
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XI - Issue #24

March 27, 2009


National Manpower Estimate for Cyberspace Security Skills.
A consortium of federal and private organizations is completing a national estimate of requirements for specialized security skills. Their work is primarily based on targeted estimates made by the military and intelligence communities, but their report hopes to cover the critical infrastructure, as well. They are looking for substantive research that has been done on the topic that could help shape the report, due in April. Email apaller@sans.org if you know of any such reports.
Alan

TOP OF THE NEWS

Langevin Speaks in Support of White House-based Cyber Security Leadership
A Federal CIO Perspective On NIST 800-53 and the Twenty Most Important Security Controls (CAG)
China's Defense Spending is Way Up
High Court of England Allows Data to be Transferred to US for Madoff Investigation

THE REST OF THE WEEK'S NEWS

ARRESTS, CHARGES, CONVICTIONS & SENTENCES
Man Involved in AOL Card Fraud Sentenced
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
Senator Seeks Details About Support for DHS National Cyber Security Center
VULNERABILITIES
Overflow Flaws in Sun Java Runtime Environment Unpacking Utility
UPDATES AND PATCHES
Firefox Update Slated for Next Week
Cisco Updates Address 11 Vulnerabilities in IOS
Adobe Updates Fix Code Injection Flaw in Linux Versions of Reader and Acrobat
MALWARE, ATTACKS & ACTIVE EXPLOITS
Conficker Update Slated for April 1
Ransomware Scheme Incorporates Phony Antivirus Program
COOL TRAINING EVENTS
Penetration Testing Summit
Application Security Summit


TRAINING UPDATE

- Toronto 5/5-5/13 (15 courses) http://www.sans.org/toronto09/event.php
- SANSFIRE in Baltimore 6/13-6/20 (24 long courses, 12 short courses) http://www.sans.org/sansfire09/event.php
- New Orleans 5/5-5/10 (6 courses) http://www.sans.org/securityeast09/event.php
- Washington DC (Tyson's Corner) 4/14-4/22 (5 long courses and 8 short courses) http://www.sans.org/tysonscorner09/event.php
- Plus San Diego, Amsterdam and more, too. See www.sans.org
- Log Management Summit in Washington 4/5-4/7 http://www.sans.org/logmgtsummit09/
- Looking for training in your own community? http://sans.org/community/
For a list of all upcoming events, on-line and live: www.sans.org

*************************************************************************

TOP OF THE NEWS

Langevin Speaks in Support of White House-based Cyber Security Leadership (March 24, 2009)

US Representative Jim Langevin (D-R.I.), co-chair of the House Cybersecurity Caucus, says he cannot be sure what recommendations will come from the 60-day cyber security program review being conducted by Melissa Hathaway, but made clear his opinion that the country would be well served by modeling its cyber security program on the structure of the counter-proliferation program. Representative Langevin, who also co-chaired the Center for Strategic and International Studies Commission on Cybersecurity for the 44th Presidency, expressed the Commission's vision of cyber security leadership as part of the White House rather than residing within a single agency.
-http://www.house.gov/apps/list/speech/ri02_langevin/stmtcyber032409.html
-http://fcw.com/Articles/2009/03/26/cyber-Langevin.aspx

A Federal CIO Perspective On NIST 800-53 and the Twenty Most Important Security Controls (CAG) (March 26, 2009)

Dan Mintz just retired from the CIO position at the US Department of Transportation. At the request of the editor of Government Computer News, Dan looked closely at the question of whether the controls listed in 800-53 or the Twenty Critical Controls (the CAG) should become the prioritized focus of security assessments and grading of federal cybersecurity. Among his observations: "it is not just possible, but necessary, to establish priorities. If the FISMA checklist tied to the NIST guidelines calls for 200 controls to be implemented, but the resources are only available to do a partial implementation initially, there is a tendency to just try and check off as many as possible without deciding which are most important to do first." And that the twenty controls "could at least be partially automated and thus more effectively integrated into future security activities. The result is to strengthen the security infrastructure."
-http://gcn.com/Articles/2009/03/26/Another-View-audit-guidelines.aspx?s=gcndaily_270309&Page=1

China's Defense Spending is Way Up (March 26 & 27, 2009)

