SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume X - Issue #96

December 09, 2008

Three important resources - all free:
The top story is about the report just released by the Commission on Cyber Security for the 44th Presidency. The two Congressional co-chairs told the press yesterday that they will do everything in their power to help get the recommendations implemented. The Obama transition team has already asked for a full briefing. You can get your own copy at http://www.csis.org/media/csis/pubs/081208_securingcyberspace_44.pdf
In his editorial note below Gartner's John Pescatore calls for better application security. In an important step in the right direction, the New York Office of Cyber Security and Critical Infrastructure Coordination has developed standard procurement language for ensuring security is baked into applications purchased and developed by the State. Dozens of other states are reviewing the new procurement language and several are already implementing it. They have agreed to make their work available to the broader security community through SANS. CIOs and CISOs from medium and large organizations may request a copy by emailing apaller@sans.org.
Free live-on-line training on the most important new techniques in penetration testing. Ed Skoudis, the nation's top pen testing and hacker exploits teacher, is doing a 90 minute briefing called "Secrets of America's Top Penetration Testers," on Wednesday, December 17, from 1:00pm - 2:30pm EST and again on December 22nd when the 200 seats at the first one fill up. Great chance to see how good on line, live education can be. To register, visit https://www.sans.org/athome/details.php?nid=16889
If you want a seat in Ed's full six-day course (or his one-day update courses) at SANS 2009 in Orlando - be sure to sign up before the end of the year - his courses always fill up earlier than the others. Forty other courses at SANS 2009, too. http://www.sans.org/sans2009
Alan

---

TOP OF THE NEWS

Report Urges Obama to Create High Level Cyber Security Position
Group Aims to Shift Cyber Security Focus From Compliance to Effectiveness Against Attacks
Security Fed's Achilles Heel: Need Baked-in Security
European Court Ruling Means Britain Must Destroy Some DNA Evidence

THE REST OF THE WEEK'S NEWS

ARRESTS, CHARGES & CONVICTIONS
Two Arrests in BNP Membership List Leak Case
Three Indicted in Thefts from Online Financial Accounts
POLICY AND LEGISLATION
China Wants to Inspect Imported Computer Security technology
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Microsoft Lawsuits Target Alleged Sellers of Pirated Software
MALWARE
DNSChanger Trojan Variant Detected
UPDATES AND PATCHES
Firefox to Discontinue Anti-Phishing Feature in Version 2 Update
ATTACKS
SSH Brute Force Attack Uses Botnet to Target Specific Servers
STUDIES AND STATISTICS
BitDefender Report Says Phony Anti-Virus Programs Responsible for Many Windows Infections

---

*********************** Sponsored By ArcSight, Inc. *********************

Complimentary Whitepaper: Monitoring Data Access by Privileged Users Data breaches and confidential information theft continue to rise. An effective SIEM solution can help organizations understand who is on the network, what data they are seeing, and which actions they are taking with that data.
This whitepaper outlines how SIEM can provide privileged user monitoring across all applications, file systems, and databases. The result is increased security and data protection. http://www.sans.org/info/36328">http://www.sans.org/info/36328

*************************************************************************

TRAINING UPDATE

- - SANS 2009 in Orlando in early march - the largest security training conference and expo in the world. lots of evening sessions: http://www.sans.org/
- - SANS Security West Las Vegas (1/24-2/01) http://sans.org/securitywest09/
- - Looking for training in your own Community? http://sans.org/community/ For a list of all upcoming events, on-line and live: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

Report Urges Obama to Create High Level Cyber Security Position (December 8, 2008)

