SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XI - Issue #40

May 22, 2009

TOP OF THE NEWS

IT Managers Feel Pressured to Relax Security Policies
GAO Report Says Federal Agencies Still Have Security Control Deficiencies
Deleted Photos Do Not Always Disappear Right Away

THE REST OF THE WEEK'S NEWS

LEGAL ISSUES
Defense Lawyer in Palin eMail Hacking Case Says Messages Already a Matter of Public Record
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
Malware Infects Computers at US Marshals Service and FBI
Missing Hard Drive Holds Clinton Presidency Data
VULNERABILITIES
Java Flaw Still Unpatched in OS X
UPDATES AND PATCHES
Adobe to Establish Regular Security Updates
DATA LOSS & EXPOSURE
Laptop Stolen From Car Holds UK Soldiers' Data
Former Texas State Lottery Employee Arrested for Alleged Data Theft
ATTACKS & ACTIVE EXPLOITS
Ball State Server Breach Not Due to IIS Flaw
IMPORTANT SECURITY RESEARCH (a new section in NewsBites)
Interesting Opportunities for both AJAX Technologies and Hacking Communities

---

************************** Sponsored By CA ******************************

Web-Based Security for Business Enablement

While "secure" and "Web" were once incompatible notions, they are now co-elements that support dynamic Web-based commerce. Technologies such as Web access management, single sign-on, identity management, federation, and strong authentication - when leveraged together - represent a more efficient way to conduct IT-enabled business. This IDC whitepaper explores how competitive advantage can be effectively realized through secure Web business enablement technologies. Learn more...
http://www.sans.org/info/43893

*************************************************************************

TRAINING UPDATE

- - SANSFIRE in Baltimore 6/13-6/20 (24 long courses, 12 short courses) http://www.sans.org/sansfire09/event.php
- - Pen Testing and Web Application Attack Summit - June 1-2 http://www.sans.org/pentesting09_summit
- - Rocky Mountain SANS, July 7-13 (6 full-length hands-on courses) http://www.sans.org/rockymnt2009/event.php
- - SANS Boston, Aug 2-9 (6 full-length hands-on courses) https://www.sans.org/boston09/index.php
- - National Forensiscs Summit, July 6-14 http://www.sans.org/forensics09_summit/
Looking for training in your own community? http://sans.org/community/ Save 25% on all On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/spring09.php Plus Amsterdam, London, Dubai, Riyahd, Cairo, Melbourne, Canberra, and Singapore all in the next 90 days. For a list of all upcoming events, on-line and live: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

IT Managers Feel Pressured to Relax Security Policies (May 20, 2009)

According to a recent survey of 1,300 IT managers, 86 percent said they were being pressured by company executives, marketing departments, and sales departments to relax web security policies to allow access to web-based platforms such as Google Apps. Nearly half of respondents said some employees bypass security policies to access services like Twitter and Facebook. More than half of the respondents noted that they lacked the means to detect embedded malicious code and prevent URL redirect attacks.
-http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1356896,00.h
tml#
[Editor's Note (Pescatore): The risks of allowing employees to access Facebook and Twitter and the like are not all that different from allowing web access in general. Providing web security services that do inbound filtering in addition to outbound blocking is absolutely required these day - and the ability to extend that protection via proxied services to protect laptop users is needed, as well. Using Google Apps for business data storage and collaboration is a whole 'nuther' issue - a lot of missing business-strength security and reliability capabilities still need to be added.
(Ranum): It's easy to make such decisions in a short-term context since "nothing bad has happened yet." Risk-taking is rewarded in the short-term and paid for in the long run in the form of massive expenses to "fix" the problem later. Unfortunately, it's sometimes impossible to fix the problems later and we just grit our teeth and pay through the nose. That's computer security in a nutshell.
(Paller) People do a lot of risky things, such as driving cars, because the convenience and value are worth the risk. The convenience and value of cloud computing are worth the risk - but the equation becomes MUCh better if we take John Pescatore's approach and bake much stronger controls in, to lower that risk to more acceptable levels. ]

GAO Report Says Federal Agencies Still Have Security Control Deficiencies (May 21, 2009)

According to a report from the US Government Accountability Office (GAO), all but one of the 24 major government agencies have weak data access control in their information security programs. The report examines how the agencies are adopting regulations specified in the Federal information Security Management Act (FISMA).
-http://www.scmagazineus.com/GAO-report-finds-security-lagging-at-federal-agencie
s/article/137221/
-http://www.gao.gov/new.items/d09701t.pdf
[Editor's Note (Schultz): FISMA, which in reality amounts to little more than a gigantic, bureaucratic paperwork exercise, is a dinosaur. It is well time for the US government to move on to more relevant information security regulations. ]

