SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XII - Issue #36

May 07, 2010

A fascinating battle is taking place today in the struggle between those who recognize the need to move quickly to continuous security monitoring (of critical controls) and those who are clinging to the now discredited practice of preparing out-of-date, paper-based reports about security. A US Office-of-Management-and-Budget-led initiative to improve the metrics by which agencies assessed cyber threats was 50% successful and 50% hijacked by the report writers. All the federal CISOs were asked this morning to help shape the metrics. We'll let you know week by week how the battle goes. It matters because billions of dollars were thrown away (according to sworn Congressional testimony) on the discredited reports. Once the federal government makes the transition to automation, the defense industrial base, and then the rest of the US critical infrastructure will shift quickly. And that will radically improve the job prospects for people who can reduce risk vs. those who just write about risk.

Alan

---

TOP OF THE NEWS

FISMA 2.0 Advances in the US House of Representatives
FCC Unveils Broadband Regulation Plans
Draft Data Protection Legislation in US House

THE REST OF THE WEEK'S NEWS

Microsoft Will Issue Two Security Bulletins on May 11
Microsoft's April Bulletins Included Three Undisclosed Fixes
DNSSEC Root Servers' Switchover Now Complete
Man Arrested for Alleged ATM Tampering Scheme
Media Organizations Ask Judge to Unseal Gizmodo Search Warrant Docs
Facebook Fixes Bugs That Exposes Friends' Chats and Pending Friends Requests
Over Use of "Cyberwar" Concerns Some Experts
Report Finds Pennsylvania School District "Overzealous" in Use of Surveillance Technology
Worm Spreading Through Yahoo Instant Messenger
UK Information Commissioner Enforcement Powers Growing

---

*************************** Sponsored By SANS ***************************
At some of the larger hacker conferences, it can be difficult to get to know other attendees and the speakers as you get lost in the shuffle. With detailed sessions, informal breaks, and evening events, the SANS Penetration Testing & Vulnerability Assessment Summit is organized to support networking with other like-minded penetration testing and vulnerability assessment professionals, building relationships, participating in the community, and sharing best practices.

http://www.sans.org/info/58933
*************************************************************************

TRAINING UPDATE
-- SANS Security West 2010, San Diego, May 7-15, 2010 23 courses. Bonus evening presentations include Killer Bee: Exploiting ZigBee and the Kinetic World
http://www.sans.org/security-west-2010/

-- SANSFIRE 2010, Baltimore, June 6-14, 2010 38 courses. Bonus evening presentations include Software Security Street Fighting Style and The Verizon Data Breach Investigations Report
http://www.sans.org/sansfire-2010/

-- SANS Secure Europe Amsterdam 2010, June 21-July 3, 2010 8 courses.
http://www.sans.org/secure-amsterdam-2010/

-- SANS Rocky Mountain 2010, Denver, July 12-17, 2010 8 courses. Bonus evening presentations include Hiding in Plain Sight: Forensic Techniques to Counter the Advanced Persistent Threat
http://www.sans.org/rocky-mountain-2010/

-- SANS Boston 2010, August 2-8, 2010 11 courses. Special Events include Rapid Response Security Strategy Competition
http://www.sans.org/boston-2010/

-- SANS Network Security 2010, Las Vegas, September 19-27, 2010 39 courses. Bonus evening presentations include The Return of Command Line Kung Fu and Cyberwar or Business as Usual? The State of US Federal CyberSecurity Initiatives
http://www.sans.org/network-security-2010/

Looking for training in your own community? http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/spring09.php

Plus Geneva, Singapore, Canberra and Portland all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
*************************************************************************

---

TOP OF THE NEWS

FISMA 2.0 Advances in the US House of Representatives

A bill that transforms FISMA from encouraging paper-pushing to automated monitoring of security advanced in the House. The bill also calls for the jobs of the White House Cyber Czar and Chief Technology Officer to be permanent and subject to Senate Confirmation.
-http://www.nextgov.com/nextgov/ng_20100505_8690.php?oref=topnews

FCC Unveils Broadband Regulation Plans (May 6, 2010)

US Federal Communications Commission (FCC) chairman Julius Genachowski has revealed the commission's plan to regulate broadband Internet service. Earlier this spring, a US federal appeals court ruled that the FCC had exceeded its authority when it imposed sanctions on Comcast for throttling Internet traffic from BitTorrent. Shortly after the decision was announced, there was speculation that the FCC may seek to reclassify broadband as a telecommunications service so that it would fall under FCC oversight. On Thursday, May 6, Genachowski spoke of his support of a "restrained approach" to broadband net neutrality. Called the "Third Way," the plan is premised on the assertion that there is already sufficient power to regulate broadband under current law because the FCC considers broadband a cross between an information service and a utility. The FCC's agenda includes "extending broadband to all Americans, protecting consumers, ensuring fair competition, and preserving a free and open Internet."
-http://www.informationweek.com/news/government/policy/showArticle.jhtml?articleI
D=224700985
-http://www.nytimes.com/2010/05/06/technology/06broadband.html?ref=technology
-http://www.washingtonpost.com/wp-dyn/content/article/2010/05/05/AR2010050505323.
html?wprss=rss_technology
-http://www.usatoday.com/tech/news/2010-05-05-fcc-broadband-rules_N.htm
[Editor's Note (Pescatore): From the early 1980's to the early 1990's I worked for GTE, which was a big telephone company for those of you are puzzled when someone mentions "dialing" a phone number. That spanned the period of tightly regulated telephone industry to mostly deregulated - it seemed that most regulations were issued to undo damage done by previous regulations. It is really hard for me to find the actual problem here with broadband that someone feels is requiring regulation to solve. ]

Draft Data Protection Legislation in US House (May 4 & 5, 2010)

Draft data privacy legislation introduced by US lawmakers would restrict the way organizations can gather, retain and use personal information they collect from customers. The draft draws a distinction between covered information, which is