SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume X - Issue #77

September 30, 2008

If you have wondered when colleges would start taking responsibility for ensuring their graduates know how to write secure code, you'll like the final story (under MISCELLANEOUS). It includes a path you can use to help make sure the schools from which you hire programmers are part of the solution.
Alan

---

TOP OF THE NEWS

FISMA 2008: A Better Solution
Microsoft and Washington State AG File Charges Against Scareware Vendors
BT Will Run New Phorm Test on Opt-In Basis

THE REST OF THE WEEK'S NEWS

ARRESTS, CHARGES & CONVICTIONS
Carleton University Student Hacker Quits School Over Penalty Disagreement
Tenenbaum Free on Bail
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
Stolen Hard Drives Hold Sensitive Data of 50,000 UK Ministry of Defence Staff
Los Alamos Needs to Implement Stronger Security, Says GAO
VULNERABILITIES
Secondhand VPN Router Connects to Previous Owners' Network
UPDATES AND PATCHES
Mozilla Fixes Firefox Password Manager Flaw
DATA LOSS
Whittington Hospital NHS Trust's Missing Disks Returned
ATTACKS
Cyber Thieves Use Purloined Yahoo Japan Auction Accounts
MISCELLANEOUS
Ten Most Mysterious Cyber Crimes
Security Certifications Pay
Four Colleges Selected For Grants For Secure Coding Education Innovation

---

*************************************************************************

TRAINING UPDATE

- - SANS CDI in Washington 30 courses; big security tools expo; lots of evening sessions: http://www.sans.org/ cdi08/
- - Monterey (10/31-11/6) http://www.sans.org/info/30738
- - Sydney Australia (10/27-11/1) http://www.sans.org/sydney08/
- - Vancouver (11/17-11/22) http://www.sans.org/vancouver08/
and in 100 other cites and on line any time: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

FISMA 2008: A Better Solution (September 29, 2008)

Certain provisions in the proposed Federal Information Security Management Act (FISMA) of 2008 would make major strides toward ensuring that federal computer systems are protected from attacks. Federal agencies spend a lot of time on the paperwork part of compliance with FISMA 2003, which ultimately has little to do with the actual security of their computer networks. If enacted, FISMA 2008 would require that agencies purchase products with security built in from the start instead of adding it later; it would require attack-based metrics to demonstrate that their systems are protected from known vectors of attack; and it would require a government-wide consensus on those metrics.
-http://www.fcw.com/print/22_32/comment/153909-1.html?topic=security

Microsoft and Washington State AG File Charges Against Scareware Vendors (September 26 & 29, 2008)

On Monday, September 29, Microsoft and the state of Washington plan to file lawsuits against individuals and organizations for allegedly inundating users' computers with spurious warnings about vulnerabilities detected on their machines and attempting to sell them software to address those flaws. The Washington AG's office is bringing charges under the state's Computer Spyware Act against Branch Software and Alpha Red and their owner, James Reed McCreary IV. Microsoft is filing several John Doe lawsuits to learn the identities of individuals suspected of marketing other scareware products.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9115720&source=rss_topic17
-http://www.vnunet.com/vnunet/news/2227086/microsoft-launch-spyware-spam
-http://voices.washingtonpost.com/securityfix/2008/09/microsoft_washington_state_
tar.html?nav=rss_blog
-http://news.cnet.com/8301-1009_3-10053565-83.html

BT Will Run New Phorm Test on Opt-In Basis (September 25 & 29, 2008)

