SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XI - Issue #58

July 24, 2009

A present from the Internet Storm Center handlers. The volunteers who
staff the Internet Storm Center are widely regarded as the most
knowledgeable group of cyber security experts. They come together each
summer to brief 1,000 people on new things they have been learning.
Twelve of their talks are now accessible at
https://www.sans.org/sansfire09/night.php

The Twenty Most Important Controls and Metrics for Effective Cyber
Security, published by CSIS, are quickly becoming a minimum standard of
due care for government agencies and regulated industries (see:
http://csis.org/files/media/csis/pubs/090223_cag_1_0_draft4.1.pdf)

Organizations evaluating whether and how to implement the 20 Critical
Controls (also called the CAG) will find two courses especially useful:
A two day bootcamp called Security 440 is offered in Virginia Beach in
August, San Diego in September and Chicago in October, plus live-on line
in September.
See http://www.sans.org/training/description.php?mid=1302
A full five-day program, called Security/Audit 556 will be offered in
Washington in December
http://www.sans.org/cyber-defense-initiative-2009/description.php?tid=3617

Alan

---

TOP OF THE NEWS

Study Says Government Facing Shortage of Cyber Security Talent
Kundra Letter Addresses Need to Correct Flaws in FISMA Cyber Security Metrics
Committee Attaches Disclosure Requirements to FY10 Intelligence Authorization Bill
Information Commissioner's Office Will Have Authorization to Impose Fines Next Year

THE REST OF THE WEEK'S NEWS

GOVERNMENT SYSTEMS AND HOMELAND SECURITY
Ministry of Defence Lost Server Last Year
VULNERABILITIES
Adobe Will Patch Critical Flaw in Flash, Reader, and Acrobat Next Week
Adobe Site Offers Vulnerable Version of Reader
Conflicting Reports on Flaw in Firefox 3.5.1
UPDATES AND PATCHES
Mozilla Releases Security Update for Firefox 3.0
DATA LOSS & EXPOSURE
HSBC Firms Fined GBP 3.2 Million (US $5.28 Million) for Data Handling Problems
ATTACKS & ACTIVE EXPLOITS
Malicious Banner Ads Infect Some Digital Spy Subscribers' Computers
MISCELLANEOUS
Windows 7 Released to Manufacturing

---

****************** Sponsored By Skybox Security, Inc. *******************

Forrester Live Webcast: Rule Your Firewalls with Automated Firewall Auditing Many organizations have dozens of firewalls with hundreds of rules- making it impossible to manually assess and ensure firewall compliance and security. In this webcast, John Kindervag from Forrester and Gidi Cohen from Skybox Security discuss the critical need for better firewall management, and why automated firewall audit solutions are an indispensible IT tool. http://www.sans.org/info/46309

*************************************************************************

TRAINING UPDATE

- - SANS Network Security, San Diego Sept. 14-22; the Fall's biggest security training conference-- 20 full length courses and 16 short courses plus a big exhibition http://www.sans.org/ns2009
- - SANS Boston, Aug 2-9 (6 full-length hands-on courses) https://www.sans.org/boston09/index.php
- - The Virtualization and Cloud Security Summit on August 17-18 in Washington; courses in the following days http://www.sans.org/info/43118
Looking for training in your own community? http://sans.org/community/ Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/spring09.php
Plus Amsterdam, London, Dubai, Riyahd, Cairo, Melbourne, Canberra, and Singapore all in the next 90 days. For a list of all upcoming events, on-line and live: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

Study Says Government Facing Shortage of Cyber Security Talent (July 22 & 23, 2009)

Although President Obama has called the threat of cyber attacks "one of the most serious economic and national security challenges," the government is likely to be facing a shortage of well-qualified cyber security specialists, according to a study from the Partnership for Public Service and Booz Allen Hamilton. The report lists "four primary challenges" facing the government: an insufficient supply of talent; the decentralized culture of the government regarding human resources; a "cumbersome hiring process" that discourages talented potential applicants; and "a disconnect between front-line hiring managers and government HR specialists" regarding what constitutes a well-qualified cyber security professional. The report offers recommendations for agencies and for the administration and Congress to help overcome these hurdles.
-http://ourpublicservice.org/OPS/publications/viewcontentdetails.php?id=135
-http://www.nextgov.com/nextgov/ng_20090722_1445.php?oref=topnews
-http://www.theregister.co.uk/2009/07/22/federal_cybersecurity_shortage/
-http://news.smh.com.au/breaking-news-technology/us-lacks-tech-talent-for-cyber-d
efense-study-20090723-dug1.html
-http://www.cnn.com/2009/POLITICS/07/22/cyber.security/index.html
[Editor's Note (Northcutt): I think this is worth reading, but it is not ground breaking. The most interesting thing is the ratio of contractors to government people with IT skills. I have been spending a lot of time at DoD sites and have met a lot of people who previously were contractors and have recently converted to government employment.
-http://ourpublicservice.org/OPS/publications/download.php?id=135]

