SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XII - Issue #45
June 08, 2010
Interesting question we got last night from the CIO of one of the largest financial institutions. He wrote: "Alan, do you know anyone who has deployed a lot of iPhones to their executives and technical people with access back into corporate systems, and have a technical security blanket that lets them sleep well at night?" If any NewsBites reader has an answer, please share (firstname.lastname@example.org) and tell us whether you want credit or anonymity.
TOP OF THE NEWSCyber Security Code for Australian ISPs
NATO Report Says Cyber Attack Could Justify Military Retaliation
Appeals Court Upholds Ruling Denying Damages in Data Exposure Case
Loss of Unencrypted USB Drive Constitutes Violation of Data Protection Act, Says ICO
THE REST OF THE WEEK'S NEWSCommission Will Issue Report on Expanding and Improving Cybersecurity Workforce
Australian Authorities Investigating Google's Wi-Fi Data Collection
Adobe Working on Fix for Critical Flaw in Flash, Reader and Acrobat
Malware Found in Some Windows Phone Apps
Minnesota Company Sues Man Who Tried to Sell Database of Customer Information
Two Indicted on Charges Stemming From Cisco Equipment Fraud
Insurance Company Denies Data Breach Claim
******************** Sponsored By SailPoint ****************************
LIVE WEBINAR: RETHINKING PROVISIONING IN 2010 AND BEYOND: Join SailPoint and Burton Group on June 10 to discuss the new compliance and business demands affecting the identity management landscape. You'll get a roadmap for provisioning success. And, you'll learn about new technology that gets you from here to there quickly. REGISTER NOW!
-- SANSFIRE 2010, Baltimore, June 6-14, 2010 36 courses. Bonus evening presentations include Software Security Street Fighting Style and The Verizon Data Breach Investigations Report
-- SANS Rocky Mountain 2010, Denver, July 12-17, 2010 8 courses. Bonus evening presentations include Hiding in Plain Sight: Forensic Techniques to Counter the Advanced Persistent Threat
-- SANS Boston 2010, August 2-8, 2010 11 courses. Special Events include Rapid Response Security Strategy Competition
-- SANS Virginia Beach 2010, August 29-September 3, 2010 9 courses
-- SANS Network Security 2010, Las Vegas, September 19-27, 2010 40 courses. Bonus evening presentations include The Return of Command Line Kung Fu and Cyberwar or Business as Usual? The State of US Federal CyberSecurity Initiatives
-- Looking for training in your own community? http://sans.org/community/
Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/spring09.php
Plus Amsterdam, Kuala Lumpur, Canberra and Portland all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
TOP OF THE NEWS
Cyber Security Code for Australian ISPs (June 7, 2010)The Australian government and the country's Internet Industry Association have drafted voluntary code of practice for Internet service providers and customers. Among other suggestions, the code recommends throttling of Internet connections of users whose computers are infected. The document includes recommendations for educating customers, detecting malicious activity, taking action against infected machines, and reporting to the Australian Federal Police and CERT Australia. Australian communications minister Stephen Conroy suggested that if ISPs did not voluntarily comply with the code, it might become mandatory.
Text of code:
[Editor's Note (Pescatore): There is a lot of goodness here and IIA (Internet Industry Association) has already put out similar anti-spam practices that Australian ISPs have to follow. However, a major weak spot is that it says ISPs have to do only one of 4 actions, and one of the four is simply more education of the end user. If they do that, they don't have to do any of the other three (detection, blocking, reporting.) I'd much rather see education be mandatory and at least one of the other three done in addition. US ISPs should take that approach and get out ahead of the Internet neutrality issue. ]
NATO Report Says Cyber Attack Could Justify Military Retaliation (June 6, 2010)A group of NATO experts said that cyber attacks against member nations could justify retaliation. "A large-scale attack on NATO's command and control systems or energy grids could possibly lead to collective defence measures under article 5," which asserts that an armed attack against one NATO country "shall be considered an attack against them all." NATO's next step is to determine the severity of an attack that would justify retaliation, how military force would be used in that retaliation, and what the targets would be. NATO lawyers do not believe existing treaties need to be rewritten because a cyber attack could conceivably have an effect much like a physical assault. The next step echoes US Cyber Command head General Keith Alexander's statement last week that there need to be "clear rules of engagement that say what we can stop."
Appeals Court Upholds Ruling Denying Damages in Data Exposure Case (June 4, 2010)The Ninth US Circuit Court of Appeals has ruled that a man whose personal information, including his Social Security number (SSN), was exposed by a third party has no legal standing to seek damages because he did not suffer materially as a result of the breach. Joel Ruiz had submitted the data as part of a job application. Vangent, the company that processed that application, was holding the data on a laptop that was stolen. The appeals court upheld a lower court ruling that "Ruiz had failed to establish sufficient appreciable, nonspeculative, present harm to sustain a negligence cause of action under California law."
Loss of Unencrypted USB Drive Constitutes Violation of Data Protection Act, Says ICO (June 4, 2010)The UK Information Commissioner's Office (ICO) has found a Welsh medical practice to be in violation of the Data Protection Act. A staff member at Lampeter Medical Practice downloaded unencrypted patient data to a USB drive; the device was then sent to the Health Boards Business Service Centre by post in March 2010, but the package never arrived. Downloading unencrypted data onto a removable storage device violates the practice's data security policy. The head of the practice has agreed to implement safeguards to ensure that a similar incident will not happen again. All mobile devices, including laptops, will be encrypted and staff members will be re-educated about the data security policy. The breach affected 8,000 patients.
