SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XI - Issue #74

September 18, 2009

Companies and government agencies face a critical shortage of cybersecurity experts with sufficient hard skills to defend their systems, and military organizations have a similar shortage of people who can fight and win in cyberspace. The coolest initiative aiming at increasing the pipeline of these super-talented people is the US
Cyber Challenge. A session at Tim O'Reilly's Gov 2.0 had an interview with the winner of one of an early round of NetWars. The video clip is illuminating (and funny) and useful for motivating very talented kids you want to get engaged in cyber security.

http://blip.tv/file/2610813


Alan

---

TOP OF THE NEWS

SANS Report: Top Cyber Security Risks Underestimated By Industry/Government
HHS Harm Standard Offers HIPAA-Covered Entities Breach Notification Loophole
Trend Micro Study Finds Malware Often Remains For Months
French Legislators Approve Revamped Three-Strikes Anti-Piracy Bill

THE REST OF THE WEEK'S NEWS

IETF Publishes Draft Document on Botnet Remediation
Firefox Outdated Flash Notification Leads 10 Million to Update
Spyware Intended for Girlfriend Ended Up on Hospital Network
Sears Ordered to Destroy Collected Customer Data
Former Inmate Pleads Guilty to Stealing Prison Worker Data
TIGTA Audit Reports Find IRS Has Made Security Improvements
Heartland CEO Pushes for End-to-End Encryption

---

****************** Sponsored By IBM Rational AppScan ************************

IBM Security Management Solutions Avoid costly compliance requirement fines. Prepare at the Service

Management Resource Center.

https://www.sans.org/info/48707

*************************************************************************

TRAINING UPDATE

- - -- SANS Chicago North Shore, Oct. 26-Nov. 2, https://www.sans.org/chicago09/
- - -- SCADA Security Summit, Stockholm, Oct. 27-30, https://www.sans.org/euscada09_summit/
- - -- SANS San Francisco, November 9-14, https://www.sans.org/sanfrancisco09
- - -- SANS London, UK, Nov.28-Dec. 9, https://sans.org/london09/
- - -- SANS Sydney, Nov.9-14 https://sans.org/sydney09/
- - -- SANS CDI, Washington DC, Dec. 11-18, https://www.sans.org/cyber-defense-initiative-2009
- - -- Looking for training in your own community?
https://sans.org/community/
- - -- Save on On-Demand training (30 full courses) - See samples at https://www.sans.org/ondemand/
- - -- For a list of all upcoming events, on-line and live: http://www.sans.org

*************************************************************************

---

TOP OF THE NEWS

SANS Report: Top Cyber Security Risks Underestimated By Industry/Government (September 16, 2009)

The SANS Institute's Top Cyber Risks Report found that two types of vulnerabilities are responsible for the majority of attacks. Unpatched flaws in popular programs like Adobe Reader and Flash Player and unpatched flaws on legitimate web pages can be, and often are exploited to infect vulnerable computers and use them to commit further cyber crimes. The report also found that organizations usually take twice as long to patch web applications as they do for flaws in operating systems.
-http://www.sans.org/top-cyber-security-risks/
-http://blogs.usatoday.com/technologylive/2009/09/cyberattackers-focus-on-web-app
lications.html
-http://www.csoonline.com/article/502096/SANS_Security_Ignores_the_Two_Biggest_Cy
ber_Risks
-http://www.informationweek.com/news/government/security/showArticle.jhtml?articl
eID=220000292
-http://www.scmagazineuk.com/Businesses-fail-to-understand-threats-and-fail-to-ke
ep-patches-updated/article/149030/
-http://isc.sans.org/diary.html?storyid=7129

HHS Harm Standard Offers HIPAA-Covered Entities Breach Notification Loophole (September 16 & 17, 2009)

New rules from the US Department of Health and Human Services (HHS) exempt organizations that are subject to HIPAA from notifying consumers of data security breaches if they use encryption or data destruction or if the incident does not meet the harm standard described in the new rules. The rules describe the standard by asking the entities to determine if the breach poses a "significant risk of financial, reputational or other harm to (an) individual." If the harm standard is not met, entities are not required to notify affected individuals even if they do not employ encryption.
-http://www.theregister.co.uk/2009/09/17/healthcare_breach_disclosure/
-http://www.eweek.com/c/a/Health-Care-IT/Health-IT-Data-Breaches-No-Harm-No-Foul-
293398/
-http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf
[Editor's Note (Liston): Ok... let me get this straight: I screw up and let someone steal your data. Then *I* (an acknowledged screw-up) get to decide if my screw-up poses any harm to you!?!? What could possibly go wrong with that? Next up: rapists, murderers, and felons get to decide if they're ready to be released from prison... ]