Kundra Letter Addresses Need to Correct Flaws in FISMA Cyber Security Metrics (July 21, 2009)

In a letter to the Government Accountability Office (GAO) director of information security issues Gregory Wilshusen, US federal CIO Vivek Kundra says that the Office of Management and Budget (OMB) is looking for new ways to measure government agencies' cyber security postures. Currently, agencies pour their reporting resources into demonstrating compliance with the Federal information Security Management Act (FISMA), which does not provide a clear picture of agencies' abilities to manage cyber threats. Kundra called FISMA compliance data "trailing, rather than leading indicators" of agencies' preparedness. Kundra noted that "we need metrics that give insight into agencies' security postures and possible vulnerabilities on an on-going basis."
-http://www.networkworld.com/news/2009/072109-omb-eyes-new-metrics-for.html
-http://gcn.com/articles/2009/07/20/kundra-gao-fisma-compliance.aspx?sc_lang=en
[Editor's Note (Schultz): FISMA was a dead horse a long time ago. Being FISMA- compliant amounts, in effect, to successfully completing a gigantic, bureaucratic paperwork exercise. Surely the US government is capable of coming up with better information security standards. ]

Committee Attaches Disclosure Requirements to FY10 Intelligence Authorization Bill (July 23, 2009)

Funding for cyber security programs initiated by the US government will depend in part upon disclosure of each program's legality and privacy impact. The Senate Intelligence Committee provisions attached to the FY10 intelligence authorization bill also require the administration to inform Congress of all new and existing cyber security programs that involve personally identifiable information.
-http://www.nextgov.com/nextgov/ng_20090723_1951.php?oref=topnews
-http://fcw.com/articles/2009/07/23/bill-to-require-added-cybersecurity-oversight
.aspx
[Editor's Note (Pescatore): Since the current administration's approach is to put cybersecurity leadership under Intelligence, the focus stays on monitoring attacks not preventing or blocking them. This is not a good thing. ]

Information Commissioner's Office Will Have Authorization to Impose Fines Next Year (July 23, 2009)

As of April 2010, the UK Information Commissioner's Office (ICO) will have the authority to levy new fines against organizations that fail to adequately protect personal data. The amount of the fines has not yet been determined. The ICO will have the power to impose fines when it determines that an organization has knowingly and/or recklessly violated one of the eight principles of the Data Protection Act.
-http://www.theregister.co.uk/2009/07/23/ico_fines/
[Editor's Note (Honan): Given that there are no mandatory breach disclosure laws in the UK, this is a positive move as there is now a financial stick to help ensure companies properly protect personal data. ]

---

THE REST OF THE WEEK'S NEWS

Ministry of Defence Lost Server Last Year (July 21, 2009)

In detailing data loss incidents as part of its Annual Report and Accounts document, the UK's Ministry of Defence (MOD) acknowledged losing a server from a secured building in 2008. MOD also listed the loss of personal data belonging to 1.7 million people when a portable hard drive disappeared from a contractor's office. In another incident last August, a MOD computer experienced "catastrophic failure" and backup was unsuccessful, resulting in the loss of medical records of approximately 1,150 servicemen and their dependents.
-http://www.eweekeurope.co.uk/news/mod-admits-losing-an-entire-server-1432

Adobe Will Patch Critical Flaw in Flash, Reader, and Acrobat Next Week (July 22 & 23, 2009)

Adobe plans to release fixes for a critical vulnerability in Flash, Reader, and Acrobat next week. The company has apparently known about the flaw for more than six months. According to the Adobe security advisory, the flaw affects current versions of Flash for Windows, Macintosh, and Linux, and the authplay.dll component that ships with current versions of Reader and Acrobat for Windows, Macintosh, and UNIX. The patches for Flash are scheduled to be available by July 30 and the patches for Reader and Acrobat on Windows and Macintosh should be available by July 31. The flaw is already being actively exploited. ISC:
-http://isc.sans.org/diary.html?storyid=6847
-http://voices.washingtonpost.com/securityfix/2009/07/attackers_target_new_adobe_
fla.html
-http://news.cnet.com/8301-27080_3-10293389-245.html?part=rss&subj=news&t
ag=2547-1009_3-0-20
-http://www.computerworld.com/s/article/9135826/Adobe_promises_patch_for_seven_mo
nth_old_Flash_flaw?source=rss_security
-http://www.theregister.co.uk/2009/07/22/adobe_flash_attacks_go_wild/
-http://www.v3.co.uk/v3/news/2246645/adobe-confirms-zero-day
-http://www.adobe.com/support/security/advisories/apsa09-03.html

Adobe Site Offers Vulnerable Version of Reader (July 21 & 22, 2009)