Just days after London police said they would not proceed with an investigation into BT's secret trials of targeted advertising system Phorm, the British telecommunications company has announced that it is starting new trials of the controversial technology on September 30. This time, however, customers will have opted in to the trial; in the earlier trial, the technology was used without user consent. The new trial will run for at least four weeks; BT hopes to get 10,000 users to sign up to participate. If BT decides to continue using Phorm, it could be rolled out to all its broadband customers. The company has not specified whether the program will still be opt-in at that point.
-http://news.bbc.co.uk/2/hi/technology/7634210.stm
-http://news.bbc.co.uk/2/hi/technology/7641754.stm
[Editor's Note (Pescatore): The opt-in part should be on the collection of the data, not on displaying targeted advertising. The former is the risk; the latter is actually a benefit.
(Guest Editor and Internet Storm Center handler, Steve Hall): I think the way this is being handled by BT is atrocious. If you check how BT are 'selling' this service to their customers, then it's being sold far less as a method of targeting advertising, and more as online protection.
-http://www2.bt.com/static/i/btretail/webwise/
I do wonder how many of the 10,000 randomly chosen people will read ONLINE PROTECTION, rather than 3RD PARTY MONITORING ALL YOUR SURFING when they read the interstitial page. ]

---

************************* SPONSORED LINK *******************************

1) 2-Day Training Class Hosted by the FISMA Center FISMA 101: Certification & Accreditation Concepts November 13-14, 2008 Columbia, Maryland http://www.sans.org/info/33674

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

ARRESTS, CHARGES & CONVICTIONS

Carleton University Student Hacker Quits School Over Penalty Disagreement (September 26 & 29, 2008)

The Carleton University student accused of breaking into the school's computer network has refused to agree to one of the punishments for his actions and has dropped out of the school. In August, Mansour Moufid sent a 16-page report to school administrators and some students describing the vulnerabilities he exploited to gain access to 32 student accounts on the network. In the report, Moufid says he took the actions to demonstrate the need for improved security on the university's network. Among the penalties the school imposed on Moufid was to require him to write a letter of apology in which he would say that he lied when he said earlier that he had alerted university officials to the issue before sharing the report. Although he would have been willing to submit to the remainder of the punishments outlined by University officials, Moufid said that to make such a statement in the letter would be a lie. Moufid could also face charges of mischief to data and unauthorized use of a computer under Canada's Criminal Code, which each carry maximum sentences of 10 years in prison.
-http://www.canada.com/ottawacitizen/news/story.html?id=ce863a37-9fb9-46d6-b90b-4
0be380084e6
-http://www.securityfocus.com/brief/829

Tenenbaum Free on Bail (September 26, 2008)

Ehud Tenenbaum, who is the alleged mastermind of a scheme in which CAD 1.8 million (USD 1.7 million) was stolen from Direct Cash Management in Calgary, Alberta, Canada, has been released on bail. The alleged scheme involved obtaining pre-paid debit cards from Direct Cash, breaking into the company's computer system and increasing the cards' values. The judge has allowed Tenenbaum to return to Montreal, where he must report to police twice a week. He has also been barred from using any device that is capable of accessing the Internet and from talking with another suspect in the case. He is scheduled to appear in court again on October 29. As a teenager, Tenenbaum broke into US Defense Department computers. His initial sentence of six months of supervised release was eventually increased to 18 months in jail.
-http://www.canada.com/calgaryherald/news/city/story.html?id=7833966a-5188-4e84-8
62c-0ed65aa7d047

GOVERNMENT SYSTEMS AND HOMELAND SECURITY

Stolen Hard Drives Hold Sensitive Data of 50,000 UK Ministry of Defence Staff (September 26 & 29, 2008)

Personally identifiable information of as many as 50,000 UK military staff has been compromised due to the theft of three portable hard drives from the RAF Innsworth base in Gloucestershire. The unencrypted data include addresses, bank account numbers and medical records. The theft is under investigation by Ministry of Defence (MoD) police and Gloucestershire police. The MoD plans to notify all individuals affected by the data security breach.
-http://www.computerworlduk.com/management/government-law/public-sector/news/inde
x.cfm?newsid=11244
-http://www.mirror.co.uk/news/top-stories/2008/09/26/safety-fears-for-50-000-raf-
staff-after-personal-files-are-stolen-115875-20754809/
-http://www.theregister.co.uk/2008/09/29/raf_usb_drives_stolen/
[Editor's Note (Honan): The stolen hard drives were apparently not encrypted as they were located in a secure facility. I guess the RAF has learnt a lesson in defense in depth and that you need to ensure you include layers of defense in the physical, logical and personnel domains. ]

