SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XII - Issue #80
October 08, 2010
At least three stories this week lead to the same conclusion - that security teams need to become skilled in ensuring any hardware and software developed or purchased by their organization does not pose unacceptable cyber risk. The best first step for security officers is to establish a secure development and procurement program in partnership with your developers and your acquisition people. Hundreds of organizations are making good progress on secure development - though many have gone down the dead end of "security awareness for developers" (doesn't work). As far as we know, Cisco has the best model for secure development, but we are looking for other models to share with the community. (email@example.com) You can help ensure your programmers have the needed skills using these courses described at
- Secure Coding in Java/JEE: Developing Defensible Applications
- Secure Coding in .NET: Developing Defensible Applications
- Defending Web Applications Security Essentials
- Essential Secure Coding in Java/JEE
- Essential Secure Coding in ASP.NET
Some good news: A DHS-funded research program will soon publish a report showing how to score software on its security status.
TOP OF THE NEWS
Microsoft's Scott Charney Proposes Public Health Model for PC Protection
DC Suspends Online Voting System After Security Breach
Stuxnet Refocuses Attention on SCADA Security
UK Man Jailed for Refusing to Surrender Password
THE REST OF THE WEEK'S NEWS
Microsoft to Fix 49 Flaws on October 11
GAO: White House Slow to Implement Cyber Policy Review Recommendations
Former Fannie Mae Contract Worker Convicted of Planting Malicious Code on Servers
Akamai Employee Convicted of Trying to Sell Data to Foreign Government
Aldi Grocery Store Skimmer Scheme Hits Stores Near 10 Large US Cities
Russian Authorities Detain Bank Fraud Suspect
Adobe Security Updates for Reader and Acrobat Fixes 23 Vulnerabilities
Researcher Demoted After Medical Data are Compromised
******************** Sponsored By Sourcefire, Inc. ********************
Free Next Gen IPS Analyst Briefing
Key industry analysts are saying that the future of information security is context aware and adaptive. What does that mean to you? What should you be considering as you replace your static security infrastructure? Why is it important to have application, identity, and content awareness? Find out in a free research briefing. http://www.sans.org/info/65503 *************************************************************************
New "Combating Malware in the Enterprise" course at SANS (SEC569). How do you fight off malware when you have thousands of hosts? Course debut in Las Vegas (Sept'10) and Washington DC (Dec'10):
-- SOS: SANS October Singapore, October 4-11, 2010 7 courses
-- SANS Chicago 2010, Skokie, Illinois, October 25-30, 2010 6 courses. Bonus evening presentations include Weaponizing LISP: Advancing the Art of Network Security and Examining the Global Underground of Malicious Actors
-- SANS San Francisco 2010, November 5-12, 2010 7 courses. Bonus evening presentations include Weaponizing LISP: Advancing the Art of Network Security
-- SANS London 2010, November 27-December 6, 2010 14 courses. Bonus evening presentations include Latest Advances in Computer Forensics and Continuous Vulnerability Testing and Remediation: The 20 Critical Security Controls Perspective
-- SANS Cyber Defense Initiative 2010, Washington DC, December 10-17, 2010 24 courses. Bonus evening presentations include Browser Based Defenses; Continuous Vulnerability Testing and Remediation: the 20 Critical Security Controls Perspective; and Cyberwar or Business as Usual? The State of US Federal CyberSecurity Efforts
-- SANS Security East 2011, New Orleans, LA, January 20-27, 2011 12 courses. Bonus evening presentations and special events include Happy Little Clouds: Governing, Assessing and Auditing Cloud Environments and Future Trends in Network Security
-- Looking for training in your own community? http://sans.org/community/ Save on On-Demand training (30 full courses) - See samples at
Plus Dubai, Geneva, Bangalore, San Antonio and Sydney all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php *********************************************************************
TOP OF THE NEWS
Microsoft's Scott Charney Proposes Public Health Model for PC Protection (October 6 & 7, 2010)
Microsoft's Corporate VP of Trustworthy Computing Scott Charney has published a report suggesting a plan that would prevent PCs infected with bot software from connecting to the internet. Comparing the proposal to "public health measures like vaccinations and quarantines," Charney called his idea "collective defense." The idea calls for issuing PCs health certificates that provide information about how up to date their patches are, whether they are running security software and whether they are free of malware. Quarantine would be a last step after patching machines and updating antivirus programs. Critics have enumerated the proposal's problems, including the possibility of abuse of information.
