SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XI - Issue #86

October 30, 2009

Only three more days to submit entries in the DoD Cyber Crime Center Forensics Challenge. If you haven't sent your submission do it soon.

http://www.dc3.mil/2009_challenge/

---

TOP OF THE NEWS

GAO Report Exposes OMB Mismanagement of FISMA as Important Cause of US Government Cyber Security Ineffectiveness
Judge Denies Settlement Proposal in TD Ameritrade Case
Three-Quarters of Small and Mid-Sized Companies Froze or Cut Security Spending

THE REST OF THE WEEK'S NEWS

CalOptima Locates Disks Containing Patient Data
UK's Proposed Anti Piracy Policy Draws Criticism
Federal Breach Notification Law Would Help Authorities
Malware Spreading Through Phony FDIC eMails
US-CERT Warns of Blackberry Spyware
Research Project Aims to Spoil Malware's Picnic
Two Attacks Target Facebook Users
European Commission to Consider Additional Data Privacy Rules Next Year
Energy Regulators Seek Authority to Enforce Security Standards Throughout Power Grid
Firefox Update Fixes 11 Critical Flaws

---

********************* Sponsored By Palo Alto Networks *******************

Gartner's Perspective on Next-Generation Firewalls. Read this report for Gartner's definition, requirements, and recommendations about next-generation firewalls in the enterprise. If you are in a refresh cycle for your firewall or IPS, this research note is a must-read. Download a free copy now.

https://www.sans.org/info/50148

*************************************************************************

TRAINING UPDATE

-- SANS Middle East, October 31-November 11
https://www.sans.org/middleeast09/
-- SANS San Francisco, November 9-14
https://www.sans.org/sanfrancisco09
-- SANS Sydney, November 9-14
https://sans.org/sydney09/
-- SANS Hong Kong, November 9-14
https://www.sans.org/hong-kong-forensics-2009/
-- SANS Vancouver, November 14-19
https://www.sans.org/vancouver09/
-- SANS London, UK, November 28-December 9
https://sans.org/london09/
-- SANS CDI, Washington DC, December 11-18
https://www.sans.org/cyber-defense-initiative-2009
-- SANS Security East 2010, New Orleans, January 10-18, 2010 19 courses, bonus evening presentations https://www.sans.org/security-east-2010/
Looking for training in your own community?
https://sans.org/community/
Save on On-Demand training (30 full courses)
- See samples at http://www.sans.org/ondemand/">http://www.sans.org/ondemand/
Plus Oslo, New Delhi, Geneva and Qatar all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*************************************************************************

---

TOP OF THE NEWS

GAO Report Exposes OMB Mismanagement of FISMA As Important Cause Of US Government Cyber Security Ineffectiveness (October 29, 2009)

A GAO report published on Thursday faults OMB for reliance on "inadequate performance measures." OMB relies too heavily on NIST's procedural guidance that agencies use to report "measures that do not demonstrate the effectiveness of control activities or the impact of information security programs." Senator Tom Carper noted that more than $5 billion has been wasted over the past five years on "ineffective and useless" certification and accreditation, producing reports that cost more than $1,400 per page and are out of date when delivered and sit in store-rooms. GAO identified five characteristics of metrics OMB should be demanding. The characteristics reinforce the need for agencies to move away from NIST procedural controls and toward controls that are performance oriented, continuous, reliable, and that are prioritized to ensure they actually reduce risk. Senator Carper's Statement:

-http://hsgac.senate.gov/public/index.cfm?FuseAction=Files.View&&FileStor
e_id=7824c6fa-c5f6-4506-a5a1-1e77de39f082
The GAO Testimony:

-http://hsgac.senate.gov/public/index.cfm?FuseAction=Files.View&FileStore_id=
9cffe896-5747-43c8-9bd7-22e21d72d799
Additional testimony from the October 29 hearing on "More Security, Less Waste":

-http://hsgac.senate.gov/public/index.cfm?FuseAction=Hearings.Hearing&Hearing
_ID=8505fb0f-bf9b-4bb4-9e25-e71154391202
(Editor's Note (Paller): GAO's findings and Senator Carper's conclusions square with concerns voiced by IT auditors in Inspectors General's offices who have complained forceful that they are required to rely on OMB-mandated NIST guidance. Then OMB demands that they publish conclusions about security when all they can measure is paperwork that does not show the effectiveness of key security controls. The GAO findings also reflect the conclusion of the majority of CIOs and CISOs, most of whom have complained loudly (albeit privately) that forced spending on consultants for FISMA reporting has so drained their budgets that they don't have enough money left to invest in the key automation that would enable rapid improvement in security.