Los Alamos Needs to Implement Stronger Security, Says GAO (September 25, 26 & 29, 2008)

According to a report from the US Government Accountability Office (GAO), cyber security vulnerabilities at the Los Alamos National Laboratory (LANL) could expose sensitive data. Although LANL has begun implementing previously recommended measures to improve data security, there are still holes in its unclassified network, which holds information about export control and sensitive employee data. The network itself has strong authentication measures in place, but once access is granted, users can find their way around the other security measures to access the sensitive data. The report also found weaknesses in physical security at LANL. The GAO made several recommendations for improving LANL's cyber security posture, including "requir(ing) the Director of LANL to ... ensure that the risk assessment for the unclassified network evaluates all known vulnerabilities and is revised periodically and strengthen policies with a view toward ... reducing ... foreign nationals' access to the unclassified network."
-http://www.theregister.co.uk/2008/09/29/los_alamos_cyber_insecurity/
-http://www.fcw.com/online/news/153921-1.html
-http://www.nextgov.com/nextgov/ng_20080929_5288.php
-http://www.gao.gov/new.items/d081180t.pdf
[Editor's Note (Schultz): The condition of information security at LANL sounds typical of many laboratories within the nuclear weapons complex. There is often such an emphasis upon protecting classified data, systems and networks that protecting the unclassified side of computing, while not at all neglected, becomes overshadowed.
(Weatherford): This is another example of how bureaucracy impedes security and if it doesn't make you want to scream you haven't been paying attention because "Over the last decade, LANL has experienced a series of high-profile security incidents in which sensitive assets and classified information were compromised." How long does it take to finally get the problem fixed? The GAO report says that "A key reason for these information security weaknesses is that the laboratory has not fully implemented an information security program to ensure that controls are effectively established and maintained" and also "Although LANL cyber security officials told us that funding has been inadequate to address some of their security concerns, NNSA officials raised questions about the basis for LANL's funding request for cyber security. NNSA's Chief Information Officer told us that LANL has not adequately justified requests for additional funds to address the laboratory's stated shortfalls." ]

VULNERABILITIES

Secondhand VPN Router Connects to Previous Owners' Network (September 29, 2008)

In a new twist on the dangers of selling used equipment, a man who bought a virtual private network (VPN) server through eBay found that when it was switched on, it automatically connected to an internal network that belongs to the local government of West Yorkshire, England. The man, who works for a security company, purchased the secondhand Cisco device for 99p (US $1.78). A Cisco spokesperson said that the devices come with instructions for resetting them to the factory default.
-http://news.bbc.co.uk/2/hi/technology/7635622.stm
[Editor's Note (Pescatore): The same thing is happening with print servers and all kinds of other equipment that has "hidden" storage. Essentially, if you are surplusing any kind of IT you need to make sure it is either sanitized or destroyed. ]

UPDATES AND PATCHES

Mozilla Fixes Firefox Password Manager Flaw (September 29, 2008)

Mozilla patched a vulnerability in the Firefox Password Manager feature last week, just days after it released Firefox 3.0.2 to address 11 security flaws. Firefox 3.0.3 was slated to be released this week, but the fix was pushed out late in the day on Friday, September 26. Mozilla became aware of the password problem when, after installing Firefox 3.0.2, some users reported they were unable to retrieve saved passwords or save new site passwords.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9115783&intsrc=hm_list
-http://www.theregister.co.uk/2008/09/29/firefox_update_fixes_password_saving_bug
/

DATA LOSS

Whittington Hospital NHS Trust's Missing Disks Returned (September 26, 2008)