Deleted Photos Do Not Always Disappear Right Away (May 21, 2009)

Researchers have found that photos posted on social networking websites are sometimes available even after users have deleted them. The researchers posted photographs on 16 social networking and Web 2.0 sites, retained records of their associated URLs, and then deleted the images. A month after the pictures were supposed to have been removed, the researchers were able to access them through the URLs on seven of the 16 sites. Photo sharing websites like Flickr appear to do a good job to removing the images, but other sites do not remove the pictures from their photo servers even after users delete them from the main website. A Facebook spokesperson says that the URLs continue to work for a while after users delete pictures because the images will exist on the Content Delivery Network (CDN) until they are overwritten.
-http://www.theregister.co.uk/2009/05/21/zombie_photos/
-http://news.bbc.co.uk/2/hi/uk_news/8060407.stm
[Editor's Note (Schultz): These findings are not at all surprising. Wayback has been serving web pages from the past for years. ]

---

*************************** Sponsored Links: ****************************

1) See How Forrester Rates Leading Content Security Solutions. Download the Forrester Wave Report
http://www.sans.org/info/43903

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

LEGAL ISSUES

Defense Lawyer in Palin eMail Hacking Case Says Messages Already a Matter of Public Record (May 20, 2009)

A lawyer on the defense team for David Kernell, the Tennessee college student accused of illegally accessing the emails of Alaska Governor and then-vice-presidential candidate Sarah Palin, says that a judge had already declared Palin's emails to be a matter of public record. Furthermore, the photographs that Kernell allegedly accessed were not private either, attorney Wade Davies argued, because Governor Palin and her family had already been "the subjects of untold numbers of photo ops."
-http://www.wired.com/threatlevel/2009/05/palin-hack

GOVERNMENT SYSTEMS AND HOMELAND SECURITY

Malware Infects Computers at US Marshals Service and FBI (May 21, 2009)

Part of the computer system at the US Marshals Service was shut down Thursday morning after malware was detected. The decision was made to shut down Internet access and some email service to prevent the spread of the malware while the infection is being cleared up. No data have been compromised. The agency was running Windows-based systems that had anti-malware software installed, but the software had not been updated in more than three years despite the agency having paid for upgrades that would have protected against the malware. In addition, the Windows Operating Systems did not have the relevant patches applied that would have prevented the malware from infecting the machines.
-http://www.msnbc.msn.com/id/30873876/
-http://www.networkworld.com/news/2009/052109-marshall-malware.html?hpg1=bn
-http://www.foxnews.com/story/0,2933,521040,00.html
[Editor's Note (Ullrich): Three year old anti-virus? What took so long to get them infected?
(Honan): One thing that often gets overlooked in Incident Response is communications, especially external communications to third parties such as the media. I find it interesting that the Network World article quotes the receptionist in the US Marshals Service's Press Office. Review your IR plan to ensure that all staff know who should communicated what to whom and when they can do so.]

Missing Hard Drive Holds Clinton Presidency Data (May 19 & 20, 2009)

Federal investigators are looking into the disappearance of a hard drive from the US National Archives facility in College Park, Maryland. The drive holds a considerable amount of information from Bill Clinton's presidency. It has not yet been determined if the device was stolen or misplaced. A backup of all the information contained on the drive does exist; an initial review indicates that the drive does not contain classified information pertinent to national security. A US $50,000 reward is being offered for information leading to the device's recovery.
-http://www.nytimes.com/2009/05/20/us/20archives.html?ref=us
-http://www.washingtonpost.com/wp-dyn/content/article/2009/05/19/AR2009051903598.
html
-http://news.cnet.com/8301-1009_3-10246004-83.html?part=rss&subj=news&tag
=2547-1009_3-0-20
-http://fcw.com/Articles/2009/05/20/Web-NARA-missing-hard-drive.aspx

VULNERABILITIES

Java Flaw Still Unpatched in OS X (May 19 & 20, 2009)

