SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume IX - Issue #42
May 25, 2007
Correction: You may invite *both* your own organization's programmers as well as programmers who work for your system integrators and outsourcers, to participate in the inaugural secure coding exams in C and Java, on August 14 in Washington DC. Please select up to six programmers for the exams. Ensuring application programmers know how to find and eliminate the errors that cause security flaws is by far the most cost-effective way to improve the security of the applications you are deploying. Test participants will be eligible to earn secure programming certification, and each will receive a detailed report listing gaps in their secure programming knowledge. Participant names will be entirely confidential. Those who sign up in the next few days will also get an invitation to a webcast that helps them ensure they know what will be covered and where to find study materials. Resources:
Exam blueprints and details at: www.sans-ssi.org
Test information: http://www.sans.org/gssp07/
Questions: spa@sans.org
Alan
PS. Application security is the biggest growth area in information security, and Application Security Manager (ASM) is the newest title on the security team, and a great job. Every ASM I have met has said that the new secure coding exams are an essential element that will enable their secure coding initiatives to have measurable results. Please help us make the tests the standard by sending some of your programmers to the tests in August. And if you would like, please sign on as an enterprise partner to help guide the exam evolution, so you can be sure the tests meet your organizations' goals.
(http://www.sans-ssi.org/enterprise.php)
TOP OF THE NEWS
OMB Memo Lays Down the Law on Data Protection and Breach Notification
Credit Card Security Legislation Passes in Minnesota
US House Passes Spyware Bill
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
Fine and Community Service for Wireless Piggybacking
No Jail Time for Employee Data Theft
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
FBI Network Security Still Subpar
Einstein Monitors Agency Network Traffic
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Opera Fixes Buffer Overflow Flaw
Office 2003 Security Tool Designed to Protect Users from Infected Files
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Breach Compromises Data of 45,000 Univ. of Colorado Students
STATISTICS, STUDIES & SURVEYS
Survey Says Security Spending Will Slip
********* SANS Europe (Belgium) and SANSFIRE 2007 (Washington DC) *******
The big changes coming in security appear to be creating a surge of demand for security professionals and auditors with stronger technical skills in intrusion detection, forensics, wireless security, penetration testing, secure configuration management, application security, technical security auditing and more. The only programs that provide authoritative training in these topics come from SANS. Here's where you can find training with SANS' top instructors:
Brussels: SANS Secure Europe (6 courses): June 25-30
http://www.sans.org/brussels07/
Washington DC, SANSFIRE 2007 (57 courses): July 25-August 3
http://www.sans.org/sansfire07/
*************************************************************************
TOP OF THE NEWS
OMB Memo Lays Down the Law on Data Protection and Breach Notification (May 24, 2007)
A memorandum from the Office of Management and Budget (OMB) directs executive department and agency heads to tighten their procedures for handling personally identifiable information. Agencies should reduce the amount of data they collect and retain, limit data access to a need-to-know basis, and use encryption and strong authentication. The memo also requires all agencies to develop data breach notification policies within the next four months.
-http://www.whitehouse.gov/omb/memoranda/fy2007/m07-16.pdf
-http://www.whitehouse.gov/omb/pubpress/2007/052307_ssn.pdf
-http://weblog.infoworld.com/zeroday/archives/2007/05/white_house_pub.html
-http://www.scmagazine.com/us/news/article/659814/after-myriad-data-breaches-feds-cut-use-social-security-numbers/
Credit Card Security Legislation Passes in Minnesota (May 24, 2007)
The Minnesota state House and Senate approved the Plastic Card Security Act, which makes retailers liable for losses incurred by financial institutions when the retailers suffer data security breaches. The legislation requires that businesses accepting payment cards not retain card security code data, the PIN verification code, or the complete information from the card's magnetic stripe for any length of time after a transaction has been authorized. In the case of debit cards, the data may be retained for up to 48 hours after the transaction has been authorized. In the event of a breach, the entity found to be violating the data retention restrictions is responsible for reimbursing the financial institutions for costs incurred as a result of the breach. Organizations processing fewer than 20,000 such card transactions annually will not be liable to financial institutions in the event of a breach. In related news, the Texas House unanimously approved legislation that would require businesses to adopt the Payment Card Industry (PCI) data security standard; however, that state's Senate left the bill pending in committee, effectively letting it die.
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=199701966
-http://www.revisor.leg.state.mn.us/bin/bldbill.php?bill=S1574.2.html&session=ls85
[Editor's Note(Schultz): It is not surprising that the PCI-DSS-related legislation did not pass in the Texas Senate. I'm sure that many companies lobbied against this legislation because of the resources required for PCI-DSS compliance. ]
US House Passes Spyware Bill (May 23, 2007)
The US House of Representatives has passed legislation that would punish people who use spyware to commit fraud, but imposes no new regulations on software makers. The bill's chief sponsor, Zoe Lofgren (D-Ca.), remarked, "it targets the worst forms of spyware without unduly burdening technological innovation." The bill would provide for prison sentences of up to five years for individuals convicted of using spyware to commit federal offenses; convictions for obtaining or transmitting personal data with intent to injure or defraud a person or damage a computer would carry a maximum prison sentence of two years. The bill would also give US $10 million annually to the Justice Department to help fight other types of computer fraud.
-http://www.smh.com.au/news/Technology/US-House-of-Representatives-approves-legislation-to-combat-Internetspyware-other-scams/2007/05/23/1179601448552.html
-http://australianit.news.com.au/articles/0,7204,21780504%5E15306%5E%5Enbv%5E,00.html
[Editor's Note(Schultz): This bill appears to be significantly "watered down;" if passed, it will in all likelihood not be effective in countering spyware. At the same time, however, passing a bill punishing people who engage in spyware-related fraud is at least a step forward in the fight against spyware. ]
*********************** Sponsored Links: ******************************
1) SANS OnSite Training
Receive bonus seat for SANS OnSite (up to $5100 value) Your Location! Your Schedule! Lower Cost!
Enter today! http://www.sans.org/info/7616
2) Upcoming SANS WhatWorks web cast May 31st at 12pm EDT, WhatWorks in Event and Log Management: Driving Compliance with Log Management at Tyson Foods
http://www.sans.org/info/7621
3) Do you like to study on your own schedule? Want to save money on travel costs? Check out SANS OnDemand online training.
http://www.sans.org/info/7636
*************************************************************************
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
Fine and Community Service for Wireless Piggybacking (May 23 & 24, 2007)
Sam Peterson will perform 40 hours of community service and pay a US $400 fine for using a wireless network without permission. Peterson parked outside a Wi-Fi café in Sparta, Michigan and checked his email on a daily basis. If he had gone inside for a cup of coffee and used the Internet while there, there would have been no grounds for prosecution. The cafe's owner was unaware that Peterson's activity was illegal. Peterson was caught because the local police chief became suspicious of him sitting in his car using his computer outside the cafe.
-http://www.theregister.co.uk/2007/05/23/michigan_wifi_conviction/print.html
-http://www.computerworlduk.com/management/security/data-control/news/index.cfm?newsid=3160
[Editor's Note (Northcutt): The more I read about the details of this story, the more I am tempted to write a screen play for Andy of Mayberry 2007, but good judgment was used by all except Peterson. A much better telling of the tale can be found:
-http://www.woodtv.com/Global/story.asp?S=6546307
(Grefer): A recent proof of concept showed that it takes mere seconds to break WEP encryption, so to make a wireless network reasonably secure, use WPA or WPA2 connections. ]
No Jail Time for Employee Data Theft (May 21, 2007)
A man who once worked as a computer consultant for Blue Cross and Blue Shield of Florida will not go to prison for stealing the names and Social Security numbers (SSNs) of 27,000 of the company's employees. Because Paul Jason Clifton neither misused nor disseminated the data, he was sentenced to three years of probation and ordered to pay restitution of US $580,000. The funds represent the costs of notifying the employees of the data breach and monitoring their credit.
-http://www.jacksonville.com/tu-online/stories/052107/met_171666534.shtml
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
FBI Network Security Still Subpar (May 24, 2007)
According to a report from the Government Accountability Office (GAO), "certain information security controls over the [FBI's] critical internal network ... were ineffective in protecting the confidentiality, integrity, and availability of information and information resources." The report noted seven areas in which security controls were inconsistently applied, including the configuration of network devices and services to keep unauthorized insiders from accessing information and ensuring system integrity; the enforcement of the principle of least privilege; and logging, auditing and monitoring security-related events. The GAO made recommendations for addressing specific weaknesses in a separate, classified report. FBI officials responded to the report, saying they accept many of the recommendations, but do not agree with the "characterization of the associated risks," noting a number of measures they had implemented over the last five years, including a 24-hour security watch center, and the fact that all its systems are accredited as per the Federal Information Security Management Act (FISMA).
-http://www.gcn.com/online/vol1_no1/44340-1.html?topic=security&CMP=OTC-RSS
Report: "FBI Needs to Address Weaknesses in Critical Network"
-http://www.gao.gov/new.items/d07368.pdf
Einstein Monitors Agency Network Traffic (May 21, 2007)
In the summer of 2006, several computers at the US Department of Agriculture (USDA) became infected with a worm. Those computers began scanning network connections to find other vulnerable machines to help create a botnet. The worm was not detected until the USDA computers tried to infect computers at the US Department of Transportation (DOT). The malicious activity was caught at DOT because DOT is participating in the Department of Homeland Security's (DHS) Einstein program, which monitors agency network gateways for anomalous traffic patterns. When the patterns are detected, the system alerts DHS's US Computer Emergency Readiness Team (US-CERT). "US-CERT's security analysts use Einstein data to correlate cross-agency security incidents." Agency participation in the Einstein program is voluntary and costs agencies nothing, as DHS provides hardware, software, support services and operational training. Einstein does not replace the need for intrusion detection systems.
-http://www.fcw.com/article102730-05-21-07-Print&printLayout
[Editor's Note (Ullrich): We at Internet Storm Center routinely use similar reports from DShield to notify infected users. The big story here is how many networks, especially government networks that should be better protected, are missing the most basic network monitoring tools, and have to rely on others to enumerate their infected systems. ]
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Opera Fixes Buffer Overflow Flaw
Opera has released Opera version 9.20 for Windows to address a buffer overflow flaw. The vulnerability is the result of a boundary error that arises when version 9.x of the browser handles maliciously crafted Torrent files. For the flaw to be exploited, attackers would need to manipulate users into right-clicking on the malicious Torrent file in the transfer manager. Successful exploit of the flaw could allow attackers to execute arbitrary code. Versions of Opera for other operating systems may be vulnerable as well. Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=2823
-http://www.theregister.co.uk/2007/05/23/opera_torrent_bug/print.html
-http://www.opera.com/support/search/view/860/
Office 2003 Security Tool Designed to Protect Users from Infected Files (May 22, 2007)
Microsoft has released a free tool called Microsoft Office Isolated Conversion Environment, or MOICE, to help protect users from malware placed in Office files, a vector of attack that has recently gained popularity. MOICE converts Word, Excel and PowerPoint docs to their OpenXML counterparts and opens them in a quarantined environment to protect users' computers from embedded malicious payloads designed to exploit holes in Microsoft Office. MOICE works in tandem with File Block, a tool that allows administrators to establish group policies regarding users' permissions to open certain file types. Both tools work out of the box with Office 2007. Office 2003 users need to install the Compatibility Pack for Word, Excel and PowerPoint 2007 Office File Formats first. There is no protection offered for users running versions prior to Office 2003. Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=2838
-http://www.theregister.co.uk/2007/05/22/office_moice/print.html
-http://support.microsoft.com/kb/935865
Compatibility Pack:
-http://www.microsoft.com/downloads/details.aspx?FamilyID=941b3470-3ae9-4aee-8f43-c6bb74cd1466&displaylang=en
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Breach Compromises Data of 45,000 Univ. of Colorado Students (May 23 & 24, 2007)
The names and SSNs of approximately 45,000 University of Colorado students may have been exposed following a breach of a university server. A worm exploited a known flaw in a Symantec anti-virus management console to gain unauthorized access to a server at the Academic Advising Center of the University's College of Arts and Sciences. The breach affects people enrolled as students at CU from 2002 through the present. The breach was detected on May 12 when the compromised server started scanning other Internet-connected systems. A patch is available for the flaw, but it had not yet been applied to the server. IT operations at the College of Arts and Sciences have not been operating under the auspices of CU's central IT department, but steps are being taken to change that situation.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9021059&source=rss_topic17
-http://www.scmagazine.com/us/news/article/659383/hackers-exploit-unpatched-flaw-disabled-firewall-access-personal-info-45000-university-colorado-students/
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=199701978
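Both the USDA worm in the Einstein item and the University of Colorado server above were noticed only once the infected host began scanning other systems. The following is an added example, not code from the newsletter or from DHS, of the simplest gateway-side heuristic that catches that behaviour: flag any source that contacts an unusually large number of distinct destinations on one port within a short window. The flow records, thresholds and window length are constructed for this illustration; Einstein's actual analytics are not described on the page.

```python
"""Flag worm-style outbound scanning in gateway flow records.

Constructed example: each flow record is (timestamp_seconds, src_ip, dst_ip,
dst_port). A host whose distinct-destination fan-out on a single port exceeds
a threshold inside a sliding time window is reported as a probable scanner.
"""
from collections import defaultdict

# Tunable thresholds (assumed values chosen for this example).
WINDOW_SECONDS = 60          # length of the sliding window
DISTINCT_DST_THRESHOLD = 20  # distinct destinations on one port => alert


def detect_scanners(flows, window=WINDOW_SECONDS, threshold=DISTINCT_DST_THRESHOLD):
    """Return {src_ip: (dst_port, max_distinct_dsts)} for every source whose
    fan-out on some port reached `threshold` distinct destinations within
    any `window`-second span."""
    by_src_port = defaultdict(list)
    for ts, src, dst, port in flows:
        by_src_port[(src, port)].append((ts, dst))

    alerts = {}
    for (src, port), recs in by_src_port.items():
        recs.sort()                      # time order within this (src, port)
        counts = defaultdict(int)        # dst -> hits inside the window
        left = 0
        for ts, dst in recs:
            counts[dst] += 1
            # Slide the left edge forward until every record is within `window`.
            while recs[left][0] < ts - window:
                old = recs[left][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            if len(counts) >= threshold:
                prev = alerts.get(src)
                if prev is None or len(counts) > prev[1]:
                    alerts[src] = (port, len(counts))
    return alerts


def sample_flows():
    """Constructed flows: one ordinary workstation and one infected server."""
    flows = []
    # Ordinary host: eight HTTPS connections spread over ten minutes.
    for i in range(8):
        flows.append((i * 70, "10.1.1.5", f"198.51.100.{i}", 443))
    # Infected host: sweeps a /24 on TCP 445 in under a minute.
    for i in range(1, 200):
        flows.append((1000 + i * 0.25, "10.1.1.77", f"192.0.2.{i}", 445))
    return flows


if __name__ == "__main__":
    for src, (port, n) in detect_scanners(sample_flows()).items():
        print(f"ALERT: {src} reached {n} distinct hosts on port {port} "
              f"within {WINDOW_SECONDS}s")
```

Real deployments would feed this from NetFlow or firewall logs and tune the window and threshold per port, since a mail relay or web proxy legitimately has high fan-out on its own service ports.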
STATISTICS, STUDIES & SURVEYS
Survey Says Security Spending Will Slip (May 200, 2007)
According to a Goldman Sachs survey of 100 IT managers, security is no longer a top priority in IT spending. Although budgets and spending are holding steady, IT managers say they will focus their spending on server consolidation and server virtualization. Security, compliance and risk management, long perennial favorites, have fallen from the top ten list.
-http://www.computerworlduk.com/management/it-business/it-department/news/index.cfm?RSS&newsid=3100
[Editor's Note (Northcutt): I believe it! If you go to trends.google.com and first type in "information security" you see a gentle down slope. If you type in "server virtualization" you see a quickly rising hot new trend. And it just makes sense: time and time again they gave us money to "fix the problem." Security people spent the money, but they still have "the problem".
(Ullrich): Maybe the survey results are a reflection of organizations no longer focusing on security spending to fix old mistakes, and instead making security part of everyday IT spending decisions. As long as new solutions are implemented with security in mind, security spending should drop.
(Paller): Findings from our continuous research into security job changes reinforce Johannes's and Stephen's comments. CEOs are pulling back on spending for regulatory reporting and giving more security responsibility (and funding) to operations managers. The key lesson here is that if your security skills are soft, you'll want to get much better prepared to do technical, hands-on security work to keep your career moving. ]
Note: Next week, NewsBites will be published once, on Thursday, May 31. The following week we will return to our regular Tuesday & Friday publication schedule.
=========================================================================
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.
Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/