SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XI - Issue #21
March 17, 2009
Very cool workshop in DC on application security tools - users sharing what works and defining capabilities for implementing the CAG. April 29. http://www.sans.org/appsec09_summit/ and a similar one on log management earlier in April: http://sans.org/info/37604.
Alan
TOP OF THE NEWS
US Lawmakers Reportedly Drafting Bill to Address Behavioral Advertising IssuesFinnish President Ratifies Law Allowing Employers to Monitor Employees' eMail Activity
Visa Says RBS WorldPay and Heartland No Longer PCI DSS Compliant
PCI Security Standards Council Issues Prioritized Approach for Compliance
THE REST OF THE WEEK'S NEWS
ARRESTS, CHARGES, CONVICTIONS & SENTENCESMan Who Deleted Australian Government Computer Accounts to be Sentenced
LEGAL ISSUES
Japanese Court Orders ISP to Reveal File Sharer's Identity
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
Report: IRS Malware Response Improved, Prevention Still Needs Attention
Kundra On Leave During Probe of Former Office
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Iowa Company Agrees to Pay Undisclosed Sum For Unlicensed Software Use
UPDATES AND PATCHES
Microsoft DNS Patch Does Not Address Core Issue
DATA LOSS & EXPOSURE
Comcast Subscriber Info Exposed Online
Consultant Who Exposed Coleman Website Flaw Defends Actions
************************** Sponsored By CA ******************************
Web-Based Security for Business Enablement
While "secure" and "Web" were once incompatible notions, they are now co-elements that support dynamic Web-based commerce. Technologies such as Web access management, single sign-on, identity management, federation, and strong authentication - when leveraged together - represent a more efficient way to conduct IT-enabled business. This IDC whitepaper explores how competitive advantage can be effectively realized through secure Web business enablement technologies. Learn more...
http://www.sans.org/info/40673
*************************************************************************
TRAINING UPDATE
- - Phoenix 3/23-3/30 (5 courses) http://www.sans.org/phoenix09/
- - Washington DC (Tyson's Corner) 4/14-4/22 (5 long courses and 8 short courses) http://www.sans.org/tysonscorner09/event.php
- - Amsterdam and Melbourne, too. See www.sans.org
- - Log Management Summit in Washington 4/5-4/7 http://www.sans.org/logmgtsummit09/
- - Plus Calgary, New Orleans, San Diego and more...
- - Looking for training in your own Community? http://sans.org/community/
For a list of all upcoming events, on-line and live: www.sans.org
*************************************************************************
TOP OF THE NEWS
US Lawmakers Reportedly Drafting Bill to Address Behavioral Advertising Issues (March 16, 2009)
US legislators are drafting a bill that would require Internet companies using targeted advertising technology to notify users that their habits are being tracked for that purpose. One of the legislators involved says that users should be entitled to know exactly what information is being collected, who is collecting the information and what is being done with it. Google has recently announced its intention to start using targeted advertising, joining companies such as AOL, Yahoo and Microsoft. Google's system will assign users to interest categories based on their activity and target advertising to those interests; users will be able to change their interest categories or opt out of the program entirely.-http://www.scmagazineus.com/Behavioral-advertising-bill-being-drafted/article/12
8882/
Finnish President Ratifies Law Allowing Employers to Monitor Employees' eMail Activity (March 4 & 14, 2009)
A newly ratified law in Finland allows employers to monitor employees' email messages when they suspect misconduct. Employers would not be permitted to read the content of messages, but would be permitted to monitor the sizes of attachments and to whom they were being sent. The law also allows schools, libraries and telecommunications operators to snoop on users' activity. The law has met with harsh criticism from legal experts and privacy rights groups. The bill passed Parliament earlier this month by a vote of 96-56; the president ratified it on March 13.-http://www.ioltechnology.co.za/article_page.php?iSectionId=2883&iArticleId=4
889373
-http://news.theage.com.au/breaking-news-technology/finnish-parliament-approves-e
mail-tracking-law-20090305-8ona.html
[Editor's Note (Pescatore): The lack of reasonable expectation of privacy in corporate email is well established in the US but has always been a country by country thing (and often a labor union by labor union thing) in other countries. However, it seems universally OK to monitor the speed at which drivers are traveling on roadways in the name of safety or to prohibit certain types of health endangering behavior in the workplace (no spitting!) - the laws will eventually catch up to the cyber side.