In a report titled "Securing Cyberspace for the 44th Presidency," the CSIS Commission on Cybersecurity for the 44th Presidency urges President-elect Barack Obama to create the National Office for Cyberspace, a new White House office headed by an Assistant to the President for Cyberspace, who would oversee 10-20 employees. The report also pushes for new legislation that would allow investigations into cyber crime to proceed more quickly. Among the proposals is the creation of data warrants in place of search warrants. Commission member Jerry Dixon said, "We have to have a solid cyber doctrine" defining when incidents would require military action and when they would be better addressed through law enforcement or intelligence community channels. The report makes numerous other recommendations, including moving the government away from passwords toward strong authentication for network access.
-http://www.securityfocus.com/news/11540
-http://www.nextgov.com/nextgov/ng_20081208_8449.php
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9122903&source=rss_topic17
-http://online.wsj.com/article/SB122870335556887341.html?mod=googlenews_wsj
-http://news.cnet.com/8301-13578_3-10117856-38.html?part=rss&subj=news&ta
g=2547-1_3-0-20
-http://www.nytimes.com/2008/12/09/technology/09security.html?partner=rss&emc
=rss&pagewanted=print
-http://www.washingtonpost.com/wp-dyn/content/article/2008/12/08/AR2008120801944_
pf.html
-http://www.csis.org/media/csis/pubs/081208_securingcyberspace_44.pdf
[Editor's Note (Skoudis): US-based infosec pros really should read this document, as it contains numerous insights that will influence the evolution of our industry here. Set aside some time this weekend to flip through it at least. Even if its recommendations aren't adopted, it will frame the debate, so reading it will help people contribute to that debate.]

Group Aims to Shift Cyber Security Focus From Compliance to Effectiveness Against Attacks (December 4, 2008)

A group of security experts, led by ex-Air Force CIO John Gilligan, is developing cyber security standards it hopes will be endorsed by the Federal CIO Council, the Inspectors General, and Office of Management and Budget (OMB). The standards would shift agency focus from checklist compliance to measuring how ready agencies are to withstand known attacks and how ready they are to discover and clean up after attacks that were successful. The new "attack based metrics" takes advantage of both government and private hacker and forensics knowledge to understand how systems are being infiltrated and attacked and to measure the effectiveness of controls meant to counter those attacks. It seeks to solve the problems caused by NIST guidance that so diffused agency efforts that they did not focus on the most important controls. The approach is similar to that used by the US Air Force, which worked with National Security Agency (NSA) hackers to document the vulnerabilities in their systems; the project ultimately led to the development of the Federal Desktop Core Configuration (FDCC). The group helping to shape the new standards includes experts at the NSA, the Air Force, the US Computer Emergency Readiness Team (US-CERT) and the Defense Department Cyber Crime Center, the Government Accountability Office, as well as leaders in the forensics and penetration testing community outside government.
-http://www.federaltimes.com/index.php?S=3849692
Thursday at 10 AM Eastern Standard Time, Mr. Gilligan will be interviewed about the project on Federal News Radio. Listen live at
-http://www.federalnewsradio.com/?nid=249
or listen to the archive later.
[Editor's Note (Honan): The development of the Federal Desktop Core Configuration (FDCC) was an excellent piece of work. Let's hope that this new project can produce results of the same quality which both Government and industry can apply to enhance the security of our networks. ]

Security Fed's Achilles Heel: Need Baked-in Security (December 3, 2008)

Speaking at a conference last week, US Air Force chief information officer (CIO) Lt. Gen. Michael Peterson called cyber security the US government's "Achilles heel" and said that best practices need to become ubiquitous for government agencies to be adequately protected from cyber threats. Peterson added that he believes that in the future, conflict will not become solely computer based, but that cyber attacks will be one strategy among many used by adversaries. Peterson said cyber security needs to be implemented in agency operations, not added on as an afterthought.
-http://www.nextgov.com/nextgov/ng_20081203_1212.php
[Editor's Note (Pescatore): One good way the DoD could accelerate "baking in security" (vs. trying to sprinkle it on at the end) is to accelerate efforts to change the certification and accreditation process for IT systems from a paper-driven exercise to something that has more focus both on early design review for inclusion of security capabilities *and* on actually detecting vulnerabilities in software before approving systems.
(Northcutt): You have to give the government some credit for moving in the direction of best practice, but they need to go further - to begin to shift the focus to be more on detection so they are ready when the inevitable compromises occur. We need to get better at detecting collected information being taken and "beamed to the mothership" and also detecting malware on systems themselves.
(Paller): Few security problems are more challenging than finding the "persistent presence" of attackers who have burrowed into systems and networks. The US government has prioritized solving that problem as one of the 12 key projects of the multi-billion-dollar Comprehensive National Cyber Initiative (CNCI). ]