[Editor's Note (Pescatore): The health model is a very backwards looking approach. Mandatory vaccinations work fine against threats that are static, not against threats that change constantly - such as we've seen with the flu over the past several years. The use of Network Access Control processes by enterprises and even ISPs to continually monitor the security status of endpoints (which for today's world of targeted threats has more important parameters than presence of patches and security software) is a good thing - but the public health model would be like, in 2011, mandating protection against threats like Slammer and Blaster that were hitting in 2003. Better to focus public policy on incenting technology suppliers to build and sell safer products. ]
DC Suspends Online Voting System After Security Breach (October 5 & 6, 2010)
The Washington, D.C. Board of Elections and Ethics has put on hold a system that would allow voters overseas to cast their ballots over the Internet. The Board believed the Digital Vote by Mail system to be secure and challenged hackers to test its security. A University of Michigan student found holes in the program and altered the system so it played the school's fight song when a vote was cast. To make such changes, the intruders must have gained complete control of the system. The system appears to have stored a database username, password and encryption key on a vulnerable server.
[Editor's Note (Pescatore): When you find one termite, there are invariably swarms of them inside rotting wood. Perhaps a better strategy might be to require professional security testing of software as part of the acceptance criteria before you buy online voting software? ]
Stuxnet Refocuses Attention on SCADA Security (October 6 & 7, 2010)
The Stuxnet SCADA worm has refocused attention on the security of the systems that control elements of the world's critical infrastructure. An audit of the Australian State of Victoria's public water facilities found a high risk of unauthorized access and noted that operators did not have "effective processes to manage the risk to their infrastructure control systems." In a separate story, Mark Weatherford, chief security officer at the North American Electric Reliability Corp. (NERC), says the industry needs to demand more secure software.
[Editor's Note (Schultz): Mark Weatherford is 100 percent correct. Until the power industry demands better quality software, the bug-ridden software that this industry currently uses will continue to be the way it is.
(Honan): Stuxnet has marked a watershed in malware development. Not only because it targeted SCADA systems but it demonstrates and provides a very effective blueprint for future malware development. This report unfortunately could be replicated throughout many other SCADA operators and I recommend that you read it as there are many lessons to be learned from it. To add to your weekend reading list, ENISA (the European Network and Information Security Agency) has also produced an excellent analysis of Stuxnet which is available at
UK Man Jailed for Refusing to Surrender Password (October 5 & 6, 2010)
A 19-year-old man has been sentenced to four months detention for refusing to surrender the password necessary to decrypt content on his computer. Oliver Drage was found guilty of violating the Regulation of Investigatory Powers Act (RIPA) for refusing to provide police with a password that would allow them to access allegedly illegal content on his computer. Drage was arrested in 2009 as part of an investigation into images of child sexual abuse.
THE REST OF THE WEEK'S NEWS
Microsoft to Fix 49 Flaws on October 11 (October 7, 2010)
Microsoft plans to issue 16 security bulletins on Tuesday, October 12 to fix a total of 49 flaws. Four of the bulletins are rated critical, 10 are rated important and the remaining two are rated moderate. The vulnerabilities addressed in the bulletins affect Microsoft Windows, Internet Explorer, Microsoft Server Software and Microsoft Office.
GAO: White House Slow to Implement Cyber Policy Review Recommendations (October 6 & 7, 2010)
A report from the Government Accountability Office (GAO) says that the White House has fully implemented just two of the 24 recommendations made in the National Cyber Policy Review released in May 2009. The report acknowledges that the administration has partially implemented the remaining 22 recommendations, and suggests that the reason for the delay is the seven months it took to fill the post of national cyber security coordinator. Agency officials indicate that the incomplete implementation is due in part to "not [having been] assigned roles and responsibilities with regard to implementation." The report recommends that the Special Assistant to the President and the Cybersecurity Coordinator designate roles and responsibilities for each of the recommendations and also develop milestones and plans for the recommendations that are not already in place.
