SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XI - Issue #17

March 03, 2009

First Opportunity to Learn How Leading Organizations Have Implemented Key Elements of the Consensus Audit Guidelines (CAG)

"What Works in Log Management and Analysis" Summit in Washington on April 6-7 is the first opportunity to learn how the log-related controls of the CAG are actually being implemented. Fourteen of the key actions needed to implement the CAG Guidelines (as published in Draft 1.0 on Feb 23, 2009) will be targeted at the Summit being held in Washington DC on April 6 & 7. Five of the key actions are labeled as "quick wins," so, any ISO or ISSM or consultant looking for a fast way to demonstrate actual security improvements should attend. In most cases you already have the tools in place; you may not yet have turned the right features on or targeted them in the right directions. Federal departmental level CISOs have free passes for the program; contact your CISO. Others may register at http://www.sans.org/logmgtsummit09/
Alan

---

TOP OF THE NEWS

NSA Gaining Support as Lead Agency on Cyber Security
Judge Says Man Must Decrypt Drive
Surveys Find Employees Stealing Data to Help Economic Prospects

THE REST OF THE WEEK'S NEWS

GOVERNMENT SYSTEMS AND HOMELAND SECURITY
Vermont Offers RFID-Enabled Driver's Licenses to Help at Border Crossings
Sensitive Presidential Helicopter Info Leaked Through P2P Program
One-Quarter of UK Defense Contractors Have Not Complied with Data Encryption Mandate
DATA BREACHES, LOSS & EXPOSURE
Doctor Charged with Violating Data Protection Act for Unauthorized Database Access
Visa Says There is No Third Payment Processor Breach
ATTACKS & ACTIVE EXPLOITS
Koobface Variant Spreading Through Social Networking Sites
STUDIES AND STATISTICS
Some Oracle Shops Have No Patch Application Policy
CAG CHRONICLE

---

************************ Sponsored By CA ******************************

Web-Based Security for Business Enablement
While "secure" and "Web" were once incompatible notions, they are now co-elements that support dynamic Web-based commerce. Technologies such as Web access management, single sign-on, identity management, federation, and strong authentication - when leveraged together - represent a more efficient way to conduct IT-enabled business. This IDC whitepaper explores how competitive advantage can be effectively realized through secure Web business enablement technologies. Learn more... http://www.sans.org/info/39638

*************************************************************************

TRAINING UPDATE

- - Phoenix 3/23-3/30 (5 courses) http://www.sans.org/phoenix09/
- - Washington DC (Tyson's Corner) 4/14-4/22 (5 long courses and 8 short courses) http://www.sans.org/tysonscorner09/event.php
- - Log Management Summit in Washington 4/5-4/7 http://www.sans.org/logmgtsummit09/
- - Plus Calgary, New Orleans, San Diego and more...
- - Looking for training in your own Community? http://sans.org/community/
For a list of all upcoming events, on-line and live: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

NSA Gaining Support as Lead Agency on Cyber Security (March 2, 2009)

There is mounting support for placing the locus of national cyber security efforts in the National Security Agency (NSA). Speaking before the US House Intelligence Committee last week, Director of National Intelligence Admiral Dennis Blair said that the US Department of Homeland Security (DHS), which is currently the lead agency on cyber security, has not made adequate strides and that the NSA has "the greatest repository of cyber talent," and possesses significant knowledge of the types and vectors of attack that threaten the country's national infrastructure. Admiral Blair acknowledged that there is work to be done regarding NSA's reputation, particularly because of the warrantless wiretapping program put in place by the previous administration.
-http://www.securityfocus.com/brief/917
-http://blog.wired.com/27bstroke6/2009/02/nsa-should-over.html
[Editor's Note (Schultz): Admiral Blair has a good point. When I first entered the information security arena, the NSA was the dominant cyber security player within the government, but then things changed. Perhaps it is now time to turn back primarily to the NSA for cyber security leadership. At the same time, the DHS's inability to make greater strides in cyber security leadership may be more due to the fact that the DHS has not been in existence all that long--too much may have been expected from it in too little a period of time.
(Weatherford): Despite much of the bad press NSA has received over the years, we would be far worse off as a nation without them and what they do. In addition, it's inherently unreasonable in my opinion to believe that an organization like DHS (despite the good work they do) whose mission and resources are so widely distributed that they include everything from FEMA, Immigration and Customs Enforcement (ICE), Transportation Safety Administration (TSA) among others can do as good a job in the very technical cybersecurity arena as the NSA who's entire mission is, and has always been, built upon the use of complex and sophisticated technology.]

