SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XI - Issue #76

September 25, 2009

TOP OF THE NEWS

Construction Company Sues Bank for Money Lost in Cyber Scam
Demand Up for Technical Security Skills; Demand Fading for Security Policy/Compliance Skills
PCI DSS Compliance Survey
"Chat-in-the-Middle" Attack Preys on Online Banking Customers

THE REST OF THE WEEK'S NEWS

Cisco Releases 11 Security Advisories
Former Employee Pleads Guilty to SCADA Intrusion and Damage
DOD IG Audit Finds Data Sanitization Problems for Decommissioned IT Equipment
NIST Issues Smart Grid Interoperability Standards Draft
Apple Releases iTunes Update
New Cyber Security Research Center Opens in Belfast
DOD to Lift USB Ban With Restrictions

---

**************** Sponsored By IBM Rational AppScan *********************

IBM Security Management Solutions

The average cost of security breaches is estimated to be $6.6 million. Prepare at the Service Management Resource Center.

https://www.sans.org/info/49108

*************************************************************************

TRAINING UPDATE

-- SANS Chicago North Shore, Oct. 26-Nov. 2
https://www.sans.org/chicago09/
-- SCADA Security Summit, Stockholm, Oct. 27-30
https://www.sans.org/euscada09_summit/
-- SANS San Francisco, November 9-14
https://www.sans.org/sanfrancisco09
-- SANS Sydney, Nov.9-14
https://sans.org/sydney09/
-- SANS London, UK, Nov.28-Dec. 9
https://sans.org/london09/
-- SANS CDI, Washington DC, Dec. 11-18
https://www.sans.org/cyber-defense-initiative-2009
-- SANS Security East 2010, New Orleans, January 10-18, 2010. 19 courses, bonus evening presentations
https://www.sans.org/security-east-2010/
-- Looking for training in your own community?
https://sans.org/community/
-- Save on On-Demand training (30 full courses) - See samples at
https://www.sans.org/ondemand/
For a list of all upcoming events, on-line and live: http://www.sans.org

*************************************************************************

---

TOP OF THE NEWS

Construction Company Sues Bank for Money Lost in Cyber Scam (September 23 & 24, 2009)

A Maine construction company is suing a bank for not taking adequate precautions that could have prevented cyber thieves from stealing more than half-a-million dollars from the company's account. The lawsuit was filed by Patco Construction Co. against Ocean Bank, a division of Bridgeport, Connecticut-based People's United Bank. It alleges that numerous fraudulent transactions totaling US $588,000 took place over an eight-day period in May, that they notified the bank of the situation when they discovered the transactions and that the bank did not stop subsequent fraudulent transactions. The bank did not offer two-factor authentication, relying instead on a pair of challenge security questions for transactions over US $1,000. Because most transactions exceeded this amount, the information was used often, and the attackers could have grabbed it through keystroke loggers or other malware. Patco also says that Ocean Bank failed to take note of suspicious or anomalous behavior, including the fact that all of the transfers were initiated through IP addresses that Patco had never before used to conduct transactions. While consumers often have a grace period after receiving bank statements to identify fraudulent transactions and alert the bank, businesses are often required to notify the bank of fraudulent transactions the day they occur.
-http://voices.washingtonpost.com/securityfix/2009/09/construction_firm_sues_bank
_af.html
-http://www.computerworld.com/s/article/9138467/Construction_firm_sues_after_588_
000_online_theft?source=rss_security
[Editor's Note: (Northcutt): This is a lawsuit I have been expecting for a long time. Asking the name of your pet really does not meet the spirit of two factor authentication. There are several companies positioned well for this, they call your mobile phone. Since most people that do online transactions over $1,000.00 have a mobile phone, this probably makes sense and falls into the realm of true two factor authentication, something you know (password) and something you have (mobile phone).