Judge Denies Settlement Proposal in TD Ameritrade Case (October 27 & 28, 2009)

A federal judge has denied a proposed settlement in the TD Ameritrade data security breach case. In 2007, the personal information of more than 6 million Ameritrade customers was compromised and was later used to send spam. The judge said that the proposed settlement was not "fair, reasonable or adequate," and that it benefits Ameritrade more than it benefits the plaintiffs. In addition, the judge said that the additional security measures the company proposed to put in place as part of the settlement are measures any company should be implementing as a matter of course.
-http://www.computerworld.com/s/article/9139988/Judge_says_TD_Ameritrade_s_propos
ed_security_fixes_aren_t_enough?taxonomyId=1&pageNumber=1
-http://www.storefrontbacktalk.com/supply-chain/are-judges-cracking-down-on-data-
breach-corporate-victims/

Three-Quarters of Small and Mid-Sized Companies Froze or Cut Security Spending (October 28 & 29, 2009)

A McAfee survey of 100 small to medium-sized companies in each of nine countries around the world found that while 71 percent believe a data security breach could put them out of business, three-quarters of the companies either froze or reduced their information security spending in 2009. Two-thirds of the companies responding said they spend less than three hours a week on security. Twenty percent of the companies surveyed said they had experienced a data security breach within the past year; mitigating the damage from the breaches cost an average of US $41,000.
-http://www.securityfocus.com/brief/1029
-http://news.cnet.com/8301-1009_3-10384916-83.html
-http://www.mcafee.com/us/research/security_paradox/index.html
[Editor's Note (Northcutt): Small businesses face an increasing unsolvable problem. Attack vectors are vast. Security vendors want to deliver point solutions focusing on small fractions of possible attacks. I am running one of the four major endpoint whitelist security products and yes, it detects all change, but I have no way to know if it is a good change or a bad change. Securia PSI has been a bright light, but I am not sure where they are taking their product mix. A small business cannot possibly know if it is running a safe configuration. More and more, I think we need some sort of reference operating system that we can download and overwrite what we have on our endpoints. From the small to medium business owner standpoint, if you can't solve the problem, why spend money on it?

(Ullrich): I don't think the report's assumption that more spending would have improved security is necessarily true. It is easy to spend money on junk when it comes to security products. ]

---

************************ Sponsored Links: ****************************

1) Incident detection in the large-scale enterprise. -What works? Incident Detection Summit December 9-10.

https://www.sans.org/info/50153

2) UPCOMING WEBCAST: Making Database Security an IT Security Priority Wednesday, November 4, 2009 at 1:00 PM EST

https://www.sans.org/info/50158

Sponsored by Oracle. Sign up to participate in this webcast and you will be the first to read a new, comprehensive whitepaper on this subject.

***********************************************************************

---

THE REST OF THE WEEK'S NEWS

CalOptima Locates Disks Containing Patient Data (October 29, 2009)

Several disks that disappeared when they were sent through the mail two weeks ago have been located at a US Postal Service facility in Atlanta, GA. The disks had been sent via certified US mail to California managed health care provider CalOptima from a vendor, but when the package arrived, the smaller package inside was missing. The unencrypted disks contain patient names, addresses, dates of birth, medical procedure and diagnosis codes and in some cases, social security numbers (SSNs). Now that the disks have been recovered, CalOptima no longer plans to notify the 68,000 affected individuals.
-http://www.computerworld.com/s/article/9140122/CalOptima_recovers_discs_with_per
sonal_data_on_68_000_members?taxonomyId=17
[Editor's Note (Ullrich): Unencrypted disks and patient data. I would be concerned even if they don't go missing. How would you ever know that someone didn't make a copy? (and can we just get over it, and make all of our social security numbers public?) ]

UK's Proposed Anti Piracy Policy Draws Criticism (October 28 & 29, 2009)