The version of Adobe Reader currently offered for download on the company's website leaves users' computers vulnerable to attacks. Adobe Reader version 9.1 contains several security flaws that are patched in updated versions of the program; the most current version of Reader available is 9.1.2. It should be noted that Reader 9.1 includes an updater, which will eventually search for more current updates, but Adobe is facing criticism for not placing the most thoroughly vetted versions of their program on the download site. Adobe's practice has been to issue the single dot releases, such as 9.0 and 9.1, as "full installers," while double dot releases, such as 9.1.1 and 9.1.2, are patches only and require that the applicable full release already be installed.
-http://www.h-online.com/security/Adobe-continues-distributing-insecure-Reader--/
news/113809
-http://www.computerworld.com/s/article/9135740/Adobe_admits_users_vulnerable_aft
er_downloading_Reader
-http://www.theregister.co.uk/2009/07/22/outdated_adobe_reader_downloads/

Conflicting Reports on Flaw in Firefox 3.5.1 (July 19 & 20, 2009)

While reports from several sources suggest that the just-released update for Firefox, version 3.5.1, contains a code injection flaw, Mozilla maintains that the vulnerability is "a non-exploitable denial-of-service due to memory exhaustion." The flaw has been demonstrated to crash the browser. Proof-of-concept exploit code for the vulnerability has been published.
-http://isc.sans.org/diary.html?storyid=6838
-http://blog.mozilla.com/security/2009/07/19/milw0rm-9158-stack-overflow-crash-no
t-exploitable-cve-2009-2479/
-http://www.theregister.co.uk/2009/07/20/firefox_flaw/
-http://www.h-online.com/security/Buffer-overflow-in-Firefox-3-5-1-Update--/news/
113792

Mozilla Releases Security Update for Firefox 3.0 (July 22, 2009)

Mozilla has released an update for Firefox 3.0.x that addresses several critical vulnerabilities in the older version of the browser. Many of the vulnerabilities addressed in the Firefox 3.1.12 release are fixed in Firefox 3.5.x. Mozilla issued Firefox 3.5 in June and last week released an update, version 3.5.1, to address a critical vulnerability. Users still running Firefox 3.0.x are urged to upgrade to 3.5.x at their earliest convenience as Mozilla will cease support for Firefox 3.0.x in January 2010.
-http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.
12
-http://www.computerworld.com/s/article/9135794/Mozilla_patches_11_serious_bugs_i
n_older_Firefox_3?source=rss_security
-http://www.theregister.co.uk/2009/07/22/older_firefox_update/
-http://www.h-online.com/security/Firefox-3-0-12-patches-critical-vulnerabilities
--/news/113816
-http://news.cnet.com/8301-1009_3-10292587-83.html?part=rss&subj=news&tag
=2547-1009_3-0-20s

HSBC Firms Fined GBP 3.2 Million (US $5.28 Million) for Data Handling Problems (July 22 & 23, 2009)

The Financial Services Authority (FSA) has fined three HSBC firms GBP 3.2 million (US $5.28 million) for careless handling of customers' personal information. In February 2008, HSBC, the largest bank in Europe, sent an unencrypted CD containing information on approximately 369,000 insurance policies to an office in Folkestone through the mail. The CD was lost; the data security breach affected more than 180,000 customers. The ensuing investigation revealed that HSBC had lost another disk containing customer data when they were sent through the mail and that "large amounts of unencrypted customer details had been sent via post or courier to their parties."
-http://www.h-online.com/security/HSBC-fined-Lb3-2-million-for-data-loss--/news/1
13833
-http://news.bbc.co.uk/2/hi/business/8162787.stm
-http://www.v3.co.uk/v3/news/2246556/hsbc-hit-3m-fine-breach
-http://www.zdnetasia.com/news/business/0,39044229,62056295,00.htm
-http://www.fsa.gov.uk/pages/Library/Communication/PR/2009/099.shtml

Malicious Banner Ads Infect Some Digital Spy Subscribers' Computers (July 20, 2009)

The computers of US and Australian subscribers to the Digital Spy gossip website have been infected with malware from banner ads on the site. Infected users have reported anti-virus scanners warning of malware and being redirected to sites they did not intend to visit. The malicious content came through an advertising exchange and affected other sites in addition to Digital Spy.
-http://www.theregister.co.uk/2009/07/20/digital_spy_malware/

Windows 7 Released to Manufacturing (July 22 & 23, 2009)

Microsoft Windows 7 and Microsoft Windows Server 2008 R2 have been released to manufacturing, putting the operating system on track for a late October launch. The RTM will be available to Microsoft partners over the next few weeks to allow time to ensure product interoperability.
-http://www.microsoft.com/Presspass/press/2009/jul09/07-22Windows7RTMPR.mspx
-http://www.usatoday.com/tech/products/software/2009-07-23-microsoft-windows_N.ht
m?csp=34
-http://www.informationweek.com/news/windows/operatingsystems/showArticle.jhtml?a
rticleID=218600379
-http://money.cnn.com/2009/07/23/technology/microsoft_windows_7/?postversion=2009
072313
[Editor's Note (Schultz): I, for one, cannot wait for Windows 7. Vista just hasn't worked out for me, and Windows 7 appears to solve most of the usability and performance problems with which Vista has been plagued. ]

---

**********************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/