SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XII - Issue #62
August 06, 2010
If you didn't complete the security salary survey yet, please do
it today or Monday (it takes 5 minutes). A valid survey is useful if
you want to have a productive conversation with your employer about
salaries. You get the survey results if you participate. It's at
Speaking of salaries and jobs, the easiest way to become a security
hero is to be the person who brings continuous security monitoring
to your organization. The government is leading the way. At this
point all but three federal agencies are making good progress in
planning and implementing continuous monitoring, and at least two
major system integrators have shifted smartly from writing C&A reports
to helping implement the new technologies. That makes them part of
the solution. Strong support has also coalesced in both the House and
Senate, and the shift that OMB and DHS are already making looks like it
will be codified in law when the Senate and House come together on the
new cyber bill. Sadly, a few false claims are still circulating. The
latest is that continuous monitoring actually cost more to implement
than the reporting it replaced. Even if it did, it would be worth
it, but the reality is that it cost less than 7% of the cost of the
reports it replaced - at least at the U.S. State Department.
TOP OF THE NEWS
RBS Fined for Lax IT Governance
Security Checkpoint Body Scanner Images are Being Stored
RIM Stands Firm in Face of Governments' Demands for Monitoring Capabilities
THE REST OF THE WEEK'S NEWS
Microsoft to Issue 14 Security Bulletins on August 10
FCC Ends Net Neutrality Talks With Companies
Adobe Working on Fix for Critical Flaw in Reader and Acrobat
Apple Will Fix iPhone PDF Flaw (Apple Has Yet To Fix The iPhone Flaw)
DHS Deploying Cyber Security Teams to Power Plants
Year-Old Version of Stuxnet Identified
Six Arrested in Connection with Phishing Scheme
********************* SPONSORED BY SANS **************************
The SANS PCI Compliance Summit being held this September in Las Vegas is the premier event for getting real-world information on what works and what doesn't when it comes to compliance with the PCI/DSS. Especially with the update due this August and recent deadlines for compliance with certain aspects of the standard, it's our responsibility as PCI implementers to make sure that we've done everything required to make our organizations compliant.
TRAINING UPDATE - - -- SANS Virginia Beach 2010, August 27-September 3, 2010 9 courses. Bonus evening presentations include Future Trends in Network Security; Hack Back! The Advanced Persistent Threat; and Securing the Human.
- - -- SANS Network Security 2010, Las Vegas, September 19-27, 2010 40 courses. Bonus evening presentations include The Return of Command Line Kung Fu and Cyberwar or Business as Usual? The State of US Federal CyberSecurity Initiatives
- - -- SOS: SANS October Singapore, October 4-11, 2010 7 courses
- - -- SANS Chicago 2010, Skokie, Illinois, October 25-30, 2010 7 courses. Bonus evening presentations include Weaponizing LISP: Advancing the Art of Network Security
- - -- Looking for training in your own community?
Save on On-Demand training (30 full courses) - See samples at
Plus Washington DC, Portland, London, Dubai and Bangalore all in the next 90 days. For a list of all upcoming events, on-line and live:
TOP OF THE NEWS
RBS Fined for Lax IT Governance (August 5, 2010)
The Royal Bank of Scotland (RBS) has been slapped with a GBP 5.6 million (US $8.9 million) fine for negligent IT governance. RBS implemented an IT system in 2006 to screen cross-border transactions, but the bank has not tested the system for accuracy since its inception. Over a two year period, the system in question missed all incoming payments from a foreign source as well as the majority of outgoing payments except for those headed for the US.
[Editor's Note (Schultz): Lack of governance is being taken increasingly seriously in regulatory circles. Unfortunately, suitable information security governance is rare among information security practices.
(Paller): My take is that organizations rarely get the operational people engaged in programs they consider to be "for compliance." Without operational ownership, verification is either rare or non-existent. That's one of the central reasons that the shift to continuous monitoring is so important for security - it is a partnership between security/compliance people and operations people. ]
Security Checkpoint Body Scanner Images are Being Stored (August 4, 2010)
Images of body scans taken at US airports, courthouses and other high-security environments have been saved in some cases, despite assurances from the Transportation Security Administration (TSA) that the images "cannot be stored or recorded." The TSA at one point admitted that it requires the machines to be able to store and transmit the images, but said the capability was not enabled by default. The story came to light through evidence obtained by the Electronic Privacy Information Center (EPIC) under the Freedom of Information Act (FOIA). The US Marshals Service said it had saved tens of thousands of scanned images from a millimeter wave device at a checkpoint in a Florida courthouse. A machine tested at a Washington, DC federal courthouse was later returned to the manufacturer, which now is in possession of the stored images.
RIM Stands Firm in Face of Governments' Demands for Monitoring Capabilities (August 3, 4 & 5, 2010)
Saudi Arabia has ordered mobile service providers in that country to stop service to BlackBerry devices as of August 5 because the practices of BlackBerry's parent company, Research in Motion (RIM), do not comply with Saudi Arabia's regulations. A RIM executive said the company would not bow to governmental pressure, and that allowing governments to access BlackBerry communications could damage its relationship with other customers. Earlier this week, the United Arab Emirates (UAE) announced that due to security concerns, BlackBerry services would be blocked there as of October 11 unless the issues get ironed out. Indonesia is also pushing for RIM to allow government monitoring of communications. The country wants RIM to put a server in Indonesia so it can monitor domestic communications. RIM processes and stores BlackBerry data on servers in Canada. RIM co-CEO Michael Lazaridis said, "Everything on the Internet is encrypted. This is not a BlackBerry-only issue. If they can't deal with the Internet, they should shut it off."
