SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume X - Issue #97
December 12, 2008
A bonus exclusively for those of you may attend SANS2009 in Orlando or SANS Security West in Las Vegas (something you can offer to all of your co-workers at no cost): Three two-part, live-on-line, pre-conference training programs by SANS top instructors (the newest, most effective pen testing techniques, forensics, and application security.) We'll give you more data in mid-January, but wanted you to know early in case a gift like this to your co-workers helps you use end-of-year funds to register for either of those programs.
SANS Security West: http://www.sans.org/securitywest09/ SANS 2009: http://www.sans.org/sans2009/
Alan
TOP OF THE NEWS
Sony Will Pay Penalties for COPPA ViolationsMcAfee's Virtual Criminology Report
Mumbai Terrorists Used VoIP, Satellite Images and GPS to Help Plan and Carry Out Attacks
THE REST OF THE WEEK'S NEWS
LEGAL ISSUEST-Mobile and AT&T Will No Longer Advertise Their Voice Mail Systems as Secure
Judge Grants TRO to Shut Down Scareware operation
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
Chertoff Wary of Moving Cyber Security Oversight from DHS to White House
Possible Candidates for Cyber Czar
Federal CISOs Discuss Possible FISMA Changes
VULNERABILITIES UPDATES AND PATCHES
Zero-Day Flaws Detected in Internet Explorer and WordPad
December's Patch Tuesday Comprises Eight Security Bulletins
STUDIES AND STATISTICS
Irish Cybercrime Survey
Firefox Tops List of Most Known Vulnerabilities in Applications
******************* Sponsored By Sourcefire, Inc. ***********************
SANS Real-time Adaptive Security White Paper
Real-time Adaptive Security is the next step beyond an IPS implementation. It gives you full network visibility, provides context around events so you know which ones to investigate first, reduces your false positives dramatically, offers automated impact assessment, introduces automated IPS tuning, and more. Let SANS tell you how. http://www.sans.org/info/36414">http://www.sans.org/info/36414
*************************************************************************
TRAINING UPDATE
- - SANS 2009 in Orlando in early march - the largest security training conference and expo in the world. lots of evening sessions: http://www.sans.org/
- - SANS Security West Las Vegas (1/24-2/01) http://sans.org/securitywest09/
- - Looking for training in your own Community? http://sans.org/community/
For a list of all upcoming events, on-line and live: www.sans.org
*************************************************************************
TOP OF THE NEWS
Sony Will Pay Penalties for COPPA Violations (December 11, 2008)
The US Federal Trade Commission (FTC) has announced that Sony BMG Music Entertainment will pay penalties of US $1 million for violations of the Children's Online Privacy Protection Act (COPPA). Sony BMG collected data from more than 30,000 children under the age of 13 without their parents' consent, which is required under COPPA. The FTC says that Sony BMG allowed children to interact with other visitors to some of their sites, including adults, again without parental consent. Sony BMG's privacy policy stated that site users under the age of 13 would be restricted from certain activities on the site, but the underage registrations were accepted.-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9123219&source=rss_topic17
[Editor's Note (Ranum): This is a very interesting problem for social networking sites. Many attempt to control what minors can do/see but have no real way of reliably differentiating a minor from an adult. I participate in an online arts site that has blocks to prevent minors from seeing "mature content" but everyone knows that minors create profiles with inaccurate ages. At what point does the site become liable? Personally, I think this should be the parents' problem, not the Internet's; COPPA is fundamentally deeply flawed legislation. ]
McAfee's Virtual Criminology Report (December 2008)
McAfee's annual Virtual Criminology Report arrived at three key findings. First, cyber crime is not a priority of governments around the world; the low priority is compounded by other pressing international concerns such as terrorism and the economy. Second, because the cyber world knows no borders, prosecution for cyber crime often proves difficult. Finally, law enforcement organizations lack adequate training in all aspects of cyber crime, from forensics to court proceedings. The report makes a number of recommendations to mitigate the problems it describes: increasing training for law enforcement officers, prosecutors and judges; incentives for Internet service providers (ISPs) to adhere to best practices for network design and operation; mandatory security breach disclosure; legal responsibilities for organizations in both the private and public sectors for Internet-related data breach or loss; consumer education; limited liability for software vendors that do not abide by best practices for security in design and operation; and "the use of government procurement power to demand significantly higher standards of security in software and services."-http://www.mcafee.com/us/local_content/reports/mcafee_vcr_08.pdf
-http://voices.washingtonpost.com/securityfix/2008/12/report_cybercrime_is_winnin
g_t.html
Mumbai Terrorists Used VoIP, Satellite Images and GPS to Help Plan and Carry Out Attacks (December 10, 2008)
The terrorists who perpetrated the deadly attacks in Mumbai, India used Voice over Internet Protocol (VoIP) telephones during the three days of violence to maintain contact with their leaders. The attackers used the mode of communication to evade attempts to monitor their communications. The terrorists in the Mumbai attacks were also believed to have used GPS devices to travel to Mumbai by sea. It is also believed that they learned the layout of the city by studying satellite images. There has been a petition filed in court in India to ban the use of Google Earth and similar services. Taliban members in Afghanistan reportedly use Skype to guard against eavesdroppers on their communications, and other attackers have been known to use information gleaned from Google Earth to launch attacks.-http://www.timesonline.co.uk/tol/news/world/asia/article5317075.ece
[Editor's Note (Schultz): The terrorists' use of these technologies in carrying out their sordid deeds once again shows that technological advances are truly a two-edged sword. In time, this problem is only likely to become worse.
