SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XI - Issue #5

January 20, 2009

A quick question for information security people in the critical infrastructure (especially power, oil & gas, communications, water, and essential manufacturing). Which control systems vendor has done a really good job of baking security into (or adding security on to) the control systems you have purchased from them? We've identified two such vendors to highlight at the SCADA Security Summit in ten days (http://www.sans.org/scada09_summit/), but are hoping asset owners can introduce us to a couple other vendors who have shown real leadership so they can also be recognized.
Alan

---

TOP OF THE NEWS

New York State Disseminates Application Security Procurement Language and Launches Cyber Academy To Ensure Students Learn To Program Securely
Privacy Rights Groups Want Strong Security Measures for Electronic Health Records
If You Can't Beat 'Em, Join 'Em
Report: Boards of Directors Not Focused on IT Security

THE REST OF THE WEEK'S NEWS

ARRESTS, CHARGES, CONVICTIONS & SENTENCES
Store Owner Draws 33-Month Sentence for Card Skimming
Man Indicted for Selling Pirated Software
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
Legislators Angry at VA's Silence About Software Glitches
POLICY AND LEGISLATION
China Considering Online Privacy Law
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
NZ Telecoms Want More Time to Develop Piracy Plan with Film and Music Companies
Isle of Man Wants Blanket P2P License
IFPI: 95 Percent of Downloaded Music is Illegal, But Legal Downloads are Up 25 Percent
ACTIVE EXPLOITS, WORMS & VIRUSES
Downadup Infection Count Up to 9 Million
DATA THEFT, LOSS & EXPOSURE
Forcht Bank Cancels 8,500 Cards After Retailer Breach

---

********************* Sponsored By Sourcefire, Inc. *********************

SANS Real-time Adaptive Security White Paper
Real-time Adaptive Security is the next step beyond an IPS implementation. It gives you full network visibility, provides context around events so you know which ones to investigate first, reduces your false positives dramatically, offers automated impact assessment, introduces automated IPS tuning, and more. Let SANS tell you how. http://www.sans.org/info/37419

*************************************************************************

TRAINING UPDATE

- - SANS 2009 in Orlando in early March - the largest security training conference and expo in the world. lots of evening sessions: http://www.sans.org/sans2009
- - SANS Security West Las Vegas (1/24-2/01) http://sans.org/securitywest09/
- - Looking for training in your own Community? http://sans.org/community/ For a list of all upcoming events, on-line and live: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

New York State Disseminates Application Security Procurement Language and Launches Cyber Academy To Ensure Students Learn To Program Securely (January 12, 2009)

New York CISO Will Pelgrin has made draft language available for organizations (including state agencies in New York and others states) to use to work with their custom software vendors to bake security in. Although the article talks about "demanding" security, in fact the New York State folks are the model of cooperative initiatives and will implement the new language in partnership with all the state vendors. Pelgrin also announced a partnership with top universities and colleges in New York and New Jersey, called the Cyber Academy, dedicated in part to ensuring all students who learn programming at those schools also master secure coding before they graduate.
-http://www.internetnews.com/dev-news/article.php/3796091

Privacy Rights Groups Want Strong Security Measures for Electronic Health Records (January 15, 2009)

US privacy rights and civil liberties advocacy groups have written legislators asking them to ensure that any adoption of electronic health records includes significant security measures. The letters from such groups at the American Civil Liberties Union (ACLU), the National Association of Social Workers and Patient Privacy Rights, ask that patients have the authority to control how their medical records are used and are protected from organizations that share and sell medical information.
-http://www.nextgov.com/nextgov/ng_20090115_7415.php
[Editor's Note (Pescatore): there have been rumblings that HIPAA has been an impediment to the adoption of electronic health records. From what I've seen, most of this has been from industry trying to sell advertising around free systems that host/store medical records for people. As stimulus money starts to flow, it is important that "opt-in" and data protection principles are not abandoned to rush to electronic health records.
(Weatherford): Just reading the 'Data Theft, Loss and Exposure' section of SANS NewsBites twice a week confirms that this is a critical issue. Interestingly, the CSIS Commission report on Cybersecurity for the 44th Presidency devotes some specific language to "Balancing Security and Civil Liberties." BTW, if you haven't read the report yet, it's a nice blueprint for President Obama. (
-http://www.csis.org/component/option,com_csis_pubs/task,view/id,5157/)]

If You Can't Beat 'Em, Join 'Em (January 19, 2009)

The music industry appears to be joining the digital download age. In the UK, a mobile phone service offered by Nokia called "Comes with Music" offers customers who purchase certain phones unlimited "free" downloads of songs from a catalog of over five million selections. Other mobile and Internet services are expected to follow suit, incorporating the cost of the music into the service and access contracts.
-http://www.nytimes.com/2009/01/19/business/worldbusiness/19digital.html?_r=1&
;ref=technology&pagewanted=print
[Editor's Note (Schultz): The RIAA and other, similar groups have tried various approaches to reducing illegal music sharing. Each has failed. The new approach described in this news item makes a great deal of sense- -because music downloading is done so widely, why not just make a large amount of music available and include the cost in ISP service fees?
(Weatherford): The future has arrived..legally! The music industry is preparing for a very difference business model. ]

