
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XI - Issue #68

August 28, 2009

TOP OF THE NEWS

Appeals Court Says Plain View Doctrine Does Not Apply to Electronic Searches
Proposal Would Require UK ISPs to Suspend Internet Connections of Habitual Copyright Violators
More Insider Security Incidents Are Accidental Than Deliberate
Pay for Cyber Security Certifications Exceeds All Others; Certain Skills In High Demand

THE REST OF THE WEEK'S NEWS

ARRESTS, INDICTMENTS & SENTENCES
Gonzalez Reportedly in Plea Talks with Government
Tenenbaum Pleads Guilty to Fraud
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
FBI Investigating Mysterious Laptop Deliveries
Lost USB Stick Contains Nearly Three Times as Many Records as First Reported
DHS to Conduct Cyber Storm III Drill in September 2010
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Judge Orders Torrent Site to Remove Links to Copyrighted Material
VULNERABILITIES
Cross-Site Scripting Flaw in Twitter
UPDATES AND PATCHES
Google Addresses Serious Flaws in Chrome Update
STUDIES AND STATISTICS
National Search for The Best Security Awareness Videos


******************** Sponsored By HP (SPI Dynamics) *********************

Today's security challenges: Hundreds of applications. Few security experts. Looming compliance deadlines. Tight budgets. Join HP & security experts from around the world for a virtual conference on Sept. 29-30. We'll discuss these challenges in the context of emerging Web 2.0 & Cloud technologies. "HP Functionality, Performance & Security Testing in today's application realities." Register Now.

https://www.sans.org/info/47899

*************************************************************************

TRAINING UPDATE

- - SANS Network Security, San Diego Sept. 14-22; the Fall's biggest security training conference-- 20 full length courses and 16 short courses plus a big exhibition
https://www.sans.org/ns2009
- - SANS Virginia Beach August 28 - Sept. 4. 11 full-length courses plus short courses:
https://www.sans.org/vabeach09/
- - The Virtualization and Cloud Security Summit on August 17-18 in Washington; courses in the following days
https://www.sans.org/info/43118
- - Looking for training in your own community?
https://sans.org/community/
Save on On-Demand training (30 full courses) - See samples at https://www.sans.org/ondemand/
- - For a list of all upcoming events, on-line and live:
http://www.sans.org

*************************************************************************

TOP OF THE NEWS

Appeals Court Says Plain View Doctrine Does Not Apply to Electronic Searches (August 27, 2009)

A federal appeals court has ruled that the so-called "plain view doctrine," under which evidence may be seized if it is within plain view during a legitimate search, does not apply to electronic searches. At issue are records pertaining to a government investigation of a company suspected of providing illegal steroids to professional baseball players. Investigators had obtained a warrant to search computers at Comprehensive Drug Testing, Inc. for records of 10 specific players. Instead, the investigators seized and examined records of hundreds of other players and other individuals. In the opinion, Chief Judge Alex Kozinski observed that the government ignored caveats in the warrant and should not be permitted to "benefit from its own wrongdoing." Judge Kozinski also said that if the government's argument prevailed, its prosecutors would be impelled to seize more information than they need. "The process of segregating electronic data that is seizable from that which is not must not become a vehicle for the government to gain access to data which it has no probable cause to collect."
-http://www.computerworld.com/s/article/9137209/Court_ruling_limits_electronic_searches?source=rss_security
-http://www.ca9.uscourts.gov/datastore/opinions/2009/08/26/05-10067eb.pdf
[Editor's Note (Schultz): This is an extremely significant ruling, one that is likely to set a precedent in electronic data searches for years to come. ]

Proposal Would Require UK ISPs to Suspend Internet Connections of Habitual Copyright Violators (August 25 & 26, 2009)

The UK government is considering establishing a policy that would require Internet service providers (ISPs) to suspend the Internet service of customers who are downloading copyrighted material in violation of copyright law. Earlier versions of the proposals recommended a graduated response to subscribers found to be violating copyright laws; under those recommendations, subscribers would be notified that their activity was illegal, and if they persisted, their Internet connection would be slowed. The added disincentive of suspending subscribers' Internet connections was proposed when copyright holders complained that the earlier version did not go far enough. The proposal would need to be approved by the British Parliament before it takes effect. UK ISP Talk Talk says the new proposal probably "breach[es] fundamental rights." Other ISPs are unhappy about the possibility as well.
-http://www.computerworld.com/s/article/9137169/British_proposal_to_cut_Web_access_to_copyright_infringers_draws_protest
-http://www.msnbc.msn.com/id/32551437/ns/technology_and_science-security/
-http://www.timesonline.co.uk/tol/news/politics/article6809329.ece
-http://news.bbc.co.uk/2/hi/technology/8219652.stm

More Insider Security Incidents Are Accidental Than Deliberate (August 25 & 27, 2009)

According to research from RSA, more security incidents arise from incompetence than from malicious insider attacks. Although security spending is focused more on stemming the threat of deliberate insider attacks than on preventing accidental breaches, 52 percent of the 400 survey respondents said they perceived insider incidents as accidental; just 19 percent perceived them to be deliberate.
-http://www.theregister.co.uk/2009/08/25/rsa_accidental_security_breach_survey/
-http://news.bbc.co.uk/2/hi/technology/8215467.stm

[Editor's Note (Schultz): The results of the RSA study dovetail nicely with the results of similar studies conducted earlier. A tenable hypothesis is that individuals who are unhappy or angry at work tend to exert less effort, making them more mistake-prone.