(Ranum): This may be how it's all going to get sorted out, eventually. Lots of litigation (which will make lawyers happy) ending in more lines of fine print on every bank/credit contract. Ultimately, people will be forced to realize that end-point security is important, too, and - maybe - - we'll have some serious re-examination of how society at large does end-point computing. ]

Demand Up for Technical Security Skills; Demand Fading for Security Policy and Compliance Skills (September 25, 2009)

GovInfoSecurity published a certification review today that highlights the changing character of hiring interest in security people. Technical certifications have passed the management certifications as most in demand. Technical certifications from SANS/GIAC, Cisco, and Checkpoint dominated the list of those most in demand. Neither of the two certifications most often associated with management and policy were in the top ten.
-http://www.govinfosecurity.com/articles.php?art_id=1807&opg=1

PCI DSS Compliance Survey (September 23, 2009)

According to the PCI DSS (Payment Card Industry Data Security Standard) Compliance survey, commissioned by Imperva and conducted by the Ponemon Institute, approximately 70 percent of entities that handle payment card transactions view compliance as a box checking exercise rather than as central to their operations. Companies that implement PCI DSS as part of their strategic approach are less likely to experience breaches. Nearly 80 percent of those surveyed said their organizations had experienced a data security breach. Fifty-five percent of responding organizations said they protected payment card data but not other customer data, like Social Security numbers (SSNs), driver's license numbers and financial account information. Of the small businesses (501 to 1,000 employees), 28 percent are PCI DSS compliant; of large businesses (75,000 or more employees), 70 percent are PCI DSS compliant. The top reason for non-compliance is the cost associated with implementing new security programs.
-http://www.darkreading.com/security/attacks/showArticle.jhtml;?articleID=2201009
19&subSection=Attacks/breaches
-http://www.computerworld.com/s/article/9138427/PCI_survey_finds_some_merchants_d
on_t_use_antivirus_software?source=rss_security
-http://www.theregister.co.uk/2009/09/23/data_security_survey/
-http://lastwatchdog.com/pci-compliance-ineffective-stopping-data-thieves/
[Editor's Note (Schultz): The "checkbox mentality" approach to compliance is by no means limited to PCI-DSS compliance. And it is little surprise to hear once again that cost is the major reason for failure to comply. ]

"Chat-in-the-Middle" Attack Preys on Online Banking Customers (September 18 & 24, 2009)

In a new twist on phishing, cyber thieves are posing as employees in a bank's fraud detection department in a live chat. Users are directed to the site through a phishing email and are asked to type in their login credentials. The chat window then opens, and the attackers tell the victims that the fraud department of the bank is requiring additional information, including challenge questions, to validate their accounts. The cyber criminals are using the Jabber IM protocol to conduct their online conversations with the victims; the attack is being hosted on a fast-flux network.
-http://software.silicon.com/security/0,39024655,39527467,00.htm
-http://www.securecomputing.net.au/News/156603,rsa-warns-of-new-chatinthemiddle-a
ttacks.aspx

---

************************ Sponsored Links: ****************************

1) Register Today and receive 10% off for SANS vLive course SEC542, Web App Penetration Testing and Ethical Hacking, November 2nd - November 9th.

Please use the code @Risk542 when registering. https://www.sans.org/info/49113

2) REGISTER NOW for the Ask The Expert Webcast: Offense and Defense: Better Correlation

https://www.sans.org/info/49118

3) UPCOMING WEBCAST: WhatWorks in Firewalls, Enterprise Antivirus and Unified Threat Management: Virtualizing Server Security with the U.S. Army Human Resource Command

https://www.sans.org/info/49123

***********************************************************************

---

THE REST OF THE WEEK'S NEWS

Cisco Releases 11 Security Advisories (September 23 & 24, 2009)

Cisco has issued eleven security advisories to address vulnerabilities in its IOS router operating system and Unified Communications Manager; seven of the advisories address denial of service issues in the IOS. Cisco has provided updates for all the vulnerabilities.
-http://www.h-online.com/security/Flood-of-patches-from-Cisco--/news/114314
-http://www.computerworld.com/s/article/9138434/Cisco_patches_a_dozen_router_bugs
?source=rss_security
-http://www.v3.co.uk/v3/news/2250082/cisco-patches-flaws
-http://www.cisco.com/warp/public/707/cisco-sa-20090923-bundle.shtml

Former Employee Pleads Guilty to SCADA Intrusion and Damage (September 23, 2009)