Trend Micro Study Finds Malware Often Remains For Months (September 15 & 16, 2009)

A study from Trend Micro found that malware sticks around on computers it infects. Of 100 million IP addresses studied, 80 percent that had been infected remained infected 30 days later; fifty percent remained infected 10 months later. The reason for the long latency periods is that often the malware does not do anything to attract attention, such as consuming system resources. Many of the infected machines are part of botnets, meaning they receive regular updates, which may also help the malware evade detection.
-http://www.scmagazineus.com/Study-Malware-persists-on-compromised-machines/artic
le/149089/
-http://www.theregister.co.uk/2009/09/15/malware_persistence/
-http://blog.trendmicro.com/the-internet-infestation-how-bad-is-it-really/
[Editor's Note (Liston): Well, duh! I don't find this surprising in the least. Anymore, malware has a business model... and nothing interferes with that model more than having your malware *removed*. ]

French Legislators Approve Revamped Three-Strikes Anti-Piracy Bill (September 15 & 16, 2009)

By a 285 to 225 vote, French legislators have approved a law that would put in place a system that could be employed to cut off Internet access of persistent illegal downloaders. A similar bill was passed earlier this year, but its constitutionality was successfully challenged. The law would allow a new anti-piracy agency, Hadopi, to sever users' Internet connections, but would require an order from a judge. Violators would face maximum penalties of a 300,000 Euro fine and two years in jail; penalties for families whose children download are less stringent. The law would also require that people with wi-fi connections prevent those connections from being abused. The legislation was approved by the legislature's lower house; it now goes before the upper house.
-http://news.bbc.co.uk/2/hi/technology/8257720.stm
-http://euobserver.com/9/28673
-http://news.zdnet.co.uk/internet/0,1000000097,39753515,00.htm

---

************************ Sponsored Links: *******************************

1) View new Top Layer Security Intrusion Prevention System Demo and learn about Free IPS Program

http://www.sans.org/info/48712

***********************************************************************

---

THE REST OF THE WEEK'S NEWS

IETF Publishes Draft Document on Botnet Remediation (September 15 & 17, 2009)

The Internet Engineering Task Force (IETF) has published a draft standard for Internet service providers (ISPs) regarding how to clean up botnet infestations. The document describes how to detect botnets and identify affected computers; how to notify subscribers whose computers have been compromised; and how to direct the subscribers to clean the malware from their machines. The standards do not address how botnet clean-up efforts would be paid for, nor do they address possible redress for subscribers who refuse to clean the malware from their computers.
-http://www.theregister.co.uk/2009/09/17/ietf_botnet_clean_up/
-http://tools.ietf.org/html/draft-oreirdan-mody-bot-remediation-03
[Editor's Note (Liston): Having run various incarnations of tarpit and honeypot sensors over the years, I've notified hundreds of companies and individuals that their machines were behaving badly on the Internet. Based on that, I can tell you that this is an incredibly difficult, time consuming, frustrating, and thankless task. While I applaud the IETF's efforts, I also know that what this standard fails to address, cost and redress, are what will eventually doom this effort to failure. ]

Firefox Outdated Flash Notification Leads 10 Million to Update (September 17, 2009)

Approximately 10 million Firefox users have followed the link provided by the newest release of Firefox that allows them to update the version of Adobe Flash running on their computers. Firefox version 3.5.3 alerts users if they are running outdated versions of Flash. An estimated 75 percent of Firefox users are believed to be running outdated versions of Flash.
-http://www.scmagazineus.com/Firefox-finds-users-interested-in-updating-Flash-Pla
yer/article/149172/
-http://www.computerworld.com/s/article/9138207/Firefox_s_Flash_check_drives_10M_
to_Adobe_s_download?source=rss_security

Spyware Intended for Girlfriend Ended Up on Hospital Network (September 17, 2009)

An Ohio man will plead guilty to federal charges after spyware he sent to a woman ended up on a hospital computer system. Scott Graham intended the spyware to be installed on the computer of a woman with whom he had been in a relationship, but instead, she opened the email at work, infecting the computer systems at Akron Children's Hospital. The spyware sent more than 1,000 screen shots to Graham's email; the stolen data included confidential patient information and email and financial data of four other hospital employees. Graham will plead guilty to one count of illegally intercepting electronic communications and will pay US $33,000 in damages to the hospital. He will face a maximum prison sentence of five years.
-http://www.computerworld.com/s/article/9138208/Misdirected_spyware_infects_Ohio_
hospital?source=rss_security
[Editor's Note (Liston): While Mr. Graham is getting a well deserved trip to the woodshed, what about the hospital? Aren't they culpable in the least? What failures on their part allowed an employee to access personal email and *install* (I'm familiar with this particular programming gem, and no, it doesn't auto-install...) spyware on their systems?

