SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume IX - Issue #48
June 19, 2007
The first story in this issue illuminates the final nail in the coffin for FISMA's approach to securing US government systems: a Computerworld interview with Greg Wilshusen, the Government Accountability Office official who oversees the federal government's security and FISMA compliance assessment. If the House Government Reform Committee doesn't act now, when Congress's own experts say its approach has failed, then oversight of the security of federal systems should be immediately taken over by a different House committee. Note that everyone will win when the government shifts to measuring actual security. Federal contractors who have real-world technical security knowledge have repeatedly told me that they see huge opportunities arising when government actually measures security rather than writing reports on checklist compliance. They acknowledge the C&A reports they produce are useless and say they do them only because Congress and OMB force their government customers to demand them.
Alan
PS For our commercial and international readers, the issue of checklist security vs measurement of actual security is one that may become extremely important in your worlds shortly after the US government fixes its FISMA errors.
PPS There is one more week until the deadline for low-cost registration to the largest cyber security program in Washington: SANSFIRE at the end of July. http://www.sans.org/sansfire07/
TOP OF THE NEWS
GAO Official Confirms: Compliance With FISMA Does Not Make Federal Systems Secure
NATO Defense Ministers Call for Attention to Cyber Security
Anti-Spyware Bill Introduced in US Senate
PayPal Deploys Two-Factor Authentication
THE REST OF THE WEEK'S NEWS
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
DHS IT Security to be Topic of House Subcommittee Hearing
Visa Appointment System Hacking to be Investigated
Los Alamos Contractor Distributes Sensitive Nuclear Secrets By Unencrypted eMail
POLICY & LEGISLATION
Legislators Aim to Amend FISMA
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Yahoo! Fixes Cross-Site Scripting Flaw
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Data Breach Affects Thousands of Ohioans
Lost Flash Drive Holds Student Data
Stolen Flash Drive Holds Student Data
STATISTICS, STUDIES & SURVEYS
Survey Says More Needs to be Done to Protect Data
Employees Believe Data Breaches Lead to Job Loss
MISCELLANEOUS
UK Dept. of Trade and Industry Funds Human Factor IT Security Projects
TOP OF THE NEWS
GAO Official Confirms: Compliance With FISMA Does Not Make Federal Systems Secure (June 14, 2007)
"The key message to take away from my [Congressional] testimony last week is that agencies need to move away from mere compliance with the FISMA requirement and focus on effective security," said Greg Wilshusen, director of information security issues at the Government Accountability Office (GAO). "When we go out and conduct our security control reviews at federal agencies, we often find serious and significant vulnerabilities in systems that have been certified and accredited... agencies may be focusing on just trying to get the systems certified and accredited but not effectively implementing the processes that the certification and accreditation is supposed to reflect."
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9024658
[Editor's Note (Schultz): Wilshusen's statement is extremely significant in that it shows senior management recognition that the nature of FISMA compliance needs to change substantially if it is to positively impact security within the US government. ]
NATO Defense Ministers Call for Attention to Cyber Security (June 14 & 15, 2007)
In the wake of recent cyber attacks against Estonian websites and networks, NATO defense ministers expressed concern about the cyber security of critical information systems. While uncertain about how to proceed, NATO defense ministers believe the need to take action is "urgent." NATO sent a technology expert to Estonia while the attacks were underway. The defense ministers were attending a two-day meeting regarding the deployment of missile defense systems in Europe.
-http://www.securityfocus.com/brief/527
-http://www.theregister.co.uk/2007/06/15/cyber_war_screaming_fist/print.html
-http://news.com.com/2102-7348_3-6191011.html?tag=st.util.print
Anti-Spyware Bill Introduced in US Senate (June 15, 2007)
US Senator Mark Pryor (D-Arkansas) has introduced legislation that would make it a crime to install spyware on PCs without users' consent. Pryor said he took the step of introducing the Counter Spy Act of 2007 because "the industry has failed in self-regulating." The bill would make it an unfair practice to install spyware. The bill would also give the Federal Trade Commission (FTC) enforcement powers. Violators could face civil and criminal penalties, which could be both fines and prison sentences of up to five years.
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=199904803
-http://news.com.com/8301-10784_3-9729925-7.html
-http://pryor.senate.gov/newsroom/details.cfm?id=276980&
PayPal Deploys Two-Factor Authentication (June 18, 2007)
PayPal users will now have an extra layer of security to use when accessing their accounts. A key fob token generates a "pseudo-random six-digit" security passcode every 30 seconds. The device is available to both PayPal customers and eBay customers; eBay is the parent company of PayPal. PayPal and eBay top most lists of frequent phishing targets. Customers will need to pay a US $5 fee for the device, but beyond that, the service costs nothing.