Mario Azar has pleaded guilty to one count of damaging computer systems for tampering with the Supervisory Control and Data Acquisition (SCADA) system of Pacific Energy Resources in Long Beach, California, after learning he was not going to be offered a permanent position with the company. The intrusion caused the company to "lose control" of its computer systems in spring of 2008. Azar has helped set up the SCADA system, which is used for company communications between headquarters and oil platforms and for detecting leaks on the platforms. The intrusion did not cause any leaks, but did cost the company thousands of dollars to repair. He faces up to 10 years in prison when he is sentenced later this year.
-http://www.networkworld.com/news/2009/092309-contractor-pleads-guilty-to-scada.h
tml
[Editor's Note (Pescatore): I don't think this caused them to "lose control," it sounds like they never really had control. Control would have meant have some forms of superuser privilege management on critical systems. ]

DOD IG Audit Finds Data Sanitization Problems for Decommissioned IT Equipment (September 21 & 23, 2009)

According to an audit report from the US Defense Department (DOD) Inspector General, some organizations within the Department are still disposing of information technology equipment without first scrubbing the data it contains. In addition, the report notes that some DOD guidance for equipment disposal was so out of date that it could not deal with certain newer data storage technologies.
-http://fcw.com/articles/2009/09/23/inspector-general-audit.aspx
-http://www.dodig.mil/Audit/reports/fy09/09-104.pdf

NIST Issues Smart Grid Interoperability Standards Draft (September 24, 2009)

The National Institute of Standards and Technology (NIST) has issued a draft report, the NIST Framework and Roadmap Smart Grid Interoperability Standards. The report lists 77 smart grid standards to help "achieve interoperability of Smart Grid devices and systems."
-http://www.nytimes.com/gwire/2009/09/24/24greenwire-obama-admin-releases-initial
-smart-grid-standa-98180.html
-http://www.nextgov.com/nextgov/ng_20090924_3288.php?oref=topnews
-http://www.nist.gov/public_affairs/releases/smartgrid_interoperability.pdf

Apple Releases iTunes Update (September 23 & 24, 2009)

Apple has issued a security update for iTunes that protects the music player against certain maliciously crafted playlists. The flaw can be exploited on Mac OS X or Windows systems. iTunes 9.0.1 addresses the buffer overflow vulnerability in the handling of .pls files as well as other issues that can cause iTunes to become unresponsive or quit unexpectedly. The update comes just two weeks after iTunes 9.0 was released on September 9.
-http://news.zdnet.co.uk/security/0,1000000189,39763722,00.htm
-http://www.securityfocus.com/brief/1015
-http://www.h-online.com/security/Apple-plugs-critical-vulnerability-in-iTunes--/
news/114301
-http://support.apple.com/kb/HT3884

New Cyber Security Research Center Opens in Belfast (September 24, 2009)

The Centre for Secure Information Technologies (CSIT) opened this week in Belfast, Northern Ireland. The security research center will develop technologies both to protect data and to protect people's physical security. Although the center was officially launched this week, it has been operational for the last six months. Among the center's projects is the development of processors powerful enough to screen vast quantities of data for malicious content and suspicious behavior.
-http://www.theregister.co.uk/2009/09/24/csit_queens_opens/
-http://news.zdnet.co.uk/security/0,1000000189,39762142,00.htm
-http://news.bbc.co.uk/2/hi/uk_news/northern_ireland/8271301.stm

DOD to Lift USB Ban With Restrictions (September 21 & 22, 2009)

The US DOD plans to lift its ban on USB drives in a very restricted way. Only USB drives that have been both approved and procured by DOD will be permitted to be used on department computers. The ban was imposed late last year after a worm spread across DOD networks. "The days of using personally owned flash media or using flash media collected at conferences or trade shows is long gone," according to the blog of Navy CIO Robert Carey.
-http://www.darkreading.com/insiderthreat/security/storage/showArticle.jhtml?arti
cleID=220100601
-http://www.govinfosecurity.com/articles.php?art_id=1797
[Editor's Note (Pescatore): This is a good step forward - something the Navy had been looking at several years ago. But, malware will get on approved USB devices, too. They also need to fix the root problem of why the worm succeeded. ]

---

**********************************************************************
The Editorial Board of SANS NewsBites



Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/