According to the Pentagon's annual report, "Military Power of the People's Republic of China (PRC) 2009," China's defense spending is significantly higher than that of other countries in the same region. The report also says that China has launched repeated intrusions on computer networks around the world, including those of the US government. The report did not say whether the intrusions were conducted by the Chinese government, military or with the support or tacit approval of either. The report notes that cyber intrusions last spring at India's Ministry of External Affairs and the Belgian government were believed to originate from China. In addition, the contents of a US government laptop were allegedly copied while the US Commerce secretary was visiting the country.
-http://www.washingtontimes.com/news/2009/mar/26/pentagon-beijing-boosting-cyberwarfare/print/
-http://www.nytimes.com/2009/03/27/world/27military.html?_r=1&hp=&pagewanted=print
-http://www.washingtonpost.com/wp-dyn/content/article/2009/03/25/AR2009032501058_pf.html

High Court of England Allows Data to be Transferred to US for Madoff Investigation (March 26, 2009)

The High Court of England and Wales has ruled that data pertinent to the Bernard Madoff investigation may be transferred to the US. The Data Protection Act (DPA) prohibits exporting data to countries outside the European Economic Area unless those countries provide acceptable data privacy protection; the US is considered to be among those lacking adequate protection. However, exceptions to the DPA allow the information to be transferred. Specifically, data may be sent to countries that do not meet the requirements if "the transfer is necessary for reasons of substantial public interest, ... (and) for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings)." The High Court found the exceptions to be relevant on both points.
-http://www.theregister.co.uk/2009/03/26/madoff_data_dpa_exempt/print.html


THE REST OF THE WEEK'S NEWS

ARRESTS, CHARGES, CONVICTIONS & SENTENCES

Man Involved in AOL Card Fraud Sentenced (March 24 & 25, 2009)

Charlie Blount Jr. has been sentenced to four years in prison for stealing information from AOL customers and using it to create phony credit cards. Blount pleaded guilty two years ago to conspiracy to commit fraud in connection with access devices. The scheme Blount used involved sending ecards to AOL subscribers; if they clicked on the provided link, their computers became infected with malware that asked for financial information before allowing them to sign on to AOL again. Another man, Thomas Taylor, has been sentenced to four years of probation for his role in the scheme. Taylor must also pay nearly US $34,000 in restitution and serve 200 hours of community service. Another co-conspirator in the case received a seven year prison sentence last August.
-http://www.scmagazineus.com/AOL-credit-card-scammer-receives-four-years-in-jail/article/129449/
-http://www.theregister.co.uk/2009/03/24/ecard_scammer_sentencing/

GOVERNMENT SYSTEMS AND HOMELAND SECURITY

Senator Seeks Details About Support for DHS National Cyber Security Center (March 25, 2009)

Senator Susan Collins (R-Maine), ranking member of the Senate Committee of Homeland Security and Governmental Affairs, has sent a letter to DHS Secretary Janet Napolitano asking for details on how US $6 million allocated for the DHS National Cyber Security Center (NCSC) was spent. Collins's concerns come in the wake of allegations by former NCSC director Rod Beckstrom that his organization lacked "appropriate support inside DHS during the last administration." Beckstrom, who resigned earlier this month, also alleged that NCSC was marginalized within DHS; Senator Collins's letter seeks additional information regarding those allegations as well.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9130519

Beckstrom resignation letter:
-http://epic.org/linkedfiles/ncsc_directors_resignation1.pdf
[Editor's Note (Northcutt): There is some evidence that U.S. citizens are weary of divisive politics. I relate, but I am much more tired of government turf battles that leave our country exposed and vulnerable. There are two sides to every story of course, but Mr. Beckstrom's letter (linked to above) makes an important statement. I urge all concerned NewsBites readers to read it and think about his points.]

VULNERABILITIES

Overflow Flaws in Sun Java Runtime Environment Unpacking Utility (March 26, 2009)

Integer and buffer overflow vulnerabilities in Sun Microsystems' Java Runtime Environment (JRE) "unpack200" JAR unpacking utility could be exploited to gain elevated privileges on vulnerable systems and to inject and execute arbitrary code. The vulnerabilities affect Java JDK and JRE version 5.0 Update 17 and version 6 Update 12 as well as earlier versions, with the exception of versions 1.4.2 and 1.3.1. Users are encouraged to update to Java 5 Update 18 or Java 6 Update 13.
-http://www.h-online.com/security/Security-vulnerability-in-Sun-s-Java-environment--/news/112933
-http://sunsolve.sun.com/search/document.do?assetkey=1-66-254570-1

UPDATES AND PATCHES

Firefox Update Slated for Next Week (March 26, 2009)