(Schultz): Privacy protection is a major issue and priority in most European countries. At the same time, however, the need for monitoring user Internet activity for discovering illegal activity, identifying employee misconduct, and so on is growing. In the process of achieving equilibrium between privacy and monitoring, some compromises concerning individuals' right to and expectation of privacy will certainly have to be made (as is occurring in Finland), something that will not sit well with most Europeans. ]
Visa Says RBS WorldPay and Heartland No Longer PCI DSS Compliant (March 13, 2009)
Visa has said that RBS WorldPay and Heartland Payment Systems are no longer compliant with the Payment Card Industry Data Security Standard (PCI DSS). The statement follows recent acknowledgements by both companies that their computer systems recently suffered significant data security breaches. Visa said that both companies are "actively working on revalidation of PCI DSS compliance."-http://www.theregister.co.uk/2009/03/13/visa_delists_heartland_rbsworldpay/
PCI Security Standards Council Issues Prioritized Approach for Compliance (March 16, 2009)
The PCI Security Standards Council LLC has issued a list of compliance guidelines it calls the Prioritized Approach to help companies struggling with where to go or even where to begin implementing the controls to protect payment card customer data. The guidelines map PCI DSS requirements to a set of six milestones, dealing with the most important security issues first.-https://www.pcisecuritystandards.org/education/prioritized.shtml
-https://www.pcisecuritystandards.org/education/docs/Prioritized_Approach_PCI_DSS
_1_2.pdf
-https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=335844&source=rss_topic17
************************** SPONSORED LINKS ******************************
1) InstantSecurityPolicy.com - Custom IT Security Policies Created and Delivered Online; Quick, Comprehensive, and Complete. http://www.sans.org/info/40678
*************************************************************************
THE REST OF THE WEEK'S NEWS
ARRESTS, CHARGES, CONVICTIONS & SENTENCES
Man Who Deleted Australian Government Computer Accounts to be Sentenced (March 13, 2009)
David Anthony McIntosh, a former IT consultant for the government in Australia's Northern Territories, will be sentenced this week for damage he caused to a government computer system. McIntosh maintains he was drunk and upset over a broken engagement when he broke into the system a month after leaving his position. McIntosh deleted more than 10,000 Health Department, hospital, prison and Supreme Court employee user accounts, causing AU $1.2 million (US $793,000) in damages. McIntosh pleaded guilty to unlawfully accessing and modifying data in court in January. He has written a letter of apology to the court and plans to pursue another line of work when he completes his prison term.-http://www.theregister.co.uk/2009/03/13/nt_hack_convict/
-http://www.ntnews.com.au/article/2009/03/13/38995_ntnews.html
LEGAL ISSUES
Japanese Court Orders ISP to Reveal File Sharer's Identity (March 15, 2009)
A Japanese court has ordered an Internet service provider (ISP) to disclose the identity and address of a customer who allegedly used file-sharing software to expose personally information of 110,000 high school students. The information was apparently unintentionally uploaded to the Internet through a computer infected with malware.-http://www.yomiuri.co.jp/dy/national/20090315TDY02311.htm
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
Report: IRS Malware Response Improved, Prevention Still Needs Attention (March 10 & 16, 2009)
A recently released audit report from the Treasury Inspector General for Tax Administration (TIGTA) says that while the US Internal Revenue Service (IRS) "responded appropriately when malware was detected," it could improve controls to prevent malware from reaching the systems in the first place. The purpose of the audit "was to determine whether adequate security controls are present to prevent and respond to malware attacks." The report recommends that the IRS CIO schedule automatic antivirus scanning on IRS servers; instruct administrators not to use their administrator accounts to access the Internet and monitor activity to ensure the policy is followed; notify employees when their activity allows malware onto systems; "and update the IRS security awareness training to include the use of portable and removable media among the common ways in which users can introduce malicious code to the network."-http://www.nextgov.com/nextgov/ng_20090316_2528.php
-http://www.treas.gov/tigta/auditreports/2009reports/200920045fr.pdf
Kundra On Leave During Probe of Former Office (March 12 & 13, 2009)
Vivek Kundra, who was recently appointed by president Obama as federal chief information officer (CIO), has taken a leave of absence from that position following the arrests of two individuals associated with his former office. The two men, an employee at the District of Columbia's Office of the Chief Technology Officer and a consultant who worked with the office, are facing charges in an alleged bribery scheme. Kundra was the DC CTO until March 4.-http://www.nextgov.com/nextgov/ng_20090313_9027.php
-http://blogs.zdnet.com/BTL/?p=14553
-http://washingtondc.fbi.gov/dojpressrel/pressrel09/wfo031209.htm
-http://www.washingtonpost.com/wp-dyn/content/article/2009/03/13/AR2009031303838.