(Ranum): On the other hand, these are all common technologies, so it would be surprising if they didn't use them.
(Pescatore): This is kind of silly. The attackers also used TV to monitor news reports. I took my family on vacation to Italy last year and we used GPS, laptops, cell phones, Google Earth and Skype. I bet a good percentage of tourists did - and also cell phone cameras and all kinds of other technology. The police forces also took advantage of the same technology to *respond* faster to the terrorist attack. The problem wasn't technology - the most effective technology the attackers used was gunpowder and that was invented over a thousand years ago. ]
*************** SPONSORED LINK SCADA SECURITY SUMMIT ******************
1) ALERT: Hackers Announce Open Season on Web 2.0 Users and Browsers- Purewire White Paper http://www.sans.org/info/36419
*************************************************************************
THE REST OF THE WEEK'S NEWS
LEGAL ISSUES
T-Mobile and AT&T Will No Longer Advertise Their Voice Mail Systems as Secure (December 11, 2008)
T-Mobile and AT&T have agreed to permanent injunctions in a Los Angeles court that prohibit them from claiming that their voice-mail systems are protected from sabotage. The Los Angeles District Attorney's Office says the two mobile service providers advertised that their systems were secure when they were not. An investigation revealed that their voice mail could be easily broken into changed or deleted.-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9123242&source=rss_topic17
[Editor's Note (Honan): If only we could get a similar ruling against IT security vendors who promise their products will make your systems compliant against whatever the latest popular standard.]
Judge Grants TRO to Shut Down Scareware operation (December 10 & 11, 2008)
A federal judge has issued a temporary restraining order that closes down operations of two companies involved in the marketing and distribution of phony malware protection software, often known as scareware. The product was advertised and sold by making false claims that illegal pornography had been detected on the users' computers and urging them to buy the phony products. The order was prompted by a lawsuit filed by the FTC. Companies that initially accepted the advertisements on their sites eventually became aware of the problem and began rejecting the ads. The malware purveyors then established phony advertising agencies that placed the ads, which were programmed to display images to people based on their IP addresses. The order also freezes the assets of the defendants. The defendants named are Kristy Ross, James Reno, Sam Jain, Daniel Sundin, Marc D'Souza and Maurice D'Souza.-http://www.theregister.co.uk/2008/12/10/scareware_group_shuttered/
-http://www.heise-online.co.uk/security/US-court-halts-the-sale-of-scareware--/ne
ws/112228
-http://voices.washingtonpost.com/securityfix/2008/12/court_freezes_assets_of_all
ege.html
-http://ftc.gov/os/caselist/0723137/081202innovativemrktgcmplt.pdf
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
Chertoff Wary of Moving Cyber Security Oversight from DHS to White House (December 10, 2008)
US Department of Homeland Security (DHS) Secretary Michael Chertoff has expressed concerns about moving cyber security operations oversight from DHS to the White House, as was recommended in a recent report from the Center for Strategic and International Studies (CSIS) Commission on Cybersecurity for the 44th Presidency. Chertoff said that "to get the White House involved in operational activity ... pulls the White House into areas where it's exposed to legal and oversight issues."-http://www.nextgov.com/nextgov/ng_20081210_6108.php
[Editor's Note (Weatherford): From a political perspective, Secretary Chertoff's point may be valid and the White House office might create some unusual problems...but nothing that hasn't been dealt with before. On the other hand, the visibility of a White House appointment would speak volumes about how seriously the new administration takes the national cyber security problem and it would provide the inherent and organic horsepower needed to make changes. This is what those of us in the security business should be praying for. ]
Possible Candidates for Cyber Czar (December 9, 2008)
The CSIS Commission on Cybersecurity for the 44th Presidency recently released a report in which it recommended that president-elect Barack Obama create a new office within the White House to oversee cyber security. ChannelWeb has listed several people it believes could be on a short list to head up the national cyber security effort, including such luminaries as Richard Clarke, Colin Powell, and Patrick Fitzgerald, plus some more conventional choices.-http://www.crn.com/security/212300531
Federal CISOs Discuss Possible FISMA Changes (December 9, 2008)