-http://www.securityfocus.com/brief/528
[Editor's Note (Ranum): Fantastic!!!! They'll get my $5. (Shpantzer): I'm all for strong authentication. One niggling issue is the possibility that companies that give tokens to customers would use them as an excuse to not refund lost monies in the event of true fraud. Non-repudiation (via strong authentication) could possibly be used against fraud victims by saying 'Hey, we gave you a token. Who else could it have been but you? No refund!']
THE REST OF THE WEEK'S NEWS
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
DHS IT Security to be Topic of House Subcommittee Hearing (June 18, 2007)
A US House subcommittee hearing scheduled for Wednesday, June 20 will examine the Department of Homeland Security's (DHS) response to nearly 850 cyber security incidents in fiscal years 2005 and 2006. Among the concerns the House Homeland Security subcommittee wants addressed are "the lack of IT security funding" at DHS, and "the data security implications of [a project designed] to combine all of its IT networks under one roof."
-http://federaltimes.com/index.php?S=2836501
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9025100&taxonomyId=17&intsrc=kc_top
[Editor's Note (Ranum): DHS was created out of 20+ agencies with the premise that combining them would break down barriers and create new synergies, etc. That's what the taxpayers were told. DHS was given (and has spent) a hell of a lot of money to try to do exactly that. The fact that, 5 years after the creation of DHS, there is still a question of "combining IT networks" is unsettling. ]
Visa Appointment System Hacking to be Investigated (June 13, 2007)
The US Embassy in Kingston, Jamaica, is investigating the reported hacking of its online visa appointment system that prevented several Jamaican athletes from attending a track meet in the US earlier this year. Although officials had applied for visa appointments ahead of schedule, they were not able to get the necessary dates. The non-immigrant visa appointment system was infiltrated and manipulated so that individuals were unable to obtain appointments when necessary.
-http://www.rjr94fm.com/news/story.php?category=2&story=36819
-http://www.jamaicaobserver.com/news/html/20070613T200000-0500_124289_OBS_US_EMBASSY_WARNS_AGAINST_VISA_APPOINTMENT_FRAUD_.asp
Los Alamos Contractor Distributes Sensitive Nuclear Secrets By Unencrypted eMail (June 15, 2007)
A consultant to Los Alamos National Laboratory's board, Harold Smith, sent an email containing highly classified, non-encrypted nuclear-weapons information to several board members, who forwarded it to other members, according to the Associated Press. A team from Lawrence Livermore, a second Department of Energy nuclear laboratory, was flown in to recover the wayward information.
-http://online.wsj.com/article/SB118191340325436695.html?mod=googlenews_wsj
POLICY & LEGISLATION
Legislators Aim to Amend FISMA (June 11 & 14, 2007)
Proposed legislation in both houses of the US Congress seeks to amend the Federal Information Security Management Act (FISMA). The Federal Agency Data Breach Protection Act would have Office of Management and Budget officials establish policies, procedures and standards for agencies to disclose data breaches; give agency CIOs the authority to enforce FISMA standards and require that they "develop and maintain an inventory of computers and hardware containing sensitive personal information"; and require that "all federal property assigned to employees at the end of their employment" be accounted for. The bill also broadens the definition of sensitive personally identifiable information.
-http://www.fcw.com/article102949-06-11-07-Print&newsletter=yes
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Yahoo! Fixes Cross-Site Scripting Flaw (June 15, 2007)
Yahoo! has fixed a cross-site scripting flaw that could be exploited to take control of users' accounts. The flaw affected the entire Yahoo! site; attackers could exploit the flaw by tricking users into clicking on specially crafted links. The vulnerability is not dependent on a particular browser. Attackers could exploit the flaw to access address books, send email and instant messages, and review query histories and settings in various Yahoo! services.
-http://www.theregister.co.uk/2007/06/15/yahoo_xss_error/print.html
[Editor's Note (Skoudis): Keep an eye on these Cross-Site Scripting (XSS) flaws. I think they are going to be very big in the future, especially as more users store more data online in so-called Web 2.0 applications. As the Samy worm showed in MySpace two years ago, a determined XSS attacker could unleash a plague that steals or destroys data from millions of users. To help protect yourself, create a local back-up of the information you store in social networking, blogging, on-line photo, and even on-line e-mail accounts. (Shpantzer): Note that this is a browser-independent issue. Moving away from Microsoft's Internet Explorer won't save us from basic coding flaws in the web's most popular platforms.]