Mozilla plans to release Firefox version 3.0.8 early next week; included in the update is a fix for a recently disclosed vulnerability. The memory corruption flaw could be exploited to execute code on vulnerable computers. The flaw exists in Firefox versions 3.0 through 3.0.7 running on all operating systems. For the exploit to work, users would need to be tricked into viewing a maliciously crafted XML file.
-http://www.h-online.com/security/Firefox-critical-vulnerability-patched-in-3-0-8-due-next-week--/news/112938
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9130559&source=rss_topic17
-https://wiki.mozilla.org/Releases/Firefox_3.0.8

Cisco Updates Address 11 Vulnerabilities in IOS (March 25 & 26, 2009)

Cisco has released eight updates to address 11 security flaws in its Internet Operating System (IOS) software. The vulnerabilities affect TCP, UDP, mobile and VPN. The flaws could be exploited to block traffic to or gain access to vulnerable routers, cause vulnerable routers to crash, or gain access to password files. Cisco is not aware of any active exploits for the flaws.
-http://www.scmagazineus.com/Cisco-releases-security-updates-for-IOS/article/129460/
-http://www.h-online.com/security/Cisco-patches-several-vulnerabilities-in-IOS--/news/112935
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9130469&source=rss_topic17
-http://www.cisco.com/warp/public/707/cisco-sa-20090325-bundle.shtml

Adobe Updates Fix Code Injection Flaw in Linux Versions of Reader and Acrobat (March 25, 2009)

Adobe has released updates to address a critical security flaw in Adobe Reader and Acrobat for UNIX and Linux. Adobe released updates to fix the vulnerability in Windows and Mac versions of the software earlier this month. The flaw could be exploited to allow code injection and execution; users are urged to apply the updates as soon as possible.
-http://www.h-online.com/security/Adobe-fixes-critical-vulnerability-in-Unix-versions-of-Acrobat-and-Reader--/news/112924

MALWARE, ATTACKS & ACTIVE EXPLOITS

Conficker Update Slated for April 1 (March 23, 25 & 26, 2009)

April 1, 2009 marks a significant shift for the Conficker botnet, but researchers are at a loss to determine what is going to happen. On April 1, PCs infected with the Conficker worm will begin contacting 500 randomly chosen domains from 50,000 possible domains that could offer updates telling the program what to do.
-http://www.theregister.co.uk/2009/03/26/conficker_activation_analysis/
-http://www.eweek.com/c/a/Security/Conficker-The-Windows-Worm-That-Wont-Go-Away-529249/
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9130228&intsrc=hm_list

[Editor's Note (Schultz): Conficker is not only the most prolific worm ever, but its unpredictability in attacking domains makes its end anytime in the near future very unlikely. Many information security professionals, myself very much included, were wrong in pronouncing the day of the widespread worm over.
(Honan): F-Secure provides a reasonable set of Questions and Answers on Conficker to help cut through some of the hype:
-http://www.f-secure.com/weblog/archives/00001636.html]

Ransomware Scheme Incorporates Phony Antivirus Program (March 25, 2009)

A sophisticated form of ransomware is spreading on the Internet. Users are tricked into downloading malware that appears to be a legitimate utility called Antivirus2009. The malware actually encrypts numerous document types. When the user tries to open one of the encrypted files, an alert pops up, offering a utility, FileFix Pro 2009, that can decrypt the file. The application decrypts one document, then demands that the user pay US $50 to buy the software to decrypt the rest.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9130539&source=rss_topic17
-http://www.theregister.co.uk/2009/03/25/scareware_ransomware/
-http://www.zdnetasia.com/news/security/0,39044215,62052554,00.htm

COOL TRAINING EVENTS

Penetration Testing Summit

Where else can you find the best speakers from other hacker conferences all at one program: HD Moore on the future of Metasploit; Joshua Wright on evolving wireless attacks; Jeremiah Grossman on the Top Ten Web Hacking Techniques; Robert "rSnake" Hansen on web app vulnerabilities; Paul Asadoorian on late-breaking pen test techniques; Larry Pesce on using document metadata in pen tests; Jason Ostrum on VoIP pen testing; Ed Skoudis on secrets of pen testing?
The Summit is June 1 and 2 in Las Vegas. Registration information is here:
-http://www.sans.org/pentesting09_summit/

Application Security Summit - April 9 - Washington DC.

Learn from actual users which application security tools and processes work best and participate in establishing requirements that may be used for large scale procurement of these tools across government.
-http://www.sans.org/appsec09_summit/


**********************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Ron Dick headed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/