UK Internet service provider (ISP) TalkTalk has threatened to initiate legal action if a plan to cut Internet service to illegal filesharers is approved. TalkTalk objects to the plan's implication that users would be "guilty until proven innocent." The plan, introduced by Britain's business secretary Lord Mandelson, would first impose download caps or bandwidth restrictions on illegal filesharers; those who persisted in the illegal activity could have their access cut. Lord Mandelson said that just one in every 20 music tracks downloaded in the UK is legal.
-http://www.scmagazineuk.com/ISP-may-take-legal-action-if-Mandelson-ruling-on-cut
ting-off-users-is-approved/article/156416/
-http://news.bbc.co.uk/2/hi/technology/8328820.stm
-http://www.siliconrepublic.com/news/article/14256/new-media/uk-to-block-illegal-
file-sharers-mandelson

Federal Breach Notification Law Would Help Authorities (October 28, 2009)

FBI Criminal Cyber Section chief Jeffrey Troy said that a federal law requiring entities to report data security breaches to federal authorities "would help us tremendously." If information about cyber attacks were pooled, the FBI could draw connections between events and help warn others and encourage them to take steps to protect themselves. About 90 percent of US states have data notification bills, but federal legislation has yet to be enacted. Federal agencies are already required to report data security breaches to US-CERT.
-http://www.computerworld.com/s/article/9140064/FBI_National_data_breach_law_woul
d_help_fight_cybercrime?source=rss_security
-http://www.nextgov.com/nextgov/ng_20091028_3572.php?oref=topnews
[Editor's Note (Pescatore): The vast majority of data breach disclosures do not provide attack information, because the vast majority of data disclosures are due to mistakes, not attacks. Breach disclosure is a good thing just the way the newspapers publishing which restaurants were closed down by the health department is a good thing - more information for consumers about who has sloppy practices. ]

Malware Spreading Through Phony FDIC eMails (October 27 & 28, 2009)

There are reports of phony FDIC notification emails that attempt to infect users' computers with the ZBot Trojan horse program. The emails tell the recipients that their banks have filed for bankruptcy and that the banks' asserts are now under the control of the FDIC. The links offered in the message lead to a page that offers users a chance to see their "personal FDIC insurance file(s)," but which actually installs the Zeus or ZBot Trojan on their PCs.
-http://voices.washingtonpost.com/securityfix/2009/10/nastygram_spoofed_fdic_bank
_fa.html
-http://www.darkreading.com/vulnerability_management/security/antivirus/showArtic
le.jhtml?articleID=221100094&subSection=Antivirus
-http://www.cio.com/article/506142/New_Spam_Your_Bank_has_Failed_Download_This_Tr
ojan

US-CERT Warns of Blackberry Spyware (October 27, 28 & 29, 2009)

The US-CERT has issued a warning about a free spyware program called PhoneSnoop that can be used to bug BlackBerry phones. If the program is installed, one call from a designated number can turn the phones into listening devices, capable of eavesdropping on everything that happens nearby. The person who created the program said it was done as a proof-of-concept to demonstrate the vulnerabilities inherent in being careless with the phones. Users could be tricked into downloading PhoneSnoop onto their phones, or it could be installed by someone else with access to the device. US-CERT recommends that BlackBerry users use passwords to prevent other people from accessing the phones and to allow downloads only from trusted sources.
-http://www.h-online.com/security/news/item/BlackBerry-spyware-alert-843992.html
-http://news.cnet.com/8301-27080_3-10384179-245.html
-http://www.securecomputing.net.au/News/159209,us-cert-warns-of-malware-attack-ag
ainst-blackberry.aspx
-http://www.us-cert.gov/current/index.html#blackberry_phonesnoop_application_used
_to
[Editor's Note (Schultz): Smart phones and other mobile devices are increasingly becoming the target of malware writers. Several excellent talks on this subject were presented at the recent Black Hat Conference. ]

Research Project Aims to Spoil Malware's Picnic (October 28, 2009)