In December 2008, Sun Microsystems warned of a flaw in its Java virtual machine that could be exploited to execute code on vulnerable computers. Although the problem has been addressed in Windows and major Linux distributions, Apple has not issued a fix for the vulnerability, despite having recently issued a major security upgrade. The flaw is being actively exploited, and attack code that specifically targets the flaw in Mac OS X has been posted in an attempt to draw attention to the unpatched vulnerability. Mac users are urged to disable Java applets in their browsers until a fix is made available.
-http://www.theregister.co.uk/2009/05/19/unpatched_apple_vulnerability/
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9133350
-http://www.techweb.com/article/showArticle?articleID=217600344§ion=News
-http://www.h-online.com/security/Exploit-for-unpatched-vulnerability-in-Mac-OS-X
-Update--/news/113337
[Editor's Note (Schultz): Mac users too often assume that their machines are not vulnerable to attacks, but reality dictates otherwise. News of this latest security flaw is yet another indication that Mac OS X is by no means invincible to attacks.
(Ullrich): Apple's reliance on third party / open source software, and it's inability to release timely patches in sync with other vendors is a big threat currently only mitigated by the obscurity of the platform. A modern day software company just can't afford to wait months to release a patch for a publicly known vulnerability. Microsoft learned this lesson the hard way. ]

UPDATES AND PATCHES

Adobe to Establish Regular Security Updates (May 20 & 21, 2009)

Adobe has announced that it will institute a quarterly security update schedule for its Reader and Acrobat products to harden code and improve its response to reported security flaws. Adobe plans to start the program this summer; it will be timed to coordinate with Microsoft's monthly security bulletin release. The quarterly updates will not include fixes for Flash Player, Adobe Air or other products.
-http://blogs.zdnet.com/security/?p=3442
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9133348
-http://www.securecomputing.net.au/News/145611,adobe-to-issue-scheduled-patches-i
nvest-more-in-code-review.aspx
-http://www.h-online.com/security/Adobe-to-release-quarterly-security-updates--/n
ews/113346

DATA LOSS & EXPOSURE

Laptop Stolen From Car Holds UK Soldiers' Data (May 20, 2009)

A laptop computer stolen from a parked car near Edinburgh holds personally identifiable information of thousands of soldiers. The computer was left in the vehicle overnight late last month by a Ministry of Defence employee. The computer had been missing until a woman who found it discovered the confidential data on it and turned it in to authorities. Military police and detectives from the police force's Crime Investigation Department (CID) are investigating the incident.
-http://news.scotsman.com/scotland/Army39s-stolen--laptop-sparks.5283785.jp

Former Texas State Lottery Employee Arrested for Alleged Data Theft (May 20, 2009)

A man who used to work for the Texas state lottery has been arrested and charged with possession of personally identifiable information of 140 lottery employees and winners. Joseph Mueggenborg had been working for the Lottery Commission in 2007 when the data were allegedly taken; he was fired from his position at the Comptroller of Public Accounts in August 2008 after the data were discovered on a computer at that agency. The stolen data include names and Social Security numbers (SSNs). When authorities arrested Mueggenborg earlier this week, they discovered he was receiving training for another state government job, this one at the Texas Department of Licensing and Regulation. A spokesperson for that department said they were unaware that Mueggenborg had been fired from his previous job and was under investigation when he was hired less than a month ago.
-http://www.chron.com/disp/story.mpl/front/6434281.html

ATTACKS & ACTIVE EXPLOITS

Ball State Server Breach Not Due to IIS Flaw (May 21, 2009)

Ball State University network administrators now say that a computer security breach at the Muncie, Indiana school was due to misuse of an authorized Ball State user account and not to an exploit of a known zero-day privilege elevation vulnerability in Microsoft's Internet Information Services (IIS) web server, as was previously reported. Microsoft issued a warning about the flaw earlier this week; the vulnerability affects IIS version 5 and 6.
-http://www.theregister.co.uk/2009/05/21/ball_state_retracts/
-http://www.theregister.co.uk/2009/05/20/iis_bug_fells_university_server/
The Internet Storm Center posted pointers to information from Microsoft to help administrators find and deal with this vulnerability
-http://isc.sans.org/diary.html?storyid=6433&rss

IMPORTANT SECURITY RESEARCH

Interesting Opportunities for both AJAX Technologies and Hacking Communities

XMLHttpRequest, the backbone of Web 2.0 applications, is a powerful JavaScript function that allows the flexible creation of HTTP requests. There is no doubt that the security research community and hackers will leverage this newly gained cross domain function in their future arsenal, but first, they'll have to get past the various controls put in place by the W3C standard. Find out more about the effective web app and secure coding practices at
-http://www.sans.org/reading_room/application_security/.
The series of papers also includes Protecting Your Web Apps: Two Big Mistakes and 12 Practical Tips to Avoid Them, which describes some of the best defenses against improper input validation and output filtering.

---

**********************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/