SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XI - Issue #31

April 21, 2009

TOP OF THE NEWS

Spies Penetrate Pentagon's Joint Fighter-Jet Project
British Council Violated Data Protection Act, Says Information Commissioner's Office
UK's Regulation of Investigatory Powers Act Under Review Due to Alleged Overuse
Dept. of Health and Human Services Issues Electronic Health Record Data Security Guidance

THE REST OF THE WEEK'S NEWS

GOVERNMENT SYSTEMS AND HOMELAND SECURITY
Aneesh Chopra Named White House CTO
Newly Released Documents Shed (a Bit) More Light on FBI's Spyware
NSA Wiretaps Have Exceeded Limits
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Guilty Plea in Pirated Software Case
DATA BREACHES, LOSS & EXPOSURE
MySpace Employee Stole Co-Workers' Personal Information
ATTACKS & ACTIVE EXPLOITS
Secure Shell Attacks
MISCELLANEOUS
Baker College Wins Cyber Defense Competition

---

********************** Sponsored By Tufin Technologies ******************

Slash Costs with Automated Firewall Security Audits

For security executives and administrators, Tufin SecureTrack is the key to fast, accurate firewall audits. Lean how you can reduce opex and increase network security by automating manual, repetitive firewall administration tasks and optimizing rulebases to improve performance.

Learn more - click for a free Tufin Polo shirt and a chance to win an Apple iPod Touch. http://www.sans.org/info/42684
*************************************************************************

TRAINING UPDATE

- - Toronto 5/5-5/13 (15 courses) http://www.sans.org/toronto09/event.php
- - SANSFIRE in Baltimore 6/13-6/20 (24 long courses, 12 short courses) http://www.sans.org/sansfire09/event.php
- - New Orleans 5/5-5/10 (6 courses) http://www.sans.org/securityeast09/event.php
- - Washington DC (Tyson's Corner) 4/14-4/22 (5 long courses and 8 short courses) http://www.sans.org/tysonscorner09/event.php
- -- Plus San Diego, Amsterdam and more, too. See www.sans.org
- - Log Management Summit in Washington 4/5-4/7 http://www.sans.org/logmgtsummit09/
- - Looking for training in your own community? http://sans.org/community/
For a list of all upcoming events, on-line and live: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

Spies Penetrate Pentagon's Joint Fighter-Jet Project (April 21, 2009)

Cyber spies have stolen tens of terabytes of design data on the US's most expensive costliest weapons system -- the $300 billion Joint Strike Fighte project. Similar breaches have been found in the Air Force's Air Traffic Control System. The attacks began as far back as 2007 and continued into 2008. The spies encrypted the data that they stole, making it difficult for investigators to know exactly what data was taken. The fact that fighter data was lost to cyber spies was first disclosed by U.S. counterintelligence chief Joel Brenner. Brenner also expressed concern about spies taking control of air traffic control systems, saying there could come a time when "a fighter pilot can not trust his radar."
-http://online.wsj.com/article/SB124027491029837401.html

British Council Violated Data Protection Act, Says Information Commissioner's Office (April 17 & 20, 2009)

The UK Information Commissioner's Office says that the British Council's loss of an unencrypted disk containing personally identifiable information constitutes a breach of the Data Protection Act. The disk holds sensitive data belonging to more than 2,000 staff members. The breach was reported to the ICO promptly; the ICO has required the British Council to officially agree to a number of security measures to guard against future data loss. Among those measures are ensuring that all portable and mobile data storage devices are encrypted.
-http://www.computing.co.uk/computing/news/2240575/british-council-breacheds
-http://www.theregister.co.uk/2009/04/20/british_council_data_loss/

UK's Regulation of Investigatory Powers Act Under Review Due to Alleged Overuse (April 17, 2009)