(Hoelzer): Finally a main stream report of what we in the trenches have been trying to tell business for years. We'll have to see if this allows businesses to approach risk and controls more appropriately.

(Honan): I have always been sceptical about the high percentage of attacks attributed to insiders. I recommend that you analyse your own security incident data to see how many security incidents were accidental, how many were due to insiders being duped by external parties and how many were deliberate insider attacks. Having that type of data would be invaluable in developing your security awareness programmes.]

Pay for Cyber Security Certifications Exceeds All Others; Certain Skills In High Demand (July 26, 2009)

While pay for all certifications fell by more than four percent in the second quarter of 2009, pay for security certifications rose two percent, according to the Foote Partners Quarterly IT Pay Update, which aggregates information provided by 84,000 IT professionals at 2,000 employers. The difference is even greater over the past six months. Because employers use compensation strategically and tactically to attract and retain critical talent, this variance shows the increasing importance employers are placing on cyber security skills. In fact, the Foote Partners updated Hot List of the certifications most in demand showed six of the top ten certifications were security certifications including the number one rated CERT: GIAC Certified Incident Handler. A surprising finding is that neither CISSP nor CISM showed up on the Hot List that included 24 certifications in all. Instead the Hot Certifications were the very technical security certs from GIAC and Checkpoint and Cisco. Moreover, although CISSP certification is still ranked number three on the list of highest paid certifications, GIAC Security Leadership and GIAC Security Engineer certifications passed CISSP for the first time. In an interview with Bank Information Security, David Foote reports a surge in demand for security people with strong technical skills including incident analysis and handling, IDS, firewalls, forensics, and vulnerability analysis.
-http://www.footepartners.com/FooteNewsRelease_July2009ITlabortrends_072609V2.pdf
[Editor's Note (Honan): While technical skills are critical to implementing effective security controls we should not forget that security professionals need to hone the softer skills of communication (both verbal and oral), people skills and developing policies and procedures.]


************************** Sponsored Links: ***************************

1) Very cool summit on data leakage protection - probably the best that has ever been run. Agenda at:

https://www.sans.org/data-leakage-prevention-2009/agenda.php

2) Register today for SANS vLive course, Audit 423: SANS(r) +S(tm) Training for the CISA(r) Certification Exam and receive 10% discount.

https://www.sans.org/info/47904

3) Be sure to register NOW for the Tool Talk Webcast: The Future of SIM and Log Management - Becoming a Part of the Mainstream, IT Operations and Service Delivery.

http://www.sans.org/info/47909

***********************************************************************

THE REST OF THE WEEK'S NEWS

Gonzalez Reportedly in Plea Talks with Government (August 27, 2009)

An unnamed source says that accused hacker Albert Gonzalez is in plea talks with the US government. Gonzalez was allegedly involved in a number of data security breaches, including those at Heartland Payment Systems and Hannaford Bros. In all more than 170 million credit and debit card accounts were compromised.
-http://www.msnbc.msn.com/id/32586024/ns/technology_and_science-security/

Tenenbaum Pleads Guilty to Fraud (August 26 & 27, 2009)

Ehud Tenenbaum has pleaded guilty to one count of bank card fraud for his role in break-ins in which more than US $10 million were stolen. He was arrested in Canada in 2008 in connection with another scheme, but before he was prosecuted there, the US extradited Tenenbaum to face charges in this case. He will face up to 15 years in prison when he is sentenced in November. More than a decade ago, Tenenbaum made headlines for hacking into computer networks at the Pentagon and NASA.
-http://www.wired.com/threatlevel/2009/08/analyzer/
-http://www.scmagazineus.com/Hacker-pleads-guilty-in-massive-bank-fraud-case/article/147363/
-http://www.theregister.co.uk/2009/08/26/analyzer_hacker_guilty_plea/
[Editor's Note (Northcutt): Suppose he gets the max, 15 years, at the pace technology is changing when he gets out, it will be a Rip Van Winkle experience. In fact Rip slept for 20 years in 1819 time, that would be what??? 500 "twitter" years in our time? ]

FBI Investigating Mysterious Laptop Deliveries (August 27, 2009)

The FBI is investigating the origin of five Hewlett-Packard laptops sent to West Virginia Governor Joe Manchin earlier this month. Other laptops had been anonymously ordered for other officials in 10 states in all; four were delivered, and six were intercepted. The laptops sent to Governor Manchin are now being held by state police as evidence. Officials in Vermont and Wyoming have received mysterious laptop deliveries as well. Some officials are concerned that the machines may be infected with malware; it is also possible that they are part of a fraud operation.
-http://www.computerworld.com/s/article/9137208/FBI_investigating_mystery_laptops_sent_to_governors?source=rss_security

[Editor's Note (Hoelzer): This is one of the only stories to send chills down my spine in recent memory. First, what a great way to execute an attack; second, how many laptops have been received by who knows whom and already been put into play?]