[Editor's Note (Schultz): RIM is to Saudi Arabia as Google is to China. ]
**************************** SPONSORED LINKS **************************
(1) How has the threat to control systems changed during the last year? Who are the new attackers? What kind of damage have they already done? What can they do? Find answers to these questions and more at the: SANS 2010 European SCADA Security Summit.
(2) In case you missed it... Analyst Webcast: Measuring Network Performance, Security and Stability Under Hostile Conditions: SANS Network Security Survey Results
THE REST OF THE WEEK'S NEWS
Microsoft to Issue 14 Security Bulletins on August 10 (August 5, 2010)
On Tuesday, August 10, Microsoft will release 14 security bulletins to address a record-setting 34 vulnerabilities in Microsoft Windows, Internet Explorer, Microsoft Office and the Microsoft Silverlight development platform. Eight of the bulletins are rated critical; the other six are rated important. The flaws could be exploited to allow remote code execution or privilege elevation.
[Editor's Note (Skoudis): A record! How exciting. Actually... not. Does it feel to you like we're moving backwards here? It does to me. ]
FCC Ends Net Neutrality Talks With Companies (August 4 & 5, 2010)
The US Federal Communications Commission (FCC) has called an end to closed-door meetings on net neutrality with Verizon, AT&T, Google and Skype. The announcement comes as Google and Verizon have reportedly reached a side agreement that would allow some traffic prioritization on fixed wire networks and no prioritization on wireless networks. The FCC's closed-door meetings with the companies have elicited criticism because such important decisions are being made with so few players present.
[Editor's Note (Pescatore): Private peering is a well established, and very effective practice on the Internet. A "wisdom of the crowds" driven approach makes no sense at all, but may at least serve as a busy box while the real work gets done. ]
Adobe Working on Fix for Critical Flaw in Reader and Acrobat (August 4 & 5, 2010)
Adobe will release an out-of-cycle patch for a critical integer-overflow flaw in Reader and Acrobat. The arbitrary code execution flaw lies in the way the PDF viewer parses fonts. Adobe expects to release the patch the week of August 16. The flaw affects versions 9.3.3 and earlier of Reader for Windows, Mac and UNIX and versions 9.3.3 and earlier of Acrobat for Windows and Mac. An exploit being used to jailbreak the most recent iPhone exploits a similar flaw.
Apple Will Fix iPhone PDF Flaw (Apple Has Yet To Fix The iPhone Flaw) (August 5, 2010)
Apple will fix a security flaw in the newest iPhone software that can be exploited to access information stored on the device. The exploit could work by tricking users into visiting a website that contains a specially crafted PDF file. The vulnerability gained wide attention when it was used to jailbreak the devices, which allows owners to install applications that have not been approved by Apple. The fix has been developed and will be released "in an upcoming software update."
[Editor's Note (Pescatore): Hmm, more than a million gallons of oil spill ago, headlines were "BP Will Fix Oil Well Flaw." The headlines should only be "Apple Still Has Yet to Fix iPhone PDF Flaw."
(Skoudis): Apple needs to develop a patching process that actually, you know, *patches* software, rather than requiring us to download the entire OS every month or two. This was illustrated in that old SMS bug last year. Must we download 300 to 400 Megs for every fix?
(Liston): The "jailbreakme.com" site, by openly publicizing an unpatched vulnerability, has put millions of iPhone users at risk. While I certainly don't side with Apple on the whole "walled garden" aspect of the iPhone, and while I have a great deal of respect for the technical proficiency of the teams developing the tools to jailbreak the phones, I think that in this case they were very irresponsible. ]
DHS Deploying Cyber Security Teams to Power Plants (August 4, 2010)
The US Department of Homeland Security (DHS) is sending out teams of specialists to test cyber security at power plants. Four teams have already been put together; there are expected to be 10 in all. The teams are part of the Industrial Control Systems Computer Emergency Response Team (ICS CERT) that DHS has been building over the past year. The teams have conducted 50 assessments in the past year, and teams have been sent out to investigate 13 cyber incidents. Of those incidents, nine were cyber intrusions and four were attributed to operator error. Focus on the issue of cyber security at organizations responsible for elements of critical infrastructure has been heightened by the disclosure that several supervisory control and data acquisition (SCADA) systems have recently come under attack from the Stuxnet worm.
Year-Old Version of Stuxnet Identified (August 4, 2010)
Stuxnet, the worm used in the recent targeted attacks on SCADA systems around the world, was written more than a year ago, according to those investigating the malware. Stuxnet was not identified until mid-July, but an earlier version of the worm has now been identified. The newer version used in the recent attacks is more sophisticated. The worm's authors managed to obtain valid digital signatures for Stuxnet to help it evade detection.
[Editor's Note (Liston): "Situational Irony" is defined by Wikipedia as "describing a discrepancy between the expected result and actual results when enlivened by perverse appropriateness." I define it as "Authenticode-Signed Malware." ]
Six Arrested in Connection with Phishing Scheme (August 4, 2010)
Six people have been arrested in the UK and Ireland in connection with a phishing scam in which at least 20,000 financial accounts were compromised and more than GBP 358,000 (US $569,000) was stolen. The unnamed suspects were arrested on suspicion of conspiracy to commit online banking fraud and violations of the Computer Misuse Act.
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.
Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription (and for free posters), or to update a current subscription, visit