(Schultz): This by all appearances is yet another case in point of inadequate information security practices in hospitals. This hospital should have mandated the use of end point security software that would have detected the spyware and kept it from being installed in the first place.

(Northcutt): I wonder if this will impact his relationship with his girlfriend? Before you spy on someone you are in a relationship with consider:
-http://marriage.about.com/od/trustissues/a/spying.htm
-http://www.articlesbase.com/marriage-articles/cheating-spouse-stories-is-it-lega
l-to-spy-69732.html
-http://www.kissmegoodnight.com/dating-advice-and-tips/my_girlfriend_is_spying.sh
tml]

Sears Ordered to Destroy Collected Customer Data (September 16, 2009)

The US Federal Trade Commission (FTC) has ordered Sears to destroy customer data it collected with online tracking software. Sears paid customers to participate in a research project that monitored their browsing activity, but the company was not forthcoming about exactly what information was to be collected. The software collected data from third party websites, including online banking sessions, prescription drug purchases and data about web-based email messages.
-http://www.theregister.co.uk/2009/09/16/sears_to_destroy_tracking_software_data/
-http://www.ftc.gov/os/caselist/0823099/090604searsdo.pdf

Former Inmate Pleads Guilty to Stealing Prison Worker Data (September 16, 2009)

Former prison inmate Francis G. Janosko has pleaded guilty to one charge of intentional damage to a protected computer for breaking into a prison computer system and accessing personal information of more than 1,100 prison employees. In return for his guilty plea, aggravated identity theft charges against Janosko were dropped. The breach occurred while Janosko was serving time for a parole violation. The compromised data include names, addresses and Social security numbers (SSNs). The computer he used was supposed to be limited to legal research use.
-http://www.theregister.co.uk/2009/09/16/prison_computer_hack_guilty_plea/
-http://www.patriotledger.com/news/x1554702936/Former-inmate-pleads-guilty-to-hac
king-prison-computer-system

TIGTA Audit Reports Find IRS Has Made Security Improvements (September 15. 2009)

The Treasury Inspector general for tax administration (TIGTA) has released two audit reports regarding the US Internal Revenue Service's (IRS) attention to security issues raised in earlier reports. The first report finds that the IRS has installed encryption technology on 99 percent of its laptop computers; the action was taken in response to the results of a March 2007 audit. Other actions taken to mitigate concerns about lack of protection of sensitive data on electronic media include encrypting data transferred to flash drives and other removable storage devices. The new report also indicates that the IRS needs to improve security incident tracking processes. A second audit report released on Monday, September 14 found that 10 of 16 security issues that affect the IRS customer account data engine indentified in an earlier audit report have been resolved.
-http://www.nextgov.com/nextgov/ng_20090915_8372.php
-http://www.treas.gov/tigta/auditreports/2009reports/200920120fr.pdf
-http://www.treas.gov/tigta/auditreports/2009reports/200920100fr.pdf

Heartland CEO Pushes for End-to-End Encryption (September 14 & 15, 2009)

Heartland Payment Systems CEO Robert Carr told a US Senate committee that the payment card industry needs to adopt end-to-end encryption to protect consumers, financial institutions and payment processors from payment card fraud. Heartland acknowledged a data breach earlier this year that exposed millions of payment card accounts. Heartland is also installing tamper-resistant point-of-sale terminals at its retailers. Lawmakers also questioned Carr about why it took the company 18 months to figure out that payment card information was being stolen. The Smart Card Alliance says that end-to-end encryption is not the answer to protecting card data, and is instead calling for "contactless chips with dynamic cryptograms."
-http://www.networkworld.com/news/2009/091409-heartland-ceo-credit-card-encryptio
n.html
-http://www.darkreading.com/database_security/security/encryption/showArticle.jht
ml?articleID=220000501&subSection=Encryption

---

**********************************************************************
The Editorial Board of SANS NewsBites



Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/