European Court Ruling Means Britain Must Destroy Some DNA Evidence (December 4 & 5, 2008)

The European Court of Human Rights has ruled unanimously that retaining people's DNA samples and fingerprints when they have not been convicted of a crime is a violation of privacy. The ruling, which cannot be appealed, stems from a case in which two people in unrelated incidents sought to have their information purged from the UK's DNA database; in one of the instances, the charges were dropped, in the other, the individual was acquitted of the charges. Britain has until March to develop a plan for destroying the information it holds or for making a solid case for keeping some of the information. Britain's DNA database contains more than 4.5 million samples. More than 850,000 samples are from individuals with no criminal records. The current policy in Britain is to retain the information for 100 years or until the person dies. In Scotland, DNA samples taken for investigations that are ultimately dropped are destroyed. Finland, Germany and Sweden also destroy DNA samples when people are acquitted.
-http://www.msnbc.msn.com/id/28056833/
-http://news.cnet.com/8301-1009_3-10114304-83.html?tag=mncol;title
[Editor's Note (Skoudis): These points of overlap between biology and IT in areas such as bioinformatics, genetic engineering, and biometrics are fascinating and very much charged with ethical implications. We're heading for a lot of controversy in this rapidly expanding and exciting realm. ]

---

*************** SPONSORED LINK SCADA SECURITY SUMMIT ******************

How to present security investments to public utility commissioners. How to manage security in a disaster when you have to keep running and let outsiders in. Where the vulnerabilities are in the new smart meters. Much more. All at the SCADA and Control Systems Security Summit in New Orleans, February 2-3. Plus free courses sponsored by DHS and DoE. http://www.sans.org/scada09_summit/

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

ARRESTS, CHARGES & CONVICTIONS

Two Arrests in BNP Membership List Leak Case (December 5, 2008)

Two people have been arrested in connection with the leak of the British National Party (BNP) membership list to the Internet. The people have been charged under the UK Data Protection Act. The list of approximately 13,500 members of the far-right organization was leaked to the Internet last month. The information that was exposed includes names, addresses and email addresses. Membership in the organization is generally kept secret because of fears of harassment. The list is believed to hold information of people who had expressed interest in the BNP as well as official members.
-http://www.theregister.co.uk/2008/12/05/bnp_list_arrests/
-http://www.guardian.co.uk/politics/2008/dec/05/bnp-leak-arrests
[Editor's Note (Northcutt): On my taxi drive to SANS CDI in Washington DC, the driver was playing a public radio piece with the history of the John Birch society which just turned 50. The more I listened, the more I wondered about the impact of their losing their membership list, especially in the 60s when they were such a focus. This strategy (releasing the membership list of a private - secret society) was alive and well in ancient Rome, but now that you can extract phonebooks from cell phones with Bluetooth, and database schemas from Internet facing web sites, it can only become more common. ]

Three Indicted in Thefts from Online Financial Accounts (December 5, 2008)

Three men have been indicted in connection with a scheme in which thousands of dollars from online bank and brokerage accounts were stolen. Authorities believe the mastermind of the scheme was Alexander Bobnev of Volgograd, Russia who allegedly recruited others in Russia, to infect machines with Trojan horse programs that stole the account login credentials. Bobnev also allegedly transferred money from the accounts into drop accounts in the US. There, Aleksey Volynskiy and Aleksey Mineev were allegedly responsible for opening the drop accounts and withdrawing the money. All three men face charges of conspiracy; Volynskiy faces two additional charges of access device fraud for allegedly attempting to have stolen credit card numbers made into phony cards.
-http://blog.wired.com/27bstroke6/2008/12/fed-blotter-ame.html
-http://blog.wired.com/27bstroke6/files/alexander_bobnev_indictment.pdf
-http://blog.wired.com/27bstroke6/files/aleksey_volynskiy_indictment.pdf

POLICY AND LEGISLATION

China Wants to Inspect Imported Computer Security technology (December 8, 2008)

