SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume X - Issue #86

October 31, 2008


SCADA and Process Control Security - Some Good News for a Change. American utilities have made a 180 degree turn in the past five months: they are no longer trying to claim that their control systems are "safe from cyber attacks." As a result, oversight organizations (like NERC, North American Energy Reliability Corporation) have stepped up to help them measure the effectiveness of their security using the right metrics, and are reaching for consensus on what must be done to secure the systems and how utilities can be sure they have done the right things. Many of the utilities that have already demonstrated how to make their security more effective are getting together in Orlando in early February to share the lessons they learned. The February "Summit" is open to utilities, government agencies, control systems vendors, and the service providers who help secure those systems. Registration and preliminary program information is at http://sans.org/scada09_summit/
Speaking of "the right metrics" for measuring security, this paragraph is for our US government and government contractor readers. There seems to be a growing chorus saying that government inspectors general (IGs) are not measuring the effectiveness of (attack-based) security controls, and, since IGs are the trusted "watchers," the massive failures of federal cyber security may be substantially attributed to IG reliance on non-technical, "checklist" audits. The Government Accountability Office (GAO) has testified repeatedly that security assessments are NOT measuring effectiveness. Is there specific evidence that supports the position that IGs are measuring the wrong things? Email apaller@sans.org with evidence either way. Your responses will be absolutely confidential.
Alan

TOP OF THE NEWS

UK Government Data Breaches Raise Concerns About Proposed Database
Appeals Court Upholds Decision, Reversing Case That Allowed Business Method Patents
Court Rules Running Hashes Constitutes Fourth Amendment Search
Study Finds Security Policy Adherence Problems

THE REST OF THE WEEK'S NEWS

ARRESTS, CHARGES, CONVICTIONS & SENTENCES
Tenenbaum Indicted in New York
Cyber Saboteur Gets Six Months in Prison
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
Commission Will Draw Up Cyber Security Advice for Next President
UPDATES AND PATCHES
Opera 9.62 Addresses Critical Hole in Browser
STANDARDS
NIST Releases Documents on Key Management, Security in System Development Life Cycle and HIPAA Rule Implementation
STATISTICS, STUDIES & SURVEYS
RSA Wireless Security Study
MISCELLANEOUS
ICANN Tells EstDomains its Registrar Accreditation Will be Revoked
New Zealand Police Want Mandatory Registration for Pre-Paid Cell Phone Purchases


************************* Sponsored By CA *******************************

How can your organization utilize identity management technologies to cost-effectively manage and control user identities and demonstrate security compliance? Information provided in this IDC whitepaper can be used to guide your efforts on how to optimize and improve identity management deployments to make them more efficient. Learn more at http://www.sans.org/info/34829

*************************************************************************

TRAINING UPDATE

- SANS CDI in Washington: 30 courses; big security tools expo; lots of evening sessions: http://www.sans.org/cdi08/
- Monterey (10/31-11/6) http://www.sans.org/info/30738
- Sydney Australia (10/27-11/1) http://www.sans.org/sydney08/
- Vancouver (11/17-11/22) http://www.sans.org/vancouver08/
and in 100 other cities and online any time: www.sans.org

*************************************************************************

TOP OF THE NEWS

UK Government Data Breaches Raise Concerns About Proposed Database (October 29, 2008)

According to statistics released by the UK Information Commissioner's Office (ICO), the public sector reported 176 data breaches last year, while the private sector reported 80. Of those in the public sector, 75 were at NHS and other health-related organizations, 28 in central government and 26 in local government. Information Commissioner Richard Thomas expressed "alarm that despite high profile data losses, the threat of enforcement action, a plethora of reports on data handling and clear ICO guidance, the flow of data breaches and sloppy information handling continues." Thomas called on company executives to take responsibility for the personal data their companies hold instead of leaving it to the IT departments. He also used the figures to underscore his push for caution in creating large databases of personal information.
-http://news.bbc.co.uk/2/hi/uk_news/politics/7697093.stm
-http://www.silicon.com/silicon/research/specialreports/agenda-setters-2008/ceos-told---take-responsibility-for-toxic-data-39330308.htm
-http://www.nzherald.co.nz/compute/news/article.cfm?c_id=1501832&objectid=10539909

[Editor's Note (Honan): Having attended that keynote speech, it was interesting to note that despite his concerns about the numbers of data breaches Mr. Thomas feels that there is no need to introduce mandatory breach disclosure laws into the UK. His concerns focused on adding additional burden on businesses and causing "breach fatigue" amongst the public if they get too many notices. Is this not ignoring the fact that companies should be better protecting people's data in the first place so they need not get these notifications? ]

Appeals Court Upholds Decision, Reversing Case That Allowed Business Method Patents (October 30, 2008)

The United States Court of Appeals for the Federal Circuit this week ruled nine to three to uphold a lower court decision that could reverse the landmark State Street Bank vs. Signature Financial Group case. That case, decided in 1998, found that business methods for computer commerce were patentable, and led to successful applications for patents for Amazon.com's "1-Click" checkout and Priceline.com's "name your own price" and various other tools.
-http://bits.blogs.nytimes.com/2008/10/30/federal-court-kills-patents-on-business-methods/?pagemode=prints
-http://www.groklaw.net/article.php?story=20081030150903555
-http://blogs.wsj.com/law/2008/10/30/court-reverses-position-on-business-methods-patents-in-bilski-case/?mod=googlenews_wsjs
-http://www.groklaw.net/pdf/07-1130.pdfs

Court Rules Running Hashes Constitutes Fourth Amendment Search (October 29, 2008)

A US District Court has ruled that running hash values on a computer constitutes a Fourth Amendment search (meaning a warrant would have been needed to allow the evidence to be used in court). The ruling suppresses evidence found by police on Robert Crist's computer. Because Crist had fallen behind on his rent, his landlord hired people to move his belongings to the curb. A friend of the movers picked up his laptop, and when Crist discovered the pile of his property outside, he reported his computer stolen. Crist's friend allegedly found images of child pornography on the machine and called the police, who then ran hashes on the machine to determine if it contained files known to be child pornography. The decision will likely be appealed.
-http://volokh.com/archives/archive_2008_10_26-2008_11_01.shtml#1225159904
-http://arstechnica.com/news.ars/post/20081029-court-rules-hash-analysis-is-a-fourth-amendment-search.html

[Editor's Note (Schultz): This ruling reinforces the message that cyber lawyer Mark Rasch constantly conveys, namely that the law and common sense often do not dovetail with each other.
(Northcutt): This is the second time recently kiddie porn has been the basis of a major court decision, the other was:
-http://lists.sans.org/pipermail/list/2007-December/026802.html
Anyway, this is a very complex case; when I first read it I thought it was open and shut, but Crist had no expectation his property would be transferred to another person, so while the issue of crypto hashes as part of search and seizure is important, my guess is this is too muddy to establish strong case law. And we still have the issue of reliability of hashes to consider:
-http://en.wikipedia.org/wiki/Hash_collision]
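The hash analysis at the center of this ruling is a known-file hash-set lookup, and the editor's note raises the reliability (collision) concern. As an added example, not code from the newsletter or the court record, the block below compares a file's digests against a constructed reference hash set and only reports a hit when two independent algorithms (MD5 and SHA-256) both agree, so a collision in one algorithm cannot by itself produce a false match. All file names and contents are constructed samples.

```python
import hashlib

# Constructed stand-in for a reference hash set. In a real examination this
# comes from a vetted source (a vendor or law-enforcement hash list), never
# from content built on the examiner's machine.
KNOWN_FILES = {
    "known_a.bin": b"constructed sample content A\n",
    "known_b.bin": b"constructed sample content B\n",
}


def digests(data: bytes) -> tuple:
    """Return (md5_hex, sha256_hex) for a byte string.

    Two unrelated algorithms are computed so the lookup does not depend on
    the collision resistance of any single one (MD5 collisions are practical).
    """
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def build_hash_set(files: dict) -> dict:
    """Map each known file name to its (md5, sha256) pair."""
    return {name: digests(content) for name, content in files.items()}


def match_file(data: bytes, hash_set: dict) -> tuple:
    """Look a file up in the reference set.

    Returns (full_matches, partial_matches):
      full_matches    - known files whose MD5 AND SHA-256 both match (a hit)
      partial_matches - known files where only one digest matches; these are
                        flagged for manual review instead of being reported
                        as hits, which is the defensive handling of the
                        collision concern.
    """
    md5, sha = digests(data)
    full, partial = [], []
    for name, (known_md5, known_sha) in hash_set.items():
        md5_hit, sha_hit = (md5 == known_md5), (sha == known_sha)
        if md5_hit and sha_hit:
            full.append(name)
        elif md5_hit or sha_hit:
            partial.append(name)
    return full, partial


if __name__ == "__main__":
    reference = build_hash_set(KNOWN_FILES)
    # Constructed "evidence" files: one is an exact known file, one is not.
    for label, blob in [("copy of A", KNOWN_FILES["known_a.bin"]),
                        ("unrelated", b"constructed unrelated content\n")]:
        hits, review = match_file(blob, reference)
        print(f"{label}: hits={hits} needs_review={review}")
```

An exact copy of a known file yields a hit; any file whose digests disagree with the reference pair lands in the review list rather than being reported as a match.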

Study Finds Security Policy Adherence Problems (October 28 & 29, 2008)

A Cisco-commissioned study found that employees at businesses in 10 countries around the world are often unaware of their companies' security polices, or the employees ignore the policies because they hinder productivity. When surveyed about whether their companies had security policies, there was a 20 to 30 percent gap between responses from IT professionals and other employees. When asked why security policies are violated, IT professionals pointed to ignorance, while other employees said it was because the policies made it more difficult for them to do their jobs. The study surveyed more than 2,000 employees and IT professionals at companies in the US, the UK, France, Germany, Italy, Japan, China, India, Australia and Brazil.
-http://www.eweek.com/c/a/Security/Cisco-Study-Highlights-Common-Failures-of-Enterprise-Security-Policies/

-http://www.computerworld.com.au/index.php/id;1866823251;fp;4;fpid;78268965


************************* SPONSORED LINK ******************************

1) Sign up for SANS Webcast: Keeping Trusted Endpoints Honest: Using IDS/IPS for Post-Connect NAC Tuesday, November 4, 2008 at 1:00 PM EST Sponsored By StillSecure http://www.sans.org/info/34834

*************************************************************************

THE REST OF THE WEEK'S NEWS

ARRESTS, CHARGES, CONVICTIONS & SENTENCES

Tenenbaum Indicted in New York (October 29 & 30, 2008)

Ehud Tenenbaum has been indicted in New York on charges of access device fraud and conspiracy to commit access device fraud. The indictment alleges that Tenenbaum "did knowingly and with intent to defraud effect transactions with one or more access devices issued to another person or persons." Last month, Tenenbaum and three accomplices were arrested in Canada for allegedly breaking into computer systems to increase limits on prepaid debit and credit cards and using those cards to withdraw US $1.7 million. In 1998, Tenenbaum broke into unclassified computer systems at the Pentagon in what was then called "the most organized and systematic attack to date" on US defense department computers.
-http://www.theregister.co.uk/2008/10/30/analyzer_hacker_indictment/
-http://blog.wired.com/27bstroke6/2008/10/israeli-hacker.html

Cyber Saboteur Gets Six Months in Prison (October 28, 2008)

A federal judge has sentenced contract systems administrator Priyavrat Patel to six months in prison for deliberately sabotaging three servers at his former employer's business. Patel will also serve three years of supervised release, the first six months of which will be in home confinement, and pay US $120,000 in restitution. Patel was upset over having been fired from his contract position at Connecticut tool manufacturer Pratt-Read; he removed critical boot-up files from the three servers, forcing the company to rely on paper documentation for two weeks while the problem was cleaned up. Patel had accessed the servers from his home in late November 2007.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9118362&source=rss_topic17

-http://newhaven.fbi.gov/dojpressrel/2008/nh102808b.htm

GOVERNMENT SYSTEMS AND HOMELAND SECURITY

Commission Will Draw Up Cyber Security Advice for Next President (October 28, 2008)

The Commission on Cyber Security for the 44th Presidency is developing a body of advice for the next president, some of which may not be in concert with President Bush's Cyber Initiative. Commission co-chair Rep. Jim Langevin (D-R.I.) points out that while the Cyber Initiative is a "good start," the commission's findings draw from an array of experts in their fields. One of the more controversial recommendations is to move the lead for cyber security from its present location at the Department of Homeland Security (DHS) to a position in the White House.
-http://www.gcn.com/online/vol1_no1/47459-1.html?page=1

UPDATES AND PATCHES

Opera 9.62 Addresses Critical Hole in Browser (October 30, 2008)

Opera has released version 9.62 of its flagship browser to address a critical arbitrary code execution vulnerability in the "history search" page that was disclosed late last week. The update also fixes a cross-site scripting vulnerability in the browser's links panel. The release of Opera 9.62 follows that of Opera 9.61 by one week.
-http://www.heise-online.co.uk/security/Opera-closes-critical-hole-in-web-browser--/news/111831
-http://www.scmagazineus.com/Opera-Software-fixes-flaw-with-browser-version-962/article/120214/

-http://www.opera.com/support/search/view/906/
-http://www.opera.com/support/search/view/907/

STANDARDS

NIST Releases Documents on Key Management, Security in System Development Life Cycle and HIPAA Rule Implementation (October 27, 2008)

The National Institute of Standards and Technology (NIST) has released three documents. Special Publication 800-57, "Recommendation for Key Management Part 3: Application Specific Key Management Guidance," is a draft document aimed at helping "system administrators and system installers adequately secure applications based on product availability and organizational needs and to support organizational decisions about future procurements." Comments on the draft document will be accepted through January 16, 2009. Special Publication 800-64, "Security Considerations in the System Development Life Cycle," is a document in its final form that "has been developed to assist federal government agencies in integrating essential IT security steps into their established IT system development life cycle." Special Publication 800-66, "An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule," is also in its final form.
-http://www.gcn.com/online/vol1_no1/47450-1.html?topic=security
-http://csrc.nist.gov/publications/drafts/800-57-part3/Draft_SP800-57-Part3_Recommendationforkeymanagement.pdf

-http://csrc.nist.gov/publications/nistpubs/800-64-Rev2/SP800-64-Revision2.pdf
-http://csrc.nist.gov/publications/nistpubs/800-66-Rev1/SP-800-66-Revision1.pdf

STATISTICS, STUDIES & SURVEYS

RSA Wireless Security Study (October 27 & 28, 2008)

RSA's seventh annual wireless security survey looked at wireless networks in London, New York and Paris. Most corporate access points in the three cities are using some form of encryption. In New York, 97 percent of access points are protected by encryption; in Paris, 94 percent are encrypted; and in London, 80 percent are encrypted. Homeowners with wireless access points appear to be more careful than companies; the percentages of wireless home networks with encryption in Paris, New York and London are 98 percent, 97 percent and 90 percent, respectively.
-http://www.theregister.co.uk/2008/10/28/rsa_wireless_security_survey/
-http://www.eweek.com/c/a/Security/RSA-Wireless-Security-Making-Headway-Though-Vulnerabilities-Remain/

MISCELLANEOUS

ICANN Tells EstDomains its Registrar Accreditation Will be Revoked (October 29 & 30, 2008)

The Internet Corporation for Assigned Names and Numbers (ICANN) says that EstDomains' registrar accreditation will be revoked on November 12. EstDomains is a domain name registrar that is known to register shady domains used in the commission of cybercrime. The reason given for the revocation is that company president Vladimir Tsastsin was convicted in an Estonian court on credit card fraud charges. Many domain names registered by EstDomains have been used in spam, phishing, malware spreading and drug sale schemes. US network provider Intercage also ended its contract with EstDomains when it was faced with termination of service from its upstream providers for similar reasons. Update: The revocation has been temporarily stayed while ICANN hears EstDomains' response to the charges against Tsastsin.
-http://www.theregister.co.uk/2008/10/29/estdomains_gets_deaccredited/
-http://www.vnunet.com/vnunet/news/2229394/estdomains-fighting-life
-http://www.securityfocus.com/brief/847
The letter explaining the ICANN point of view:
-http://www.icann.org/correspondence/burnette-to-tsastsin-28oct08-en.pdf
The reply from EstDomains to ICANN:
-http://www.icann.org/correspondence/poltev-to-burnette-29oct08-en.pdf
[Guest Editor's Note (Frantzen): Should ICANN go forward with this, the 281,000 domains under care of EstDomains will need to be migrated according to established procedure.
-http://www.icann.org/processes/registrars/de-accredited-registrar-transition-procedure-01oct08.pdf
]

New Zealand Police Want Mandatory Registration for Pre-Paid Cell Phone Purchases (October 28 & 29, 2008)

Police in New Zealand have called for mandatory registration for people buying prepaid cell phones. There has been concern that criminals use the phones, which presently require no information to purchase, to communicate with each other in untraceable ways. The president of the Auckland Council for Civil Liberties says the change would be intrusive, and that lost and/or stolen phones then used for criminal activity could draw legitimate owners into the morass of investigations.
-http://www.nzherald.co.nz/technology/news/article.cfm?c_id=5&objectid=10539844
-http://www.nzherald.co.nz/technology/news/article.cfm?c_id=5&objectid=10539719



*************************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Will Pelgrin is Chief Information Security Officer of New York State, chair of the Multi-State Information Sharing and Analysis Center and co-chair of the National ISAC Council.


Ed Skoudis is co-founder of InGuardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.


Alan Paller is director of research at the SANS Institute.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription (and for free posters), or to update a current subscription, visit http://portal.sans.org/