UK Home Secretary Jacqui Smith has announced a review of the Regulation of Investigatory Powers Act (RIPA) following complaints that the powers had been invoked for trivial offenses, including littering and taxi overcharging. The review invites public feedback. The review seeks input on which public authorities should have the authority to invoke RIPA.
-http://www.vnunet.com/computing/news/2240543/government-announces-review
-http://nds.coi.gov.uk/Content/Detail.asp?ReleaseID=398807&NewsAreaID=2

Dept. of Health and Human Services Issues Electronic Health Record Data Security Guidance (April 20, 2009)

The US Department of Health and Human Services has released a document offering guidance on protecting electronic health record data. The document says that electronic medical data must be rendered "unusable, unreadable or indecipherable" to those who do not have the authority to view them, and recommends encryption and destruction as acceptable methods of meeting those requirements. The document is tied to two sets of breach notification regulations required by the Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the economic stimulus bill. One set of notification guidelines will be issued by HHS, and the second will be issued by the Federal Trade Commission for entities not covered by the Health Insurance Portability and Accountability Act (HIPAA). Organizations that comply with the guidelines set forth in the document will not be held to breach notification requirements. HHS will accept public comments on the document through May 21, 2009.
-http://fcw.com/Articles/2009/04/20/HHS-releases-guidance-on-securing-electronic-
health-data.aspx
-http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hitechrfi.pdf
-http://www.nextgov.com/nextgov/ng_20090420_8620.php
-http://govhealthit.com/articles/2009/04/20/health-it-privacy-guidelines.aspx
[Editor's Note (Pescatore): The real key is enforcing existing regulations around personal health information vs. any real need for new regulations.
(Liston): I completely disagree with giving these companies a free pass from breach notification simply because they checked the "we encrypt" box on some form. Doing encryption is easy... doing encryption well is hard. Also, encrypting data-at-rest and data-in-motion is wonderful, but what if a breach targets data-in-use? ]

---

************************* Sponsored Links: *****************************

1) Patriot Technologies Websense Hosted Email and Web Security Solution. View ThreatSeeker Network video at http://www.sans.org/info/42689

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

GOVERNMENT SYSTEMS AND HOMELAND SECURITY

Aneesh Chopra Named White House CTO (April 18 & 20, 2009)

President Barack Obama has named Aneesh P. Chopra as White House chief technology officer (CTO). Chopra is currently Virginia's secretary of technology. Chopra will be the first person to hold the new position. He will work closely with Vivek Kundra, who last month was named the country's first federal chief information officer (CIO).
-http://blogs.wsj.com/digits/2009/04/18/tech-industry-cheers-as-obama-taps-aneesh
-chopra-for-cto/
-http://www.nextgov.com/nextgov/ng_20090418_7191.php
-http://gcn.com/Articles/2009/04/18/Obama-Aneesh-Chopra-CTO.aspxs
-http://www.scmagazineus.com/Obama-appoints-federal-CTO-industry-applauds-choice/
article/130917/
-http://www.washingtonpost.com/wp-dyn/content/article/2009/04/18/AR2009041801980_
pf.html

Newly Released Documents Shed (a Bit) More Light on FBI's Spyware (April 16, 2009)

Documents obtained under the Freedom of Information Act (FOIA) indicate that the FBI has used technology known as a computer and Internet protocol address verifier, or CIPAV, in a number of cases over the last seven years. CIPAV is spyware that is placed on target computers to gather specific information and send it back to an FBI server. The public became aware of CIPAV in 2007 when it was used to track down the source of a bomb threat against a high school in Washington State. The documents do not detail CIPAV's capabilities, but an affidavit in the Washington case indicates that the information it collects includes the machine's IP and MAC addresses; open ports; programs running on the machine; current logged-in user name and last-visited URL. CIPAV is of particular use to the FBI because it is able to trace even suspects who use proxy servers and other anonymization techniques.
-http://blog.wired.com/27bstroke6/2009/04/fbi-spyware-pro.html

NSA Wiretaps Have Exceeded Limits (April 15, 2009)