Judge Says Man Must Decrypt Drive (February 26 & March 3, 2009)

A federal judge has ruled that a man suspected of having child pornography on an encrypted drive on his laptop computer is not protected by the Fifth Amendment. US District Judge William Sessions ruled that Sebastien Boucher surrendered those rights when he allowed his laptop to be searched the first time, and ordered Boucher to provide the court with an unencrypted version of the drive in question. The ruling reverses an earlier decision in which a judge ruled that Boucher was protected from incriminating himself under the Fifth Amendment. The original request from the US department of Justice had been to make Boucher surrender his encryption passwords; the appeal asked only that he decrypt the drive in view of the grand jury. Boucher's laptop was searched in December 2006 while crossing the border into the US from Canada. Agents claim to have seen the offending content, then shut down the computer. When they tried to access the images after Boucher's arrest, they were unable to because of his PGP program.
-http://news.cnet.com/8301-13578_3-10172866-38.html?tag=pop
-http://www.theregister.co.uk/2009/03/03/encryption_password_ruling/
-http://www.wcax.com/Global/story.asp?S=9909241
[Editor's Note (Liston): It's interesting that by lowering the standard from "give us your passwords" to "decrypt the drive" that the DOJ was able was able to win on appeal. I'm not sure how the difference in approach actually affects the Fifth Amendment issue.
(Weatherford): "But your Honor, I really did forget the password." ]

Surveys Find Employees Stealing Data to Help Economic Prospects (February 27 & March 2, 2009)

A Cyber-Ark Software survey of 600 office workers in London, New York and Amsterdam found that theft of proprietary information is on the rise; many of the thieves are not outsiders, but insiders concerned about losing their jobs. A study from Symark found that 40 percent of companies do not know whether employees' user accounts remain active after the employee no longer works for the company. According to UK Director of Cyber-Ark Mark Fullbrook, cyber criminals feel they are reaping benefits from the current economic crisis. Reductions in budgets have led to increased outsourcing and decreased focus on security.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxo
nomyName=operating_systems&articleId=333732&taxonomyId=89&intsrc=kc_
feat
-http://www.scmagazineuk.com/Hackers-claim-that-economic-situation-is-helping-the
m-to-thrive/article/127994/
[Editor's Note (Schultz): These statistics provide additional compelling evidence that data loss prevention technology is no longer a luxury--it is now instead really more of a necessity than anything else.
(Weatherford): When someone faces the prospect of losing a job, they will do anything to ensure their family is fed and supported. Unfortunately, that includes doing things detrimental to their careers like stealing company information. It's our job to have the policies and security controls in place to protect our organizations and save people from themselves. ]

---

THE REST OF THE WEEK'S NEWS

GOVERNMENT SYSTEMS AND HOMELAND SECURITY

Vermont Offers RFID-Enabled Driver's Licenses to Help at Border Crossings (March 2, 2009)

Vermont has joined New York and Washington State to become the third US state to offer RFID enhanced licenses. The licenses are optional, and are designed to expedite border crossings. The licenses comply with the DHS's Western Hemisphere Travel Initiative; the chips can be read at a distance of 20 to 30 feet. Arizona and Michigan plan to establish similar systems. In Canada, British Columbia has already set up a comparable program and Manitoba, Ontario and Quebec plan to do so as well.
-http://fcw.com/Articles/2009/03/02/Vermont-issues-RFID-drivers-license.aspx

Sensitive Presidential Helicopter Info Leaked Through P2P Program (February 28 & March 2, 2009)

A Maryland defense contractor appears to have leaked information through a peer-to-peer (P2P) file sharing program about the helicopter currently used by US President Barack Obama. The information, including "blueprints and an avionics package for Marine One (the President's helicopter)" were detected at an IP address in Tehran by a company that monitors P2P networks. There is speculation that an employee at the company downloaded the P2P program without understanding how it could compromise the security of other information on the company's network.
-http://www.wpxi.com/news/18818589/detail.html#-
-http://news.cnet.com/8301-1009_3-10184558-83.html?part=rss&subj=news&tag
=2547-1009_3-0-20
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9128820&source=rss_topic17
[Editor's Note (Skoudis): I strongly believe the leakage of sensitive information via P2P happens at a much greater rate than is reported. Enterprises should strive to block P2P protocols at their network borders. However, many of them are now using HTTP over port 80, which makes blocking them on the network difficult. You may also want to consider implementing Software Restriction Policies to prevent the common P2P programs from running at all, or use the program execution whitelist/blacklist features of various endpoint security suites.
(Weatherford): Organizations must make conscious decisions about allowing P2P. One more time: ORGANIZATIONS MUST MAKE CONSCIOUS DECISIONS ABOUT ALLOWING P2P and then recognize that some organizations are simply not appropriate candidates for using P2P due to the inherent risks. If you do not explicitly deny P2P and actively manage and block it, you are implicitly allowing it and people will take advantage of that implicit authorization. ]