**************************** Sponsored Links: **************************
1) Coffee Coaching: Start your day with a sip of coffee and a byte of technology - http://www.sans.org/info/60283
2) Download Athena's Free Firewall Rulebase Browser for a head-start on PCI compliance. Slice and dice any firewall-related question to save loads of time. http://www.sans.org/info/60288
3) Measuring network performance, security and stability under hostile conditions - Take our SANS Network Security Survey http://www.sans.org/info/60293
THE REST OF THE WEEK'S NEWS
Commission Will Issue Report on Expanding and Improving Cybersecurity Workforce (June 4 & 7, 2010)The Commission on Cybersecurity for the 44th Presidency plans to issue a report with recommendations for increasing the pool of skilled and qualified cyber security professionals in the federal government. The recommendations are expected to include ongoing training for contractors and government employees. The report will also recommend that the administration create a certification body to establish standards for testing cyber security skills. The Commission was established by the Center for Strategic and International Studies (CSIS).
Australian Authorities Investigating Google's Wi-Fi Data Collection (June 3 & 7, 2010)Australian Federal Police are investigating Google's inadvertent Wi-Fi data collection. At the request of the Federal Attorney-General, the police are attempting to determine if Google breached the Telecommunications Interception Act when it collected payload data from wireless networks while gathering images for its Street View feature. In a separate, related story, Google said late last week that it will start providing the data it collected to regulators in Germany, Spain and France. Until the announcement, Google had been reluctant to share the information, citing legal concerns. Google chairman and CEO Eric Schmidt said that the company would release the results of both internal and external audits of its data collection practices.
Adobe Working on Fix for Critical Flaw in Flash, Reader and Acrobat (June 5, 6 & 7, 2010)A critical zero-day flaw in Adobe Reader, Acrobat and Flash could allow attackers to take control of vulnerable computers. Adobe has acknowledged the problem and is developing a fix. There are reports that the flaw is being actively exploited in the wild. The flaw affects Flash Player version 10.0.45.2 and earlier, and the authplay.dll component of Adobe Acrobat and Adobe Reader 9.x for Windows, Mac, Linux and Solaris; version 8.x does not appear to be affected.
Malware Found in Some Windows Phone Apps (June 4 & 7, 2010)Certain Windows-based mobile phone applications distributed on up to nine download sites contain malware. The scammers appear to have copied and repackaged familiar applications with malware code embedded. The malware causes the infected phones to make calls to premium rate numbers around the world, so users are hit with surprise charges on their bills. Microsoft is investigating. The malware does not exploit flaws in Windows however; users are urged to be vigilant about the reliability of the sources from which they download applications.
[Editor's Note (Schultz): The problem here is by no means exclusive to the Microsoft mobile phone environment. Smartphone applications have for years been available to the user community, although little attention paid to security in them. ]
Minnesota Company Sues Man Who Tried to Sell Database of Customer Information (June 4, 2010)Minnesota e-commerce company Digital River is suing a New York man after a database of nearly 200,000 of its customers' sensitive information made its way into his hands. Eric Porat allegedly tried to sell the information to a Colorado direct marketing company for US $500,000. The company refused the offer, and when he persisted, the company contacted authorities. Porat claims to have obtained the information from India, but declined to provide details. Digital Rover's legal team believes that Porat "hacked the hacker."
Two Indicted on Charges Stemming From Cisco Equipment Fraud (June 2 & 4, 2010)Two men have been indicted for allegedly tricking Cisco into exchanging legitimate networking hardware for counterfeit hardware they produced. Robert Kendrick Chambliss and Iheanyi Frank Chinasa have each been charged with one count of "conspiring to commit mail fraud and nine counts of mail fraud." Chinasa allegedly manufactured the phony equipment, then one or the other of the men would contact Cisco to complain that they were having problems and Cisco would offer replacement parts. The pair allegedly defrauded Cisco of at least US $27 million worth of equipment.
Insurance Company Denies Data Breach Claim (June 4 & 7, 2010)A Colorado insurance company says it is not liable for a US $3.3 million claim made by Perpetual Storage regarding a data security breach. In June 2008, backup tapes containing information about 1.7 million patients from University of Utah hospitals were on their way to a Perpetual Storage facility when they were stolen from the car of one of Perpetual's employees. The university sought compensation from Perpetual Storage for costs it incurred as a result of the breach. At the time of the theft, Perpetual had a security breach insurance policy with Colorado Casualty Insurance Co. The insurance company's suit seeks a declaratory judgment that it is not liable for the costs. The missing tapes were recovered and appeared to be untouched; however, the university incurred costs associated with breach notification, credit monitoring and other issues. Perpetual has since changed its breach insurance provider.
[Editor's Note (Schultz): Information security professionals are taught that insuring against information security risk is one of the security risk management options available to organizations today. However, in more cases than not, insurers underpay or refuse altogether to pay when a incident such as the one in this news item occurs. In my mind, information security insurance is thus not a viable risk management option. ]
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.
Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/