US government officials said that the National Security Agency's (NSA) domestic wiretaps have gone beyond established legal limits. The problems were detected during a periodic Justice Department review of NSA activities; officials at DoJ "took comprehensive steps to correct the situation and bring the program into compliance." Last July, legislators passed and then-president Bush signed into law the Foreign Intelligence Surveillance Act (FISA), which gave NSA the authority to conduct wiretaps without warrants against foreign terror and espionage suspects.
-http://www.nytimes.com/2009/04/16/us/16nsa.html?pagewanted=print
-http://www.securityfocus.com/brief/949
[Editor's Note (Schultz): This news item shows just how important President Obama's efforts to get the US government back to operating in accordance with the US Constitution are. ]

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT

Guilty Plea in Pirated Software Case (April 17, 2009)

Gregory William Fair has pleaded guilty to charges of criminal copyright infringement and mail fraud stemming from the sale of pirated software on eBay. Fair sold counterfeit copies of Adobe software through the online auction site using multiple user IDs; the retail market value of the products he sold is estimated to be US $1 million. Fair will forfeit his earnings from the transactions. Fair faces up to 20 years in prison and a fine of up to US $500,000; his sentencing is scheduled for July 8.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxo
nomyName=security&articleId=9131736&taxonomyId=17&intsrc=kc_top

DATA BREACHES, LOSS & EXPOSURE

MySpace Employee Stole Co-Workers' Personal Information (April 18 & 20, 2009)

A MySpace employee allegedly stole personal information, including Social Security numbers (SSNs), of his co-workers. The individual has been identified and fired, but MySpace headquarters remained closed last Thursday; employees were instructed to work from home. The reason given was that MySpace needed conduct analysis of its computer systems "to reduce the possibility of any future breaches." Employees were notified of the breach and assured that the compromised data do not include bank account or medical information.
-http://www.siliconrepublic.com/news/article/12780/digital-life/myspace-insider-d
ata-breach-leads-to-hq-shutdown
-http://www.switched.com/2009/04/18/myspace-fires-employee-after-data-breach/

ATTACKS & ACTIVE EXPLOITS

Secure Shell Attacks (April 18, 2009)

Administrators are being urged to protect their networks from a new wave of Secure Shell (SSH) attacks. The brute force attacks try to crack user names and passwords to gain access to servers. Advice for lessening the likelihood of an attack includes creating complicated usernames and passwords, moving SSH off port 22, and monitoring logs for suspicious activity. This story was first reported by the SANS Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=6214
-http://www.vnunet.com/vnunet/news/2240614/ssh-server-attacks-resurface
[Editor's Note (Schultz): Two of these three recommendations seem sound to me. Moving ssh off of tcp port 22 seems like a "security by obscurity" measure to me, however. Experienced attackers do not need much time to recognize ssh traffic, regardless of the destination port.
(Liston): I recommend disabling password authentication entirely and allowing only PublicKey authentication. I run an SSH honeypot and I can indeed corroborate a huge uptick in PW brute-forcing attacks, most of which are coming from previously compromised machines. Over the past month, I've had over 26,500 separate login attempts from 42 different attacking IPs, using 16,500 different username/pw combinations (10,000 different passwords have been tried for "root"). I've also spent a great deal of personal time lately tracking down the right person inside companies, who SHOULD KNOW BETTER, to tell them that they're running an 0wned box. Monitor both your inbound AND outbound traffic for any spike in SSH connects... these attacks aren't subtle in the least. ]

MISCELLANEOUS

Baker College Wins Cyber Defense Competition (April 20, 2009)

A team of eight students from Baker College in Flint, Michigan took top honors at the National Collegiate Cyber Defense Competition, held April 17-19 in San Antonio, Texas. The contest requires the teams to keep fictional business networks secure and operational while under hostile attack. In 2005, just five teams competed; this year's competition drew 65 teams that were winnowed down at regional competitions prior to last weekend's event.
-http://sev.prnewswire.com/high-tech-security/20090420/DC0144520042009-1.html

---

**********************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/