to read and alter the users' profile pages. Although Facebook says the issue has been fixed, the researcher who reported the flaw says there are still ways to exploit it. The problem lies in the way Facebook checks that the browser requesting an action, for instance "liking" a page, is actually the one through which the account is logged in. If a small piece of the request is removed, Facebook skips the check entirely and allows the action.
[Editor's Note (Pescatore): But did Facebook fix the flaws in the software development cycle that allowed vulnerable web software to be running on their site? Probably more importantly, given that Facebook's CEO has claimed to be having internal meetings to emphasize privacy, has Facebook fixed flaws in their business model to value user privacy as much as advertising revenue? ]
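The pattern described above, a server-side anti-CSRF check that is skipped whenever the expected field is simply absent from the request, is easy to reproduce and easy to get wrong. The following Python is an added example written for this issue; it is not Facebook's code, and the session token value, the field name csrf_token and the request shapes are all assumptions made for the example. It puts the fail-open check beside a fail-closed one and runs three constructed requests through each: a legitimate one, a forgery carrying a guessed token, and a forgery with the token field left out.

```python
import hmac

# Constructed sample session token: assumed to have been issued to the user at
# login and bound to that user's session. Not a real Facebook value.
SESSION_TOKEN = "a3f1c9e0b7d2"


def fail_open_check(request_form: dict, session_token: str) -> bool:
    """Vulnerable pattern: the token is only compared if the client sent one.

    A forged request that omits the csrf_token field never reaches the
    comparison and is allowed through.
    """
    token = request_form.get("csrf_token")
    if token is not None and token != session_token:
        return False
    return True


def fail_closed_check(request_form: dict, session_token: str) -> bool:
    """Hardened pattern: the field is mandatory, must be a non-empty string,
    and is compared in constant time so the check cannot be timed."""
    token = request_form.get("csrf_token")
    if not isinstance(token, str) or not token:
        return False
    return hmac.compare_digest(token, session_token)


# Constructed requests (assumed field names): a legitimate "like", a forgery
# with a guessed token, and a forgery with the token field removed entirely.
LEGIT = {"action": "like", "page_id": "42", "csrf_token": SESSION_TOKEN}
FORGED_WRONG_TOKEN = {"action": "like", "page_id": "42", "csrf_token": "guess"}
FORGED_NO_TOKEN = {"action": "like", "page_id": "42"}


def evaluate(check) -> dict:
    """Run one checker over the three requests; True means the action is allowed."""
    return {
        "legit": check(LEGIT, SESSION_TOKEN),
        "wrong_token": check(FORGED_WRONG_TOKEN, SESSION_TOKEN),
        "no_token": check(FORGED_NO_TOKEN, SESSION_TOKEN),
    }


if __name__ == "__main__":
    print("fail-open:  ", evaluate(fail_open_check))
    print("fail-closed:", evaluate(fail_closed_check))
```

The difference between the two checkers is a single branch: the vulnerable one treats "no token" as "nothing to verify", the hardened one treats it as a failed verification. When reviewing a CSRF defence, the case to test is the request with the token field deleted, not just the one with a wrong value.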
Heartland Settles With MasterCard Over Data Breach (May 19 & 20, 2010)
Heartland Payment Systems has reached a provisional agreement with MasterCard regarding a massive data security breach in 2008 that compromised payment card data. The proposed deal makes up to US $41.1 million available to MasterCard issuers who lost money because of the data theft. The settlement will become official if institutions representing 80 percent of affected accounts accept it by June 25, 2010. Heartland has already reached deals with American Express and Visa. The Heartland breach was one in a string of similar attacks masterminded by Albert Gonzalez, who has been sentenced to 20 years in prison.
Text of Proposed Settlement:
Underground Cyber Crime Forum Data Stolen (May 18 & 19, 2010)
An online forum where criminals trade stolen financial account information has been attacked and its data stolen. At least three files now being traded on a public site contain information stolen from Carders.cc, the German underground forum, including communications between members. Ironically, a poorly configured server allowed the attackers to steal information from the group's database. The culprits appear to be members of a group that says it wants to expose the forum's illegal activity.
Dutch Transit Site Offline After Vulnerabilities are Demonstrated (May 18, 2010)
A Dutch transit website has been taken offline after authorities were presented with evidence of a demonstration attack that gave access to the personal information of 168,000 passengers. The website, Ervaar het OV (Experience the OV), was designed to make it easier for riders to use the transportation systems through smart cards, coupons and promotions. The attack was a SQL injection, the same class of attack used to break into Heartland Payment Systems' and other companies' networks to steal payment card information.
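To show what the attack class named above actually does, here is an added example in Python; it is not code from the Ervaar het OV site or from any of the companies mentioned. It builds a constructed in-memory SQLite table of passenger records (the table, column names, rows and payload are all assumptions made for the example), then performs the same lookup twice: once with the card identifier concatenated into the SQL text, once with it bound as a parameter.

```python
import sqlite3

# Constructed rows standing in for a passenger database; not real data.
ROWS = [
    ("card-0001", "Alice Example", "alice@example.org"),
    ("card-0002", "Bob Example", "bob@example.org"),
    ("card-0003", "Carol Example", "carol@example.org"),
]


def make_db() -> sqlite3.Connection:
    """Create a fresh in-memory database with the constructed table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE passengers (card_id TEXT, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO passengers VALUES (?, ?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, card_id: str) -> list:
    """Builds the query by string concatenation: the input becomes SQL."""
    sql = ("SELECT card_id, name, email FROM passengers WHERE card_id = '"
           + card_id + "'")
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, card_id: str) -> list:
    """Binds the input as a parameter: it can never change the query's shape."""
    sql = "SELECT card_id, name, email FROM passengers WHERE card_id = ?"
    return conn.execute(sql, (card_id,)).fetchall()


# A classic tautology payload: 'x' matches no card, the OR clause matches every
# row, and the trailing comment swallows the closing quote the code appends.
PAYLOAD = "x' OR '1'='1' --"


def compare(card_id: str) -> tuple:
    """Return (rows from the vulnerable lookup, rows from the parameterized one)."""
    conn = make_db()
    try:
        return (len(lookup_vulnerable(conn, card_id)),
                len(lookup_parameterized(conn, card_id)))
    finally:
        conn.close()


if __name__ == "__main__":
    print("honest lookup  (vulnerable, parameterized):", compare("card-0002"))
    print("payload lookup (vulnerable, parameterized):", compare(PAYLOAD))
```

Against an honest card identifier both lookups return one row. Against the payload the concatenated query returns the entire table, which is how a single input field on a public site yields every passenger record behind it, while the parameterized query returns nothing because the payload is compared literally as a card identifier. Parameterization closes the injection; it does not by itself limit how much data the application account is allowed to read, so least-privilege database credentials remain the second line of defence.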
EXTRA: Five Ways to Keep Online Criminals at Bay: A Security Gift to Send On
If you have family and friends who might benefit from some security guidance, you might share this New York Times article with them. It steers clear of jargon while offering concrete advice about how to manage each of the issues.
EXTRA: Feedback on Secure Transfer Techniques from Stephen Northcutt
In our last edition (issue 39) we carried a story about employees at federal agencies using insecure methods to transfer information and asked for your feedback, especially pointers to studies that might help. Stephen Northcutt has summarized the responses received in time for this edition below:
"'Nudge: Improving Decisions about Health, Wealth, and Happiness' by Thaler and Sunstein. Although it does not directly address the issue of encryption, it provides a study of behavioral economics that seems to apply here. In short, people don't encrypt because the default is not to encrypt."
I have read nudge and it is a good book. My biggest take away is that for someone to change they have to believe there is a substantial benefit and that they can change. As security professionals, system designers and developers, we have a responsibility to incorporate choice architecture into our work. By default, expect people to take the path of least resistance and also expect and build for error. So if SSH and FTP are both available and a user is familiar with FTP, what will they use? Our systems need to give feedback, if you hold down a key too long a system might beep at you, if we *have* to make FTP available, perhaps executing the program could stimulate some type of potentially unsafe warning. Is there anything we can do to help users understand the risks of not using encryption? Probably the best thing we can do is make it more complex to use the wrong tool than the right tool. You can use FTP if you need to, but you have to provide a fully qualified pathname to the executable. And of course there is the idea of incentives for doing the right thing. If everyone in a department is using FTP instead of SSH but one person, give that person the parking slot closest to the building and an appropriate title.
Several people wrote in saying the reason they do not use GPG/PGP is that the interface is not as friendly as it could be. The biggest horror story was: "[Aside: the reason this isn't encrypted is that last week I installed a beta version of NOD32 for Mac and it hung my machine, which uses FileVault on my main account. Having been here before, I restarted the machine and logged into my non-FileVault account and uninstalled it. But when I came back to my main account Mail had lost all its customisations and I have not been able to get GPGMail going again. Time to make a full backup and reinstall I think, sigh....]"
Two fairly awesome links to papers and projects related to this are:
Which has the paper Why Johnny Can't Encrypt and
Other points that people made are that sometimes the manufacturer only supports FTP, and they listed several examples. Finally, one reader points out that the user might be using SFTP and think they are using FTP. Thank you very much for your thoughts, and if you find other studies or useful bits of information I would love to hear from you, Stephen@sans.edu.
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.
Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/