Former Fannie Mae Contract Worker Convicted of Planting Malicious Code on Servers (October 7, 2010)
A federal jury has convicted Rajendrasinh Babubhai Makwana of computer intrusion for installing malware on Federal National Mortgage Association (Fannie Mae) computers while he was employed at the organization as a computer programmer. Makwana was a contract UNIX engineer at Fannie Mae for three years and had access to Fannie Mae's nearly 5,000 servers. He was fired on October 24, 2008; several days later, a senior engineer discovered the malware, which was installed on October 24 and programmed to execute on January 31, 2009. The malware was found embedded in a routine that executes on all Fannie Mae servers every morning; it was designed to destroy data. Makwana was linked to the malware through network logs.
Akamai Employee Convicted of Trying to Sell Data to Foreign Government (October 6 & 7, 2010)
Akamai Technologies employee Elliot Doxer has been arrested for allegedly attempting to hand information to someone he believed was a representative of an unnamed foreign government. Doxer had been charged with wire fraud. Doxer worked in Akamai's finance department and in June 2006, he allegedly contacted the Boston consulate of the foreign country by email, offering invoice and contact information of Akamai customers. The consulate contacted US authorities, which then set up a sting operation involving a dead drop, which Doxer used more than 60 times.
[Editor's Note (Pescatore): Another example of why cloud services operators need to do a much better job of super user privilege management *and* do a much, much better job of making their practices in this area transparent to those evaluating cloud services. ]
Aldi Grocery Store Skimmer Scheme Hits Stores Near 10 Large US Cities (October 6 & 7, 2010)
An Illinois company, Aldi, that operates 1,100 grocery stores in 31 US states said that between June and August, cyber thieves used skimmers to steal payment card information from customers. The attacks appear to have affected payment terminals at stores in 11 states. More than 1,000 people in the Chicago area have reported fraudulent transactions on payment cards that can be traced to the Aldi skimmers. The affected stores are close to 10 large cities, suggesting a coordinated scheme. Skimming operations have usually been local because they are so labor intensive. Fraudulent ATM withdrawals made on the compromised payment cards were made in California, Ohio and Illinois. There is speculation that Aldi was targeted because the "no-frills" grocery stores have few employees.
Russian Authorities Detain Bank Fraud Suspect (October 5 & 6, 2010)
Russian authorities have detained a Ukrainian man who is believed to be the ringleader of a group that manufactured fake payment cards and identification documents. The group reportedly stole more than US $660,000 from credit organizations and banks during the first half of 2010. It is not clear if the activity is related to the string of arrests and charges made in connection with the ZeuS Trojan horse program in Ukraine, the UK and the US.
Adobe Security Updates for Reader and Acrobat Fixes 23 Vulnerabilities (October 5 & 6, 2010)
Adobe has issued security updates for Reader and Acrobat to fix 23 vulnerabilities, most rated critical. Attackers have been actively exploiting one of the flaws for at least a month. The patches were scheduled to be released on Tuesday, October 12, but Adobe sped up their release because of the seriousness of the flaw being exploited. In September, Adobe issued an out-of-band patch for one of the critical flaws in stand-alone versions of Flash Player. That flaw exists in Reader and Acrobat and was fixed in this release, but Adobe is not aware that the flaw is being exploited in either of those products. The flaws affect Adobe Reader and Acrobat versions 9.3.4 and earlier for Windows, Mac OS X and UNIX. Adobe's next update for Reader and Acrobat is scheduled for February 8, 2011.
Researcher Demoted After Medical Data are Compromised (October 5, 2010)
After the discovery of a data security breach that compromised the privacy of 180,000 women who had submitted information to the Carolina Mammography Registry, the University of North Carolina at Chapel Hill demoted the lead investigator in the research program. Bonnie C. Yankaskas maintains that she is being made a scapegoat, and that the university is responsible for the vulnerabilities the attackers exploited. The university maintains Yankaskas is responsible for the security issues because she is the study's principal investigator.
[Editor's Note (Schultz): I'm not in favor of scapegoating, but at the same time, little progress in preventing data security breaches is going to be made until individuals are held responsible for data with which they are entrusted. ]
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.
Rohit Dhamankar is a security professional currently involved in independent security research.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Mark Weatherford, CISSP, CISM, is Chief Information Security Officer at the North American Energy Reliability Commission (NERC).
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/