Researchers at Wake Forest University and the Pacific Northwest National Laboratory have developed an army of digital ants designed to help sniff out malware. Each of the ants is designed to detect basic processes, like connection rates or CPU utilization, and leave a digital pheromone encouraging other ants to take a look if it senses an anomaly. Suspicious activity is reported to a digital sentinel. If the sentinel determines that something suspicious is really going on, it reports to a digital sergeant which in turn alerts a human being. There are different sorts of ants at the lowest levels; those that do not find valuable information eventually die off, but those that do discover important information are rewarded. If a certain type of ant proves especially adept at detecting anomalies, then more ants of that type are created. Researchers have so far created four of the 64 types of ants they intend to develop.
-http://dsc.discovery.com/news/2009/10/28/digital-ants-computer.html
[Editor's Note (Schultz): This sounds like a giant breakthrough in the war against malware. Regardless of whether or not it works as well as these researchers believe, it shows that a distributed approach to detecting and eradicating malware is the most promising one. Over the years simply running anti-malware software on each host has not proven very effective. ]

Two Attacks Target Facebook Users (October 28 & 29, 2009)

Phishers have been targeting Facebook users with an attack designed to steal account usernames, passwords and other sensitive information. Victims receive massages indicating their passwords have been reset as a security precaution; an accompanying attachment purports to contain the new password, but actually contains a Trojan downloader program known as Bredolab. Infected computers could potentially become part of a botnet. A second Facebook attack arrives as an invitation to use a new login procedure; the spoofed login page appears with the username already filled in and asks for the password. Users are then prompted to download the update, which is actually a variant of the Zbot Trojan.
-http://www.computerworld.com/s/article/9140058/Massive_bot_attack_spoofs_Faceboo
k_password_messages?source=rss_security
-http://news.cnet.com/8301-17939_109-10384028-2.html?part=rss&subj=news&t
ag=2547-1009_3-0-20
-http://www.darkreading.com/security/attacks/showArticle.jhtml;jsessionid=GRQ315J
U2HN51QE1GHPSKH4ATMY32JVN?articleID=221100157&subSection=Attacks/breaches
-http://www.scmagazineuk.com/Second-Facebook-spam-email-campaign-detected-this-we
ek/article/156415/
-http://blogs.usatoday.com/technologylive/2009/10/facebook-users-under-cyberattac
k.html
-http://news.cnet.com/8301-27080_3-10385498-245.html

European Commission to Consider Additional Data Privacy Rules Next Year (October 29, 2009)

In 2010, the European Commission plans to review privacy and data protection rules in the European Union. While the Commission has a telecommunications package that addresses data breach response, it will also consider new rules that would require organizations to publicly acknowledge data loss incidents. The entities would be required to notify authorities and those affected by the breaches.
-http://www.theregister.co.uk/2009/10/28/data_breach_law/
-http://www.euractiv.com/en/infosociety/brussels-tighten-data-protection-rules/ar
ticle-186779

Energy Regulators Seek Authority to Enforce Security Standards Throughout Power Grid (October 27 & 28, 2009)

The Federal Energy Regulatory Commission (FERC), the North American Electric Reliability Corp. (NERC), and the US Department of Energy say that pending legislation in the US House of representatives could help protect the country's power grid from cyber attacks. Presently, FERC does not have authority "to address cyber or other national security threats to the reliability of our transmission and power system." FERC regulates the bulk power system, which comprises power generation and high voltage systems, but does not include distribution substations and lower voltage power distribution networks.
-http://gcn.com/Articles/2009/10/28/Smrt-Grid-security-hearing-102809.aspx?Page=1
-http://www.nextgov.com/nextgov/ng_20091027_3165.php

Firefox Update Fixes 11 Critical Flaws (October 27, 2009)

Mozilla has updated its Firefox 3.5 web browser to address 16 security flaws. Firefox 3.5.4 includes fixes for 11 critical flaws, some of which could possibly be exploited to execute arbitrary code. Mozilla also released Firefox 3.0.15, which contains nine fixes, four designated critical. Mozilla plans to discontinue support for Firefox 3.0 in January 2010.
-http://www.computerworld.com/s/article/9140008/Mozilla_fixes_16_flaws_with_Firef
ox_3.5.4?taxonomyId=17
-http://www.h-online.com/security/news/item/Mozilla-fixes-critical-bugs-with-Fire
fox-3-5-4-and-3-0-15-843475.html

---

**********************************************************************

The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit:

http://portal.sans.org/