Report: Boards of Directors Not Focused on IT Security (December 4, 2008)

According to Carnegie Mellon University's CyLab Governance of Enterprise Security Survey, "boards (of directors) are taking risk management seriously, but there is still a gap in understanding the linkage between IT and enterprise risk management." Just 36 percent of respondents indicated that the board of directors at their company was directly involved in the management of the company's information security. The statistics were gathered from a pool of 703 respondents who serve on boards of US-listed public companies. Among the recommendations offered in the study are including IT risks in enterprise risk management planning and establishing a cross-organizational team that will coordinate and communicate about privacy and security.
-http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1341038,00.h
tml
-http://www.bankinfosecurity.com/external/CMU-Governance-report-120408.pdf
[Editor's Note (Paller): What is even sadder than boards of directors not taking security seriously is that college computer science faculty - at Carnegie Mellon where CyLab is and at other great research schools - are systematically ignoring the teaching of secure coding. CyLab could have a profound impact on security in software if it focused its formidable research resources on the parts of Carnegie Mellon that are producing software 'experts' who don't write software securely, and help them become the nation's leaders in teaching secure coding as part of the core curriculum for computer science and related disciplines. ]

---

************************ SPONSORED LINKS ******************************

1) Take part in the SANS 5th Annual Log Management Survey: A Leading Source for Actionable Data on Key Issues and Trends. http://www.sans.org/info/37424
2) Visit the SANS Vendor Demo resource page to see the latest INFOSEC products & solutions in action! http://www.sans.org/info/37429

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

ARRESTS, CHARGES, CONVICTIONS & SENTENCES

Store Owner Draws 33-Month Sentence for Card Skimming (January 16, 2009)

A Redmond, Washington tobacco store owner has been sentenced to nearly three years in prison for skimming payment card information. Hrant "Mike" Aslanyan admitted that he used a card skimmer in his shop to steal information from more than 300 customers. He then used the stolen information to make fraudulent transactions totaling approximately US $300,000. Aslanyan received a 33 month prison sentence to be followed by five years of supervised release. He was also ordered to pay more than US $214,000 in restitution.
-http://blog.seattletimes.nwsource.com/crime/2009/01/16/skimming_sends_redmond_to
bacco.html

Man Indicted for Selling Pirated Software (January 15, 2009)

An Arizona man has been indicted for selling phony software in online auctions. Kurt Kunselman faces charges of wire fraud, criminal copyright infringement and destruction of records with intent to obstruct a federal investigation. Kunselman allegedly offered for sale on eBay illegal copies of software, the copyrights of which are owned by an Oregon company. He is scheduled to appear before a US Magistrate next week.
-http://phoenix.fbi.gov/dojpressrel/2009/ph011509.htm

GOVERNMENT SYSTEMS AND HOMELAND SECURITY

Legislators Angry at VA's Silence About Software Glitches (January 12, 15 & 16, 2009)

US legislators are demanding to know more about a software problem at the VA that put patient care at risk. While there have been no reports that patients were harmed by the problem, the potential for serious consequences existed. The glitches resulted in some patients' information appearing under another patient's name and doctors' orders to stop certain treatments were not clearly displayed, resulting in prolonged IV drug infusions. The VA has known about the glitch since August 2008 and was criticized for not promptly notifying Congress of the problems. Saying that the problem demonstrates a "dangerous lack of accountability," the Chairman of the House Veterans Affairs Committee says he will launch an investigation into the matter.
-http://www.google.com/hostednews/ap/article/ALeqM5hzWcaC_f76P1tpPibAn0aRA83TLQD9
5N3VOO2
-http://www.nextgov.com/nextgov/ng_20090116_9064.php
-http://www.washingtonpost.com/wp-dyn/content/article/2009/01/15/AR2009011501874.
html
[Editor's Note (Northcutt): I suppose the VA should have reported the problem to Congress, but if every software glitch was reported to Congress, nothing would get done. From what I have been reading, the VA system has reduced errors overall and was used to treat 5.8 million patients. President Bush signed the Medicare Prescription Modernization Act (MMA) into law, and Electronic Health Records (HER) was part of President Obama's campaign as a key to reduce health care costs. Massachusetts already transmits 14% of prescriptions electronically, Governors in Arizona and Pennsylvania have signed executive orders to implement e-prescriptions, and the rules for the Medicare Prescription Modernization Act require implementation of MCPDP SCRIPT 8.1 by April of this year. There is no stopping EHR, but we have to do the software right. Lives are at stake, though I will take my chances on an e- prescription over my doctor's handwriting any day of the week. These systems need to be white box/black box tested against the SANS Top 25 Coding Errors and be developed with an engineering methodology such as McGraw's touchpoints. And we need to start building privacy into the system or you can bet your bottom dollar some moron will mail Britney Spears medical record to a tabloid, which might sound funny until it happens to someone in your family.
-http://www.sans.org/top25errors/
-http://www.ssi-sans.org/resources/blog/black_white_box_test.php
-http://www.ehealthinitiative.org/assets/Documents/eHI_CIMM_ePrescribing_Report_6
-10-08_FINAL.pdf]