Federal Chief Information Security Officers (CISO) speaking at a panel discussion at a Government Technology Research Alliance conference discussed how potential changes to the Federal Information Security Management Act (FISMA) would affect their organizations. The greatest concern is that the new requirements would be piled on top of all the wasted effort they expend to meet increasingly discredited NIST guidance. The CISOs see the focus on attack based metrics as essential, but only if they don't have to waste most of their security budgets on paper exercises. The Senate Homeland Security and Governmental Affairs Committee earlier this year approved legislation to amend FISMA. The proposed changes include expanded responsibilities for the CISO, required annual third-party audits for government agencies and mandated standard contract language throughout the government.-http://www.fcw.com/online/news/154609-1.html?topic=security
Zero-Day Flaws Detected in Internet Explorer and WordPad (December 9, 10 & 11, 2008)
Despite Microsoft's security update that addresses 28 vulnerabilities (see story below), two zero-day vulnerabilities that are being exploited in targeted attacks remain unpatched. The flaws in question affect Internet Explorer (IE) and WordPad. The flaws require user interaction for exploits to be successful. Microsoft is looking into reports of the attacks, which it says are "limited and targeted." Exploit code for the IE flaw was released in China by researchers who believed the problem had been patched.-http://isc.sans.org/diary.html?storyid=5458&rss
-http://www.theregister.co.uk/2008/12/11/wordpad_zero_day/
-http://www.theregister.co.uk/2008/12/09/zero_day_ie_flaw_exploited/
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9123100&source=rss_topic17
-http://voices.washingtonpost.com/securityfix/2008/12/exploit_for_unpatched_inter
net.html
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9123118&source=rss_topic17
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9123179&source=rss_topic17
-http://www.gcn.com/online/vol1_no1/47709-1.html?topic=security
December's Patch Tuesday Comprises Eight Security Bulletins (December 9 & 10, 2008)
Microsoft's monthly software security update for December included eight bulletins that address a total of 28 vulnerabilities. Of those, 23 are rated critical. The fixes cover a range of the company's products, including Windows, Internet Explorer, Office, SharePoint, Windows Media and the Visual Basic and Visual Studio development tools. Most of the security flaws are remote code execution vulnerabilities; one bulletin also addresses a privilege elevation vulnerability. ISC:-http://isc.sans.org/diary.html?storyid=5449
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9123042&source=NLT_PM&nlid=8
-http://www.theregister.co.uk/2008/12/10/ms_patch_tuesday_december/
-http://news.cnet.com/8301-1009_3-10119227-83.html?part=rss&subj=news&tag
=2547-1009_3-0-20
-http://voices.washingtonpost.com/securityfix/2008/12/microsoft_plugs_at_least_28
_se.html
-http://www.securityfocus.com/brief/868
-http://www.microsoft.com/technet/security/bulletin/ms08-dec.mspx
STUDIES AND STATISTICS
Irish Cybercrime Survey (December 11, 2008)
The Irish chapter of the Information Systems Security Association (ISSA) and University College Dublin's Centre for Cybercrime have released the second Irish Cybercrime Survey, which looks at attacks and intrusions at both public and private organizations during the course of 2007. Thirty percent of companies experienced denial-of-service (DoS) attacks and 25 percent experienced external intrusion attempts. Eighteen percent of companies experienced instances of internal unauthorized access and 10 percent reported internal financial fraud. Sixty-one percent of the time, companies chose to deal with internal incidents through internal disciplinary procedures; of those cases, 37 percent resulted in job loss, 16 percent resulted in resignation, and four percent resulted in criminal prosecution.-http://www.siliconrepublic.com/news/article/11929/cio/irish-firms-are-suckers-fo
r-cybercrime-and-punishment
[Editor's Note (Weatherford): Though the sample set is small,but these are very actionable metrics. Numbers matter!
(Honan): An interesting statistic is that despite the high number of internal security breaches, only 14% of the companies surveyed were concerned about employees accessing data they should not, and only 8% rated internal intrusions in their top three security concerns. Companies need to wake up that one of the biggest threats to their security is their own staff, remember those that you trust the most are the ones that can hurt you the most. ]
Firefox Tops List of Most Known Vulnerabilities in Applications (December 11, 2008)
Whitelisting company Bit9 has compiled statistics on the applications with the most security vulnerabilities reported over the last year. Mozilla's Firefox web browser versions 2 and 3 top the list with 40 reported flaws. Adobe Acrobat versions 8.1.1 and 8.1.2 follow with 31 reported flaws. Windows Live (MSN) Messenger versions 4.7 and 5.1 came in third with 19 flaws. Fourth and fifth place were taken by Apple iTunes versions 3.2 and 3.1.2 and Skype version 3.5.0.248, respectively.-http://www.vnunet.com/vnunet/news/2232492/firefox-tops-app-vulnerability
-http://www.bit9.com/news-events/press-release-details.php?id=102
*************************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescastore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Ron Dick headed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.
Alan Paller is director of research at the SANS Institute
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/
