SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume IX - Issue #39
May 15, 2007
The big changes coming in security appear to be creating a surge of demand for security professionals and auditors with stronger technical skills in intrusion detection, forensics, wireless security, penetration testing, secure configuration management, application security, technical security auditing and more. The only programs that provide authoritative training in these topics come from SANS. Here's where you can go to find training with SANS top instructors:
Brussels: SANS Secure Europe (6 courses): June 25-30
http://www.sans.org/brussels07/
Denver: Rocky Mountain SANS (14 courses): May 31-June 7
http://www.sans.org/rockymnt2007/
Washington DC, SANSFire 2007 (57 courses): July 25-August 3
http://www.sans.org/sansfire07/
TOP OF THE NEWS
Google Research Finds 10 Percent of Web Pages Hold MalwareProposed Legislation Would Make PCI Standard the Law in Texas
NIST Releases PRISMA Database
Visa Names Applications that Don't Meet Payment Application Best Practices
THE REST OF THE WEEK'S NEWS
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITYVA to Purchase Encrypted Flash Drives
DOD Blocks Employees' Access to Certain Websites
DHS Privacy Committee Expresses Reservations About Real ID
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
50th Conviction for DOJ Anti-Piracy Operation
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Cisco Warns of Flaws in FTP Server Component of IOS Server
Attackers Using BITS to Download Malware
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Pirate Bay User Data Stolen
Goshen College Acknowledges Computer Security Breach
INSIGHTS
Intrusion Detection Is Not Dead: But Is Changing
********************* Sponsored By Ounce Labs, Inc. *********************
How Can You Ensure Your Applications Are Secure?
Ounce Labs, the leader in software security assurance, allows customers to verify their critical data is secure. Our white paper, "The Path to a Secure Application," directly links source code vulnerabilities to data theft and non-compliance. Find out how to manage software risk across the enterprise and down to the line of code at
http://www.sans.org/info/7041
*************************************************************************
TOP OF THE NEWS
Google Research Finds 10 Percent of Web Pages Hold Malware (May 11, 2007)
According to research from Google, 10 percent of web pages contain malicious code. Google closely analyzed 4.5 million web pages over the course of a year and found that approximately ten percent, or 450,000, had the capability of installing malware without users' knowledge. An additional 700,000 pages are believed to be infected with code that could harm users' computers. The company says it has "started an effort to identify all web pages in the Internet that could be malicious." Most entice users to visit the dangerous pages through tempting offers, and exploit holes in Microsoft Internet Explorer (IE) to install themselves on users' computers. Google also examined the vectors used by attackers to infect these web pages; most malicious code was located in elements beyond the control of website owners, such as banner advertisements and widgets.-http://news.bbc.co.uk/2/hi/technology/6645895.stm
-http://www.usenix.org/events/hotbots07/tech/full_papers/provos/provos.pdf
[Editor's Note (Skoudis): This is a very good piece of research, and contributes significantly to our understanding the malware threat better. I recommend that you read it. Also, it shows that today's Internet is a cesspool of malware. Using mainstream browsers with patches that often follow weeks after exploits are in the wild is an increasingly dangerous proposition. ]
Proposed Legislation Would Make PCI Standard the Law in Texas (May 14, 2007)
Texas's House of Representatives has unanimously approved a measure that would make compliance with the Payment Card Industry (PCI) Data Security Standard a state law. HB 3222 would force companies that suffer a breach to reimburse banks and credit unions for costs incurred in blocking the use of compromised cards and issuing new ones if that business was not PCI compliant at the time of the breach. Companies that suffer breaches while in compliance would be protected under a safe harbor provision. The bill needs to win approval in the Texas Senate before it becomes law.-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9019361&source=rss_topic17
[Editor's Note (Schultz): This is a very interesting turn of events. I am confident that those who wrote the PCI-DSS standard never envisioned this happening. Although PCI-DSS is far from perfect, legally requiring conforming to it would nevertheless appreciably boost security within companies that issue credit cards.
(Pescatore): This sounds like a major mistake. Merchants already bear the brunt of the costs of credit card fraud and breaches - the card issuers and card associations are no way entitled to a free ride here. While the PCI process has many good elements, it also is in tremendous need of improvement in the actual levels of security mandated and especially in the governance of the assessments and compliance granting.