POLICY AND LEGISLATION

China Considering Online Privacy Law (January 3 & 8, 2009)

The Chinese legislature is considering a law that would crack down on the practice of searching for personal information about individuals and posting that information online, a practice known in the country as "human flesh search engine." The law would apply to people who post information violating others' privacy as well as their website service providers. Portals must comply with victims' requests to have the offending information removed. The proposed legislation was prompted by a lawsuit brought by a man whose reputation was defamed and who received death threats after someone else posted information about his personal problems online.
-http://www.themalaysianinsider.com/index.php/world/15152-cyber-hunters-in-china-
in-for-crash-landing
-http://www.usatoday.com/tech/world/2009-01-08-chinainternet_N.htm

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT

NZ Telecoms Want More Time to Develop Piracy Plan with Film and Music Companies (January 20, 2009)

New Zealand telecommunications companies want to extend the February 28 deadline set for a law that would require them to take action against customers who are suspected of copyright violations. The Telecommunications Carriers Forum says the deadline does not allow enough time to work out a plan with film and music companies. Among the problems is the requirement that ISPs terminate Internet accounts of customers who are allegedly downloading content in violation of copyright law; ISPs could face legal action from their customers as a result.
-http://www.nzherald.co.nz/technology/news/article.cfm?c_id=5&objectid=105525
98

Isle of Man Wants Blanket P2P License (January 19, 2009)

The Isle of Man is seeking to impose a compulsory tax on all broadband ISP subscribers that would enable them to share music with impunity. Geoff Taylor, chief executive of the BPI, approves of the idea. (The BPI is the body that represents British recorded music business.) Some have voiced concern about a mandatory license. A significant number of Internet users are not music sharers and would therefore be required to pay for a service they do not intend to use. In addition, if such a subscription were voluntary, providers would compete for users' business. Record labels could make more money by reaching similar agreements with individual ISPs.
-http://www.theregister.co.uk/2009/01/19/isle_of_man_music_tax/

IFPI: 95 Percent of Downloaded Music is Illegal, But Legal Downloads are Up 25 Percent (January 16 & 19, 2009)

According to a report from the International Federation of the Phonographic Industry (IFPI), 95 percent of all downloaded music is illegal. IFPI statistics indicate that last year, 40 billion music files were shared in violation of copyright law, while just 1.4 billion tracks were downloaded legally. The legal download business has grown 25 percent over the last year to approximately US $3.7 billion and accounts for 20 percent of all sales of recorded music. IFPI chairman John Kennedy said "The recorded music industry is reinventing itself and its business models."
-http://news.bbc.co.uk/2/hi/technology/7832396.stm
-http://www.smh.com.au/news/technology/biztech/almost-all-music-downloads-illegal
-report/2009/01/19/1232213500539.html?page=fullpage#contentSwap1

ACTIVE EXPLOITS, WORMS & VIRUSES

Downadup Infection Count Up to 9 Million (January 18, 2009)

The cyber virus that has been spreading quickly on Windows machines has now infected nearly 9 million PCs worldwide, according to one company's estimate. The virus appears to be spreading scareware, malware that pops up phony alerts about infections on machines in an attempt to get users to purchase phony security software. The malware, which is known as Downadup, Conficker and Kido, exploits a vulnerability that Microsoft addressed with an out-of-cycle patch in October. The malware has been added to the most recent version of Microsoft's Malicious Software Removal Tool, which was released on January 13. The malware can also spread through network shares.
-http://www.washingtonpost.com/wp-dyn/content/article/2009/01/17/AR2009011701778.
html
-http://voices.washingtonpost.com/securityfix/2009/01/tricky_windows_worm_wallops
_mi.html?wprss=securityfix
-http://www.heise-online.co.uk/security/F-Secure-now-claims-nine-million-Conficke
r-infections--/news/112441
-http://news.bbc.co.uk/2/hi/technology/7832652.stm

DATA THEFT, LOSS & EXPOSURE

Forcht Bank Cancels 8,500 Cards After Retailer Breach (January 12 & 19, 2009)

Kentucky's Forcht Bank has cancelled approximately 8,500 debit cards after learning of a data security breach at an unnamed retailer. The affected customers will receive new cards shortly. There have been no reports of fraudulent activity on any of the Forcht bank accounts, but bank officials decided to reissue cards as a precaution. The breach affected cards from multiple banks and debit and ATM networks. The bank learned of the breach from its debit card processor, STAR, which is used by about 2 million ATM and retail locations across the US.
-http://www.thetimestribune.com/local/local_story_019085151.html
-http://www.forchtbankky.com/?page=alert

---

**********************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)


John Pescactore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Ron Dick headed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.


Alan Paller is director of research at the SANS Institute


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/