Four disks reported missing from the Whittington Hospital NHS Trust in London have been recovered. After a memo was sent to all employees notifying them of the situation, the disks were turned in the trust's finance department. The disks, which were password-protected, contain personally identifiable information of 18,000 trust staff members. The trust is reviewing its data handling procedures.
-http://news.zdnet.co.uk/security/0,1000000189,39494153,00.htm
[Editor's Note (Veltsos): Memo to all security staff - please stop calling things "password protected" unless you're referring to the kind of weak and built-in password protection that comes in most off-the-shelf software. ]

ATTACKS

Cyber Thieves Use Purloined Yahoo Japan Auction Accounts (September 27, 2008)

Cyber criminals used stolen login information to access accounts on Yahoo Japan's auction website more than 1.5 million times since May. The thieves used the purloined accounts to sell phony luxury items. Initially, the true account holders were being charged fees for the fraudulent transactions, but Yahoo Japan has identified an IP address associated with the activity and is now processing customers' claims to have the bogus charges removed.
-http://www.yomiuri.co.jp/dy/national/20080927TDY02308.htm

MISCELLANEOUS

Ten Most Mysterious Cyber Crimes (September 26, 2008)

While cyber crime cases that result in arrests and prison sentences are making the news more and more often, there are still major cases that have remained unsolved for years. This list of "The 10 Most Mysterious Cyber Crimes" includes both old - the hacking of a UK Ministry of Defense satellite in early 1999 - and new - the Hannaford/Sweetbay supermarket chain credit card data breach that was acknowledged earlier this year.
-http://www.pcmag.com/print_article2/0,1217,a%253D232455,00.asp

Security Certifications Pay (September 23, 2008)

Of 165 IT certifications monitored over the past year, 17 increased in value. Seven of the 17 certifications that increased in value were from the security sector, with those who had earned the GIAC Security Expert (GSE) certification posting a whopping 36.4% average salary increase during the last 12 months: the largest salary growth of any certified professional. Overall, pay for security certifications was up 0.4% during the last six months and 2% during the last year (through July 1, 2008), compared with the downward trend of all IT certifications, which lost 2.5% during the last six months and 3.5% during the past year. seven of the 17 certifications that increased in value were from the security sector, with those who had earned the GIAC Security Expert (GSE) certification posting a whopping 36.4% average salary increase during the last 12 months: the largest salary growth of any certified professional. Overall, pay for security certifications was up 0.4% during the last six months and 2% during the last year (through July 1, 2008), compared with the downward trend of all IT certifications, which lost 2.5% during the last six months and 3.5% during the past year.
-http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1331613,00.h
tml

Four Colleges Selected For Grants For Secure Coding Education Innovation (September 27, 2008)

Cornell, the University of North Carolina at Charlotte, Virginia Tech, and the University of California at Davis were selected as the first recipients of funding for deployment of the National Secure Coding Clinics (NSCC) initiative. UC Davis Professor Matt Bishop demonstrated that computer science students can master secure coding without asking college faculty to learn it or teach it. The innovation employs graduate student and corporate clinicians to review student code for each assignment and point out secure coding errors and how to fix them. In Bishop's test, students not only radically reduced their secure coding errors but also become "converts" with new, strong commitments to writing and ensuring others wrote secure code. The program has strong support from multiple federal agencies as well as the SANS Institute and large IT companies engaged in the SAFECode initiative.

---

We are including this note in NewsBites to invite employers who hire college graduates to join in the NSCC Partnership to encourage and support schools where you hire programmers to participate in the program and improving the secure coding skills of their graduates. If you are interested, send us a note with the name of the school from which you have hired at least a dozen programmers over the past five years and we'll let you know where that school stands on the NSCC and help you help them make progress in ensuring the graduates know how to write secure code. Email apaller@sans.org with subject NSCC.

*************************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescastore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.


Alan Paller is director of research at the SANS Institute


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security courses at Minnesota State University, Mankato. He is the President of Prudent Security LLC and also serves as the President of the Mankato Chapter ISSA.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/