(Paller): PCI, despite its flaws, is a much, much more valid and reliable standard for protecting sensitive information than are NIST's standards. Multiple PCI auditors get the same answer and they are looking at the most important things. Neither can be said about FISMA auditors using NIST standards. If NIST recommended the PCI audit guide as an acceptable method of meeting the NIST standards, security in the US government would surge forward. The same is true of ISO standards. An improved version of the PCI audit guide (particularly including improvements recommended by John Pescatore) should be the audit guide for minimum acceptable behavior under the ISO standards. ]
NIST Releases PRISMA Database (May 7, 2007)
The National Institute of Standards and Technology (NIST) has released the Program Review for Information Security Management Assistance (PRISMA) database, which comprises NIST publication guidelines, federal IT security standards, best practices and Federal Information Security Management Act (FISMA) requirements. The database is designed to help agencies gather the data they need to conduct assessments of their IT security programs. NIST has also released "Guide to NIST Computer Security Documents," an index of its relevant publications, which allows users to search by topic cluster, by family, and by legal requirement.-http://www.gcn.com/print/26_10/44216-1.html
-http://prisma.nist.gov/
-http://csrc.nist.gov/publications/CSD_DocsGuide.pdf
[Editor's Note (Schultz): NIST deserves huge amounts of credit for all it has done to promote security through its many excellent publications and standards. It seems as if NIST is constantly coming out with very reasonable and well-written security-related publications and standards.
(Paller): The efforts NIST has made to document security are heroic and deserve hearty thanks from the whole community. NIST's security work has, however, one fatal flaw: its recommendations are not prioritized. Agencies are unanimous in concluding that they don't have enough money to fully implement even a substantial fraction of all NIST's recommendations. Lack of prioritization destroys the validity and reliability of its recommendations. As a result, NIST has become the principal reason that federal agencies are getting failing grades on FISMA (the Federal Information Security management Act), and also the principal reason that agencies are spending so much money on report writing rather than on actual security. PRISMA provides elegant proof of the problem NIST has caused. ]
Visa Names Applications that Don't Meet Payment Application Best Practices (May 13, 2007)
Visa USA Inc. has sent a letter to financial institutions that grant merchants approval to accept credit card transactions asking them to make sure companies stop using certain applications that do not comply with the Payment Applications Best Practices (PABP), a companion to the Payment Card Industry (PCI) Data Security Standard. PABP standards are presently voluntary, but Visa hopes eventually to make them part of the PCI requirements. The applications in question store sensitive card data, including PINs and card verification value numbers. The vendors whose products are named in the letter were informed before it was sent, and most have issued a patch or an upgrade to prevent their products from retaining the sensitive information. Visa hopes that by making public the products that do not comply with the PABP standards, software vendors will be more inclined to develop products that meet the requirements.-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=292347&source=rss_topic17
[Editor's Note (Grefer): (Grefer): While a list of non-compliant vendors is not yet available, a list of compliant vendors can be accessed at
-http://usa.visa.com/download/merchants/validated_payment_applications.pdf]
************************* Sponsored Links: *****************************
1) Stop the use of unauthorized USBs, iPods, and PDAs across your network with VolumeShield AntiCopy! http://www.sans.org/info/7046
2) Cenzic will find more "real" vulnerabilities and less false positives than SPI Dynamic or Watchfire http://www.sans.org/info/7051
*************************************************************************
THE REST OF THE WEEK'S NEWS
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
VA to Purchase Encrypted Flash Drives (May 14, 2007)
Last week, we ran a story about flash drives topping the list of security concerns for IT managers. On a related note, the US Department of Veterans Affairs will purchase 25,000 encrypted thumb drives to protect data and comply with an Office of Management and Budget (OMB) "mandate" requiring security measures for mobile data. In March, the VA indicated it plans to implement a policy requiring that employees use only approved flash drives that contain no more than 2G of data.-http://www.fcw.com/article97949-03-19-07-Print
-http://www.fcw.com/article102707-05-14-07-Web
[Editor's Note (Pesactore); Providing secure USB storage devices to your employees is a very good idea. However, it needs to be backed up with controls that assure *only* that device can be used on corporate PCs in order to be effective. (Ranum): Encrypting drives is not the whole answer. Knowing where the data is, who has access to it, why, and where it's being used is the answer. As long as the problem is treated as a technology issue (which it isn't) instead of a process, audit, and governance issue (which it is) no amount of knee-jerking will help. ]
DOD Blocks Employees' Access to Certain Websites (May 14, 2007)
Citing unnecessary consumption of resources and possible security risks, the US Department of Defense (DOD) will block employees' access to 13 websites, including MySpace and YouTube, as of May 14. Nearly 3 million individuals will be affected. Employees are also being asked to use caution and good judgment regarding data transmitted from home computers to work computers. Internet cafes used by soldiers are not affected by the ban.-http://www.cnn.com/2007/TECH/internet/05/14/military.sites.blocked.ap/index.html
-http://www.ctv.ca/servlet/ArticleNews/story/CTVNews/20070514/pentagon_internet_0
70514/20070514?hub=SciTech
[Editor's Note (Ullrich): About time. A non-technical friend who is working for a federal govt. agency told me that he usually doesn't worry about clicking on links because he is "sure that our computers are secure". Of particular note, MySpace has been used to launch attacks in the past. ]