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Data Breach Affects Thousands of Ohioans (June 17, 2007)
The state of Ohio has hired a data security expert to help "determine the likelihood of someone getting access to the data on a stolen backup storage device." The device was stolen from the car belonging to an intern at the state's Office of Management and Budget; the device contains the names and Social Security numbers (SSNs) of all 64,000 Ohio state employees, data belonging to nearly 54,000 people enrolled in Ohio's pharmacy benefits management program, 75,000 of their dependents, the names and case numbers of approximately 84,000 welfare recipients, records for nearly 160,000 Medicaid providers and their bank account information, and the names and federal tax identification numbers of approximately 1,200 vendors receiving payroll deduction payments from the state. Ohio governor Ted Strickland "has issued an executive order to change the procedures for handling state data."
-http://www.ohio.com/mld/beaconjournal/news/state/17383005.htm
-http://zanesvilletimesrecorder.com/apps/pbcs.dll/article?AID=/20070616/UPDATES01/70616002/1002/NEWS01
Lost Flash Drive Holds Student Data (June 16, 2007)
A Texas A&M Corpus Christi professor vacationing in Madagascar lost a flash drive while traveling. The storage device holds personally identifiable information of approximately 8,000 students. The data breach affects nearly all people who were students at the Corpus Christi campus in 2006. The professor, Dr. Blair Sterba-Boatwright, did not violate school policy by taking the flash drive with him on his vacation. While it has not been determined exactly what data are on the drive, they are believed to include SSNs and dates of birth. The university plans to notify affected students by letter.
-http://www.kristv.com/Global/story.asp?S=6667387&nav=menu192_2
[Editor's Note (Skoudis): A contributing factor to these data breach issues is the rapidly increasing size of USB 2.0 "thumb" drives. In 10 years, it may become common to have a small form-factor storage device with 200 gigs or (much) more, able to store a massive corporate database on a very small device. Is encrypting these drives the solution? Clearly, it'll help. But with increases in storage outstripping the processor improvements predicted by Moore's Law, our crypto solutions will likely feel slower and slower all the time. The trajectory, thus, isn't heartening.]
Stolen Flash Drive Holds Student Data (June 12 & 13, 2007)
A flash drive stolen from the English Department of Grand Valley State University's (Michigan) Allendale Campus contains personally identifiable information of approximately 3,000 current and former students. The data include SSNs. The university is investigating the presence of the SSNs on the drive, which goes against school policy. The university has notified affected students by letter.
-http://www.woodtv.com/Global/story.asp?S=6643715&nav=0Rce
-http://www.mlive.com/news/grpress/index.ssf?/base/news-36/118173691983190.xml&coll=6
STATISTICS, STUDIES & SURVEYS
Survey Says More Needs to be Done to Protect Data (June 18, 2007)
A survey of more than 1,000 IT and compliance professionals found that nearly half believe their organizations are not doing enough to prevent data loss. Forty-five percent do not have confidence their organizations would be able to notify affected customers after a data breach. IT professionals and compliance and internal auditing professionals perceive the data exposure risks differently. Thirty-three percent of compliance specialists believe their companies are vulnerable to breaches; among IT specialists, that figure is 42 percent. The survey was commissioned by Oracle and conducted by the Ponemon Institute.
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=199905013
-http://www.oracle.com/security/security-worries.pdf
Employees Believe Data Breaches Lead to Job Loss (May 2, 2007)
According to a survey of approximately 250 IT professionals, more than three-quarters believe they could lose their jobs over a data breach. The majority of those surveyed also felt they did not have the necessary skills and/or tools to prevent data loss. Nearly all respondents reported using antivirus software, approximately 80 percent use antispyware products and automated patch management, but just 35 percent use end-node vulnerability scanning products.
-http://www.networkworld.com/news/2007/050207-data-breach-job-security.html
MISCELLANEOUS
UK Dept. of Trade and Industry Funds Human Factor IT Security Projects (June 18, 2007)
The UK's Department of Trade and Industry (DTI) has set aside GBP 4 million (US $7.9 million) to fund four research projects that will address the factor of human error in IT security. The projects revolve around behavioral science and include the "development of a risk-assessment package focused on organizational and human factors," and the development of "a predictive modeling framework that assesses security policies that regulate the interaction between humans and information systems."
-http://www.theregister.co.uk/2007/06/18/dti_it_security_research/print.html
-http://www.heise-security.co.uk/news/91327
[Editor's Note (Schultz): This is a very promising development. The relationship between information security and human behavioral considerations has been grossly overlooked, yet it is one of the potentially most important information security issues. Additionally, studies show that human error is responsible for more financial loss than are security-related incidents. ]
=========================================================================
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.
Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/