Lost USB Stick Contains Nearly Three Times as Many Records as First Reported (August 26 & 27, 2009)

The UK Home Office has acknowledged that there was more data on a lost USB stick than previously declared. The memory device, lost by PA Consulting, held 377,000 records, nearly three times the number reported earlier. The additional 250,000 records hold information about the Drug Intervention Programme. The remaining records contain information about prisoners and those with criminal offenses. The device has not been found.
-http://news.zdnet.co.uk/security/0,1000000189,39730190,00.htm
-http://www.v3.co.uk/v3/news/2248501/home-office-loss-revised

DHS to Conduct Cyber Storm III Drill in September 2010 (August 26, 2009)

The US Department of Homeland Security (DHS) plans to conduct a large-scale cyber security drill in September 2010 to test the Obama administration's proposed national cyber response plan. Two earlier drills took place in February 2006 and March 2008. The first exercise, Cyber Storm I, focused on the abilities of various sectors of the national infrastructure to recover from Internet outages. Cyber Storm II focused on the Internet as an attack vector for malware and other cyber attacks. DHS would like to see Cyber Storm III address policy issues, including information sharing and clearly defining roles and responsibilities. "One objective of Cyber Storm III is to harmonize the various alert level systems used in government and the private sector so that all stakeholders at least speak the same language." The impact of the exercise will be measured by follow-through; many of the recommendations derived from the last two drills have not been implemented.
-http://www.nextgov.com/nextgov/ng_20090826_9168.php

Judge Orders Torrent Site to Remove Links to Copyrighted Material (August 26, 2009)

A Dutch court has ruled that Mininova, the self-proclaimed "largest torrent search engine and directory on the net," must remove links to copyrighted material within three months or face a fine of as much as five million euros (US $7.2 million). According to research referenced by the court, 80 to 90 percent of the files available to Mininova users are copyrighted material. The court found that "Mininova encourages users of its platform to make copyrighted material accessible via its platform" and helps users find copyrighted works they wish to download.
-http://news.smh.com.au/breaking-news-technology/dutch-judge-threatens-fines-for-filesharing-website-20090827-ezw9.html
-http://www.theregister.co.uk/2009/08/26/mininova_loses_lawsuit/
-http://www.msnbc.msn.com/id/32568115/ns/technology_and_science-security/

Cross-Site Scripting Flaw in Twitter (August 26, 2009)

Twitter has been attempting to fix a cross-site scripting vulnerability that could be exploited to hijack users' accounts or redirect users to malicious sites, but attempts thus far have not been successful. The flaw can be exploited by tricking users into simply viewing a message. The vulnerability is in an application programming interface (API). Twitter said it previously fixed the flaw, but the attackers found a way to circumvent it.
-http://www.computerworld.com/s/article/9137164/Twitter_fails_to_fix_massive_cross_site_scripting_bug_researcher_says_?source=rss_security
-http://www.theregister.co.uk/2009/08/26/another_twitter_vulnerability/
-http://www.h-online.com/security/Twitter-fails-to-block-Cross-Site-Scripting-flaw--/news/114092

Google Addresses Serious Flaws in Chrome Update (August 26 & 27, 2009)

Google has released version 2.0.172.43 of its Chrome browser to address several vulnerabilities. A severe flaw in the V8 JavaScript engine could be exploited to execute arbitrary code or read unauthorized memory. Two flaws in the libxml2 library could be exploited to crash the browser or execute arbitrary code. Google has also changed the way Chrome processes SSL certificates; the browser will not connect with sites using certificates that are signed with the MD2 or MD4 hash algorithms.
-http://googlechromereleases.blogspot.com/2009/08/stable-update-security-fixes.html
-http://www.h-online.com/security/Google-closes-three-vulnerabilities-in-Chrome-2--/news/114088
-http://www.scmagazineuk.com/Google-releases-high-severity-rated-fixes-for-vulnerabilities-in-Chrome/article/147393/
-http://www.theregister.co.uk/2009/08/26/chrome_patch/
-http://news.cnet.com/8301-30685_3-10317320-264.html?part=rss&subj=news&tag=2547-1009_3-0-20

National Search for The Best Security Awareness Videos (October 28, 2009)

A national competition is being conducted to find the most powerful, timely, and effective video segments (delivered over the web) for educating users on current threats and what they need to know to protect themselves. The nomination period runs until September 10, 2009. If you have found a video or series of videos that make an important difference in user behavior, please send a pointer (name of video, contact person, email, phone, and why you think it is effective) to apaller@sans.org with subject: videos. Our goal is to find the best videos and conduct a global procurement on behalf of the 12,000 organizations that regularly send students to SANS training. The developers of the video will see a significant financial reward - far larger than they could earn by trying to sell directly -- and the user organizations will know they are getting the best videos at a much lower cost than they could negotiate as a single entity.

**********************************************************************
The Editorial Board of SANS NewsBites



Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/