DHS Privacy Committee Expresses Reservations About Real ID (May 11, 2007)
In responding to US Department of Homeland Security (DHS) draft regulations regarding the implementation of Real ID requirements, the DHS Data Privacy and Integrity Committee has expressed serious concerns about privacy, security and logistics. The Real ID Act requires states to issue driver's licenses and identification cards that conform to a national standard. The state license databases would hold images of documents like birth certificates and Social Security cards for at least seven years and would be linked to each other. The committee called Real ID "one of the largest identity management undertakings in history." The draft regulations made no provisions for data security and do not hold the states liable for the personal information they collect. US citizens would need valid ID cards compliant with Real ID standards to board aircraft, enter government buildings and receive government benefits. The act has met with criticism from various other groups as well, including privacy advocates and legislators.-http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxo
nomyName=security&articleId=9019222&taxonomyId=17&intsrc=kc_top
[Editor's Note (Grefer): Federal ID cards have been the norm in Germany and various other European countries for decades. As such, the outcry about Fed vs. State authority may be hard to comprehend for readers outside the US. However, one major area of concern is the apparent lack of controls and data protection from the stipulations of the Act. It might be time to take a closer look at how other countries have properly implemented and legislated similar acts. ]
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
50th Conviction for DOJ Anti-Piracy Operation (May 14, 2007)
The US Department of Justice's (DOJ) Operation FastLink has netted its 50th conviction. Christopher E. Eaves has pleaded guilty to one count of conspiracy to commit copyright infringement; Eaves was a member of Apocalypse Crew, a group responsible for making music downloads available before they were officially released. When he is sentenced in August, Eaves could face up to 10 years in prison and a fine of US $250,000.-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9019363&source=rss_topic17
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Cisco Warns of Flaws in FTP Server Component of IOS Server (May 10 & 11, 2007)
Cisco has released a security advisory warning of a number of vulnerabilities in its IOS FTP Server. The vulnerabilities could be exploited to obtain unauthorized privileges or cause a denial-of-service (DoS) condition. The flaws affect IOS versions 11 and 12; IOS XR is not affected. Cisco has issued updates that disable the FTP Server component and recommends manually disabling IOS FTP Server as a workaround.-http://www.scmagazine.com/us/news/article/656879/cisco-discloses-ios-ftp-server-
flaws/
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9019219&source=rss_topic17
-http://www.vnunet.com/vnunet/news/2189647/cisco-warns-security-flaws
-http://www.cisco.com/warp/public/707/cisco-sa-20070509-iosftp.shtml
Attackers Using BITS to Download Malware (May 10, 11 & 14, 2007)
Attackers are using the Background Intelligent Transfer Service (BITS) to circumvent firewalls and plant malware on computers. Microsoft uses BITS, an asynchronous file transfer service, to deliver patches through Windows Update. BITS has "automatic throttling so downloads don't impact other network chores. It automatically resumes if the connection is broken." Because BITS is "baked in" to some versions of Windows, it is considered a trusted program and therefore avoids the firewall. In late March 2007, a trojan infected computers using BITS causing mny computers to be infected.-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9019118&source=rss_topic17
-http://www.theregister.co.uk/2007/05/11/vxers_subverts_windows_update/print.html
-http://www.scmagazine.com/us/news/article/657068/windows-update-used-download-ma
lware-updates/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Pirate Bay User Data Stolen (May 14, 2007)
The Pirate Bay, a website that helps users find files over BitTorrent peer-to-peer (P2P) file sharing software, has reportedly been the victim of attack; the intruder stole a copy of the site's user database. User passwords are encrypted, but Pirate Bay's site operator encourages users to change their passwords nonetheless, and if they use the same password elsewhere, to change those as well. The attacker got in through a hole in the site directory's blogging software. Pirate Bay has a reported 1.4 million members.-http://www.theregister.co.uk/2007/05/14/pirate_bay_hacked/
-http://www.securityfocus.com/brief/499
Goshen College Acknowledges Computer Security Breach (May 11 & 12, 2007)
Goshen College in Goshen, Indiana has acknowledged that a cyber intruder breached the security of the college's computer system. Officials believe the motive was to use the computers to send spam, not to steal information. Nevertheless, the college has taken the precaution of notifying those affected by the breach and offering advice about credit protection. College director of Information Technology Services Michael Sherer said, "Staff immediately addressed the breach[and ]
Goshen College has implemented additional internal controls and safeguards for personal information." The breach affects approximately 7,300 current and prospective students and their families dating from fall 2003 through the present. The potentially compromised data include names, birth dates and Social Security numbers (SSNs).
-http://www.goshen.edu/news/pressarchive/05-11-07-security.html
INSIGHTS
Intrusion Detection Is Not Dead: But Is Changing (May 11, 2007)
Gene Schultz argues that intrusion detection is not dead, but the tools are being used in different ways. Most importantly, Schultz argues that a new class of intrusion detection analyst who has the technical skills to weave information IDS systems with data from other sources to provide more complete and effective forensics and early warning.-http://www.darkreading.com/document.asp?doc_id=123822&WT.svl=news2_1
=========================================================================
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.
Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/