html
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Iowa Company Agrees to Pay Undisclosed Sum For Unlicensed Software Use (March 12 & 16, 2009)
An Iowa company has agreed to pay the Software & Information Industry Association a six figure settlement for using copies of software without valid licenses. Creative Edge Master Shop in Fairfield and an affiliate, Flex kits, admitted to using unlicensed copies of software from Adobe, Apple, Symantec and other companies; Creative Edge has agreed to implement internal controls to ensure that only properly licensed software is used. The amount of the settlement was not disclosed.-http://www.informationweek.com/news/global-cio/legal/showArticle.jhtml?articleID
=215900445
-http://www.siia.net/press/releases/Creative%20Edge%20Release%20FINAL999%20_8_.pd
f
UPDATES AND PATCHES
Microsoft DNS Patch Does Not Address Core Issue (March 16, 2009)
One of the patches Microsoft released last week for a vulnerability in Windows DNS and WNS servers merely mitigates the issue but does not fix it, according to security engineer Tyler Reguly. The patch, part of Microsoft update MS090-008, is meant to address a vulnerability in the Web Proxy Automatic Discovery (WPAD) functionality of Windows DNS Server that could be exploited through a man-in-the-middle attack. The fix allows administrators to set up a list of blocked domains, but if servers already have "valid WPAD entries, it's not patched." Microsoft responded to notification of the issue by saying that the company "needs to be very careful when releasing a security update to ensure that (it) both protects (its) customers and does not break the functionality they have come to rely on."-http://gcn.com/Articles/2009/03/13/Microsoft-flawed-DNS-patch.aspx?p=1
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9129722&source=rss_topic17
-http://www.zdnetasia.com/news/security/0,39044215,62052239,00.htm
DATA LOSS & EXPOSURE
Comcast Subscriber Info Exposed Online (March 16, 2009)
A list of several thousand Comcast subscriber usernames and passwords was exposed on the Internet for about two months. The document was discovered at Scribd, a document sharing website. The document had been viewed nearly 350 times and downloaded 27 times; it is no longer available on the website. Comcast has said it does not believe the information was leaked from inside the company, as there were many duplicated entries and no associated account numbers, according to a company spokesperson; she suggested the list could have been compiled from a phishing or other data collection scheme. Comcast is freezing the email accounts of users whose information was on the list.-http://bits.blogs.nytimes.com/2009/03/16/passwords-of-8000-comcast-customers-exp
osed/
Consultant Who Exposed Coleman Website Flaw Defends Actions (March 13 & 16, 2009)
The IT consultant who exposed the vulnerability on former Minnesota Senator Norm Coleman's campaign website in January says she did so highlight the problem so others could protect themselves from breaches. Adria Richards maintains that the Coleman campaign would likely not have been responsive had she approached them about the vulnerability. Wikileaks posted personal information of donors taken from the site through the vulnerability; Richards has been the target of vitriol from Coleman supporters.-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9129631&source=rss_topic17
-http://minnesotaindependent.com/29067/wikileaks-it-pro-not-in-any-danger-in-cole
man-leak-lawyer-says
**********************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Ron Dick headed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.
Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.
Alan Paller is director of research at the SANS Institute
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/