As of May 1, 2009, computer security technology that comes from outside China must be submitted to the government for approval and certification, raising concerns that companies may have to divulge trade secrets. According to a statement from the China Certification and Accreditation Administration, the rules are aimed at protecting national security and "advanc(ing) industry development." It has not specified what information the companies must disclose. The rules cover an array of hardware and software, including database and network security systems and secure routers.
-http://www.washingtonpost.com/wp-dyn/content/article/2008/12/08/AR2008120801333_
pf.html

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT

Microsoft Lawsuits Target Alleged Sellers of Pirated Software (December 5, 2008)

Microsoft has filed 63 lawsuits against people the company believes are selling pirated copies of its software on Internet auction sites. The suits name defendants in the UK, the US, France and Germany; most are accused of selling phony copies of Windows XP, which is reportedly growing in popularity on the sites "as it is reaching the end of its commercial sales cycle." PCs sold with preinstalled Microsoft software after June 2008 come with Windows Vista instead of XP. According to Microsoft's research, 34 percent of the software sold on the auction sites does not install properly on PCs, and 43 percent contains altered code that could make users' PCs susceptible to cyber attacks.
-http://news.bbc.co.uk/2/hi/technology/7766607.stm

MALWARE

DNSChanger Trojan Variant Detected (December 5, 2008)

A new variant of the DNSChanger Trojan horse program has been identified. The malware affects a range of devices on local networks and directs them to phony websites even if the computers are fully-patched windows machines or are running other operating systems. Just one infected machine on a local area network (LAN) can change the DNS settings for many other connected devices. The malware "undermines the dynamic host configuration protocol (DHCP)." Internet Storm Center posted the original story reporting this new variant:
-http://isc.sans.org/diary.html?storyid=5434
-http://www.theregister.co.uk/2008/12/05/new_dnschanger_hijacks/

UPDATES AND PATCHES

Firefox to Discontinue Anti-Phishing Feature in Version 2 Update (December 5 & 8, 2008)

Firefox users who are still running Firefox 2 are urged to upgrade to Firefox 3, as the next (and final) version of Firefox 2, scheduled for release on December 16, will no longer have the anti-phishing feature. Google has asked Mozilla to remove the feature from future versions of Firefox 2 because it still uses Application Programming Interface (API) version 1; Google plans to stop using that version soon. Users who choose to update to Firefox 2.0.0.19 instead of upgrading to Firefox 3 will receive a clear warning that the new version will not provide anti-phishing protection. Mozilla released Firefox 3 in June 2008.
-http://www.heise-online.co.uk/security/Mozilla-pulls-anti-phishing-feature-from-
Firefox-2--/news/112185
-http://news.cnet.com/8301-1009_3-10115852-83.html

ATTACKS

SSH Brute Force Attack Uses Botnet to Target Specific Servers (December 5 & 8, 2008)

After noting a spike in failed SSH logins in October, researchers identified an ongoing brute-force attack that involves multiple machines that have been compromised with bot software. The attacks target specific servers. Researchers have not been able to obtain a sample of the botnet code used in the attack.
-http://www.theregister.co.uk/2008/12/08/brute_force_ssh_attack/
-http://www.heise-online.co.uk/security/Distributed-SSH-attacks-bypass-blacklists
--/news/112174

STUDIES AND STATISTICS

BitDefender Report Says Phony Anti-Virus Programs Responsible for Many Windows Infections (December 6, 2008)

According BitDefender's Top E-Threats Report, more than one-third of infections of Windows-based computers in the last month are from phony anti-virus scams. The malware pops up a window that claims to be scanning for malware. It then pops up a message that it detected malware on the computer and asks the user to buy a program to get rid of the offending code. The scam nets the thieves the credit card information of those who choose to purchase the bogus program and gives them the opportunity to take control of those computers, because what is actually downloaded to their computers when they buy the fake program is malware which could be anything from adware to bot software.
-http://www.heise-online.co.uk/security/Most-recent-Windows-infections-result-fro
m-the-same-simple-trick--/news/112176

---

*************************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescastore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Ron Dick headed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.


Alan Paller is director of research at the SANS Institute


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/