One-Quarter of UK Defense Contractors Have Not Complied with Data Encryption Mandate (February 26, 2009)

UK Defence Minister Bob Ainsworth said in a written response to Parliament last week that just 26 percent of defence contractors with access to the ministry's restricted network or that work with classified or more sensitive information have either confirmed that they do not comply with data encryption requirements or have not confirmed one way or another that they comply with the requirements. The Ministry of Defence's List-X Notice requires, among other things, that all data held on laptops and portable storage media are encrypted. MoD issued the List-X Notice last year to address data security concerns raised by data security breaches within the government.
-http://www.silicon.com/research/specialreports/protecting-enterprise-data/encryp
tion-demands-ignored-by-quarter-of-mod-contractors-39398413.htm

DATA BREACHES, LOSS & EXPOSURE

Doctor Charged with Violating Data Protection Act for Unauthorized Database Access (March 1 & 2, 2009)

A database containing medical records of 2.5 million people was breached by an NHS (UK's National Health Service) doctor; all the people whose records were accessed without authorization are famous or high-profile, including Prime Minister Gordon Brown. The Emergency Care Summary database contains names, addresses, occupations and current medications and allergies to medicines. Normally, NHS staff must ask patients' permission before accessing the database except in cases of emergency. An NHS Fife doctor has been charged with violations under the Data Protection Act.
-http://www.theregister.co.uk/2009/03/02/nhs_database_breach/
-http://www.sundaymail.co.uk/news/scottish-news/2009/03/01/medical-records-of-gor
don-brown-and-alex-salmond-hacked-78057-21162440/

Visa Says There is No Third Payment Processor Breach (February 27, 2009)

Visa issued a statement last week quelling speculation that there had been a data security breach at yet another payment processor. Instead, Visa said, the alerts it was sending to banks and credit unions were related to an ongoing investigation of a known breach. Visa did not clarify which breach it meant.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9128743&source=rss_topic17

ATTACKS & ACTIVE EXPLOITS

Koobface Variant Spreading Through Social Networking Sites (March 2, 2009)

A variant of the Koobface worm has been spreading through social networking communities such as Facebook and MySpace. The malware spreads by sending messages that appear to come from friends, asking them to click on a link to watch a video. When the users reach the malicious website, they receive a message that they need to install an Adobe Flash plug-in to view the clip properly. If they agree to install the plug-in, a Trojan horse program is installed on the computer instead, giving attackers control over the machine. This Koobface variant also sends out invitations to watch the bogus clip to contacts through the social networking account. In addition, two rogue Facebook applications have been attempting to steal user data.
-http://voices.washingtonpost.com/securityfix/2009/03/koobface_worm_resurfaces_on
_fa.html
[Editor's Note (Skoudis): Get used to this. I think we'll see a steady stream of these kinds of stories with malware propagating via social networking contacts throughout the next few years. And, given the increasingly flexible APIs the social network sites are implementing, bad guys will be able to mine this information for attacks far more effectively. ]

STUDIES AND STATISTICS

Some Oracle Shops Have No Patch Application Policy (February 26, 2009)

Two surveys conducted last spring and summer found that among organizations using Oracle database products, just 26 percent require that Oracle's security updates, which are released quarterly, be installed as soon as they are available. Six percent of the more than 160 respondents said their organizations require that Oracle's Critical Patch Updates be installed on critical systems only. Just 30 percent of the respondents said they usually installed Oracle's patches before the next batch are released, meaning some systems are months behind. Eleven percent of respondents said they had installed none of the security updates. Thirty percent of the respondents said their companies had no policy regarding application of Oracle patches. While delays are understandable - database administrators often need significant periods of time to test patches before applying them - having no policy at all is risky.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxo
nomyName=security&articleId=9128705
[Editor's Note (Skoudis): I know, it's probably pass to mention the old "Unbreakable" ads. Still, it seems to me that if a vendor spends many millions of dollars on an ad budget over the space of years touting their product as unbreakable, it's only natural for their customers to be lulled into complacency, apparently for a rather long time. Sad. ]

CAG CHRONICLE

--If you have not reviewed the CAG against the controls you have implemented or against those you audit or assess, you can get started at any time. They are posted at SANS at www.sans.org/cag and at the Center for Strategic and International Studies at
-http://www.csis.org/component/option,com_csis_pubs/task,view/id,5300/

---

**********************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Ron Dick headed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/