SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XI - Issue #29

April 14, 2009

Banks and Feds Getting Together to Solve Application Security Problem

Federal and state (and UN) web sites have been found to have downloaded unwanted code onto visitors' computers forcing them to go to other web sites that infect them with malicious payloads. US civilian government agency security leaders and application development managers are getting together with their counterparts from major banks and with NSA and SANS on April 29 in Washington to try to see what each has learned about what works in software security, and to try to reach consensus on how to make sure agency systems are not infecting citizens. Federal employees who need to attend should contact their chief information security officers. Bank employees should work through BITS. All others may register at http://www.sans.org/appsec09_summit
Alan

---

TOP OF THE NEWS

IG Report: Customs and Border Patrol Did Not Provide Sufficient Data For Review
NIST Publishes Draft eVoting Machines Guidelines
With Budgets Tight, US Companies Still Plan to Spend on IT Security

THE REST OF THE WEEK'S NEWS

GOVERNMENT SYSTEMS AND HOMELAND SECURITY
Missing Laptop Holds Sensitive Ministry of Defence Information
POLICY AND LEGISLATION
NZ Privacy Commissioner Expresses Concern About Job Applicant Data Retention
DATA THEFT, LOSS & EXPOSURE
NC Hospital Patient Data on Computer Stolen in Georgia
Borrego Springs (CA) Bank Warns Customers of Account Data Compromise
Gexa Informs Customers of Year-Old Data Breach
ATTACKS & ACTIVE EXPLOITS
Conficker Infects Computers at University of Utah
NY Teen Says He Created Twitter Worm
MISCELLANEOUS
Chemical Facility Anti-Terrorism Standards Good Model for Compliance

---

************************* Sponsored By CA *******************************

Web-Based Security for Business Enablement

While "secure" and "Web" were once incompatible notions, they are now co-elements that support dynamic Web-based commerce. Technologies such as Web access management, single sign-on, identity management, federation, and strong authentication - when leveraged together - represent a more efficient way to conduct IT-enabled business. This IDC whitepaper explores how competitive advantage can be effectively realized through secure Web business enablement technologies. Learn more... http://www.sans.org/info/42508

*************************************************************************

TRAINING UPDATE

- - Toronto 5/5-5/13 (15 courses) http://www.sans.org/toronto09/event.php
- - SANSFire in Baltimore 6/13-6/20 (24 long courses, 12 short courses) http://www.sans.org/sansfire09/event.php
- - New Orleans 5/5-5/10 (6 courses) http://www.sans.org/securityeast09/event.php
- - Washington DC (Tyson's Corner) 4/14-4/22 (5 long courses and 8 short courses) http://www.sans.org/tysonscorner09/event.php
- -- Plus San Diego, Amsterdam and more, too. See www.sans.org
- - Log Management Summit in Washington 4/5-4/7 http://www.sans.org/logmgtsummit09/
- - Looking for training in your own community? http://sans.org/community/
For a list of all upcoming events, on-line and live: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

IG Report: Customs and Border Patrol Did Not Provide Sufficient Data For Review (April 13, 2009)

According to a report from US Department of Homeland Security (DHS) Inspector General (IG) Richard L. Skinner, the Customs and Border Protection Agency "did not provide sufficient information" for the IG's office to determine if the agency had made required changes to its methods of handling and protecting information in the Automated Targeting System-Passenger (ATS-P) database. Congress has required that CBP certify that it has made the necessary improvements if it is to receive funding in fiscal 2009; Congress also required that the IG review the certifications. The IG's report goes on to say that "after reviewing CBP's Operational Program Enhancements Plan, the controls outlined in the August 2007 privacy impact assessment (PIA), and the additional supporting documentation provided, we do not foresee any significant risks to the personal data being collected and stored within ATS-P."
-http://fcw.com/Articles/2009/04/13/CBP-did-not-give-auditors-information-on-pass
enger-data-system-IG-says.aspx
-http://www.dhs.gov/xoig/assets/mgmtrpts/OIG_09-44_Mar09.pdf
[Editor's Note (Honan): It is for reasons like this and the lack of transparency as to what happens with their personal data that many Europeans are uncomfortable with their personal information being stored and "protected" by the US Customs and Border Protection Agency. ]

NIST Publishes Draft eVoting Machines Guidelines (April 13, 2009)

The National Institute of Standards and Technology (NIST) has released a draft of voluntary standards for electronic voting machines. The current evoting machines guidelines are known as VVSG (Voluntary Voting System Guideline) 2005; the new draft guidelines are known as VVSG Next Iteration (VVSG-NI). NIST is accepting public comment on the draft document through July 1, 2009. After the standards are finalized, it will be up to state and local governments to decide if they will require their machine manufacturers to comply with them.
-http://www.techweb.com/article/showArticle?articleID=216500415§ion=News
-http://vote.nist.gov/voting-system-test-suites.htm
[Editor's Comment (Northcutt): I have always leaned heavily in the conservation and resource preservation direction, but you have to use paper sometimes. My number one guideline would be, print an auditable physical record of how the machine voted.]

With Budgets Tight, US Companies Still Plan to Spend on IT Security (April 13, 2009)

The results of a survey from Robert Half Technology indicate that a majority of companies plan to invest in IT security projects despite the tough economy. Seventy percent of chief information officers responding to the survey said their organizations plan to spend funds on IT security initiatives. The survey includes responses from 1,400 CIOs at US companies with 100 or more employees. Other IT areas in which the CIOs expected to invest include virtualization, data center efficiency, VoIP and social networking.
-http://www.csoonline.com/article/489109/Report_Security_Tops_IT_Budget_Prioritie
s
[Editor's Note (Pescatore): Threat-facing security spending is usually pretty recession-proof. However, spending that is tied to business expansion obviously does get hit, so there is slowdown in desktop and branch-office related security spending.
(Skoudis): I was surprised to see social networking as an investment area for enterprise CIOs. Yes, I know it's a hot area, but I didn't expect one-fifth of CIOs would mention it as an area to invest their precious resources in. Given the security issues that are rampant in social networking and money flowing into that space, it's going to keep us security professionals busy for quite some time, no doubt. ]

---

************************** SPONSORED LINKS ******************************

1) InstantSecurityPolicy.com - Custom IT Security Policies Created and Delivered Online; Quick, Comprehensive, and Complete. http://www.sans.org/info/42513

2) Complete Firewall Security Audits in 25% of the time with Tufin. Learn how and get your free shirt. http://www.sans.org/info/42518

3) Patriot Technologies Websense Hosted Email and Web Security Solution. View ThreatSeeker Network video at http://www.sans.org/info/42523

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

GOVERNMENT SYSTEMS AND HOMELAND SECURITY

Missing Laptop Holds Sensitive Ministry of Defence Information (April 12 & 13, 2009)

The UK Ministry of Defence (MoD) has admitted that a laptop computer containing sensitive SAS (Special Air Service) information is missing. The unclassified data include names of SAS soldiers as well as information about the Signals Regiment's training exercises; MoD said it does not hold information about missions. The data on the computer were not encrypted.
-http://www.telegraph.co.uk/news/newstopics/politics/defence/5146702/Laptop-with-
names-of-SAS-men-is-missing.html
-http://www.sundaymercury.net/news/midlands-news/2009/04/12/sas-computer-hard-dri
ve-lost-in-latest-security-blunder-66331-23367641/
-http://www.mirror.co.uk/news/top-stories/2009/04/13/tories-demand-answers-over-l
ost-sas-computer-hard-drive-115875-21275414/
[Editor's Note (Northcutt): I will be the first to admit I did not read the white paper since they want you to put in your details, but if you look to the right on the page the URL below points to you see some disturbing facts including 56% of business managers have disengaged their laptop's encryption. Thanks to www.twitter.com/drinfosec for the link.
-http://www.absolute.com/public/landing/PI109/default.asp?ref=PI109]

POLICY AND LEGISLATION

NZ Privacy Commissioner Expresses Concern About Job Applicant Data Retention (April 12, 2009)

New Zealand's Privacy Commissioner has warned that employers and companies that conduct background checks on potential employees may be violating the country's Privacy Act. For example, applicants for 24 new jobs advertised by the country's Tertiary Education Commission (TEC) were requested to sign a consent form allowing a third party to conduct background, resume and reference checks, and to allow "any relevant third party" to supply additional information. They were also asked to agree to allow the third party company to hold their application information indefinitely, even if they are not hired.
-http://www.odt.co.nz/news/national/51227/job-vetting-practices-may-breach-privac
y-act

DATA THEFT, LOSS & EXPOSURE

NC Hospital Patient Data on Computer Stolen in Georgia (April 13, 2009)

Officials at Moses Cone Health System in Greensboro, NC have begun notifying more than 14,000 patients that their personal information was on a laptop computer stolen while in the possession of consulting firm VHA. The computer was stolen on March 9 from the vehicle of a VHA employee in Georgia. The hospital learned of the theft four days later, but waited until this week to make the theft public. VHA had the information on the computer because it was conducting analysis to help the hospital improve patient care and reduce costs. The data were not encrypted. The theft affects cardiology and orthopedic patients treated at Moses Cone Memorial Hospital or Wesley Long Community Hospital between February 2004 and February 2009. The data include confidential patient information and some Social Security numbers (SSNs).
-http://www.news-record.com/content/2009/04/13/article/laptop_stolen_contains_inf
ormation_from_14000_moses_cone_patients
-http://www.mosescone.com/body.cfm?xyzpdqabc=0&id=11&action=detail&re
f=3840
[Editor's Note (Schultz): Regarding what happened in this news item, I have learned much from a friend of mine, Gal Shpanzer. He never leaves his laptop in any vehicle that he has parked, to the point that he will bring his laptop with him, even if he goes into a restaurant.
(Ranum): How did patient data wind up on a consultant's laptop!? Never mind encryption - again - what kind of information systems allow consultants' laptops access to live customer data in the first place? ]

Borrego Springs (CA) Bank Warns Customers of Account Data Compromise (April 10 & 11, 2009)

Borrego Springs Bank in California has sent letters to all its customers, warning them that their bank account information was compromised when seven laptop computers were stolen from the Laguna Hills office of Vavrinek, Trine, Day and Co., an accounting company. The computers were stolen on March 5, but the outside company did not notify the bank until March 18. The compromised data include names, bank account numbers and balances. The stolen computers hold data from other banks as well. The data are not encrypted.
-http://www3.signonsandiego.com/stories/2009/apr/10/1b10data191738-bank-warns-cus
tomers-after-theft/
-http://www3.signonsandiego.com/stories/2009/apr/11/1b11bank22626-other-banks-dat
a-stolen-computers/?zIndex=80884
[Editor's Note (Liston): Almost every week, we have stories of laptop theft that contain the phrase, "...the data was not encrypted." Wake up people! If you have sensitive information on a machine that is DESIGNED to be carried off, you NEED to encrypt that data. It isn't all that hard, it isn't expensive, and I think we're to the point now where it should be considered negligence if it isn't being done.
(Northcutt): One of the classic questions in incident handling is whether you watch and learn, or you terminate, access and clean? Most of the time, you choose the second. The question is whether law enforcement will learn enough from the delay to compensate for the angst of people who had their information compromised for a long time. Also, please try to forgive me for bashing Texas again, but there are a large number of states with Data Breach Laws; some of their citizens may be impacted by this decision. I wasn't there, don't know all the facts, but this smacks of arrogance:
-http://www.csoonline.com/article/221322/CSO_Disclosure_Series_Data_Breach_Notifi
cation_Laws_State_By_State]

Gexa Informs Customers of Year-Old Data Breach (April 1, 10, & 11)

Gexa Energy is just now informing its customers that their personally identifiable information may have been compromised in a data security breach last spring. The Houston, Texas company sent letters to affected customers on April 2, 2009, informing them that an intruder accessed customer data on April 30, 2008. Gexa says it was asked by law enforcement to remain silent about the intrusion during the investigation. There are no reports of any of the data having been misused, and indictments are reportedly forthcoming against an individual. The compromised data include names, addresses and SSNs.
-http://www.caller.com/news/2009/apr/10/gexa_energy_lost_info/
-http://abclocal.go.com/ktrk/story?section=news/consumer&id=6740632

ATTACKS & ACTIVE EXPLOITS

Conficker Infects Computers at University of Utah (April 10 & 12, 2009)

More than 700 computers at the University of Utah are known to be infected with the Conficker worm. Some of the infected computers are at the university's three hospitals. A spokesman for the university's health sciences department said that patient information has not been compromised. Staff and students have received information about how to remove the malware from their computers. Internet access was cut off for several hours while IT staff worked to isolate the malware and eliminate it.
-http://www.msnbc.msn.com/id/30179873/
-http://www.sltrib.com/news/ci_12118088
[Editor's Note (Schultz): Sorry, University of Utah, but saying that patient information was not compromised is by no means any kind of moral victory or assurance to the public. How could this university be so naive to think that somehow a vulnerability for which a patch was available *last fall* could not cause damage and harm to medical patients and experimental subjects? ]

NY Teen Says He Created Twitter Worm (April 12, 2009)

A New York teenager has claimed responsibility for a Twitter worm that began spreading over the weekend. The worm posts messages to users' pages without their knowledge. The 17-year-old said he created the worm because he was bored, but didn't expect that it "would spread as far or as fast as it did." Twitter said it fixed the vulnerability exploited by the worm, but variants continued to spread. Twitter has said it is taking steps to halt the spread of the new variants and instances of the worm do seem to be declining. The worm exploits a cross-site scripting vulnerability, leading to speculation that Twitter's first attempt at blocking the malware focused on signature recognition rather than addressing the underlying problem.
-http://news.cnet.com/8301-1009_3-10217684-83.html
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9131478&source=rss_topic17
-http://www.h-online.com/security/StalkDaily-Mikeyy-continues-to-flood-Twitter--/
news/113053
-http://www.theregister.co.uk/2009/04/13/weekend_twitter_worm_attacks/
[Editor's Comment (Pescatore): This is part of the usual arc of consumer grade technology learning late in life that security is important. Skype, Google, Facebook - same thing. This will not change in the near term - all business use of those technologies should budget for security expenditures to contain the risk of using them.
(Skoudis): It's really a bummer when a young person hacks target systems and blames their indiscretions on "boredom". It's even worse when the attacker claims (according to the CNET article), "One day he hopes to get a job as a security analyst." Well, don't tarnish your reputation, kid, if you want to keep doors open for that goal! Do something positive. Start a blog that helps people defend themselves. Or write articles on how to secure systems. Build your name and reputation in a positive way. There are plenty of areas in the information security space ripe for collaboration and contribution that do not involve violating the law. This whole situation is very sad.
(Northcutt): In Twitter's defense, signatures are usually the fastest fix you can put in place. And they can ALWAYS be circumvented, so you have to fix the root cause problem. However, what is a bit hard for all the reporters to understand is sometimes the root problem is in a routine that is, I kid you not, a hundred lines of code. You can't always get instant turnaround. All that said, safe browsing is everyone's responsibility. If you were running Firefox with the NoScript plugin you could be clicking on profiles from here to doomsday with no ill effects. ]

MISCELLANEOUS

Chemical Facility Anti-Terrorism Standards Good Model for Compliance (April 9, 2009)

Safety and security practices established at US chemical facilities in response to DHS's Chemical Facility Anti-Terrorism Standards (CFATS) could translate well to other industries. CFATS compelled chemical facilities to conduct site vulnerability assessments, which include looking closely at physical security, cyber security and safety systems and prioritizing the issues with regard to which had the greatest potential for evolving into serious security or safety concerns for the plant and its surroundings. The assessment is followed by a site security plan and implementation. Some of the chemical facilities chose to implement integrated security approaches, which allows identification and control of who goes in and out of the facility; tracking of movement within the facility; controlling access to restricted areas; tracking and locating personnel and equipment; protecting networks from cyber attacks; responding to alarms and events; and sharing information to reduce spending.
-http://www.csoonline.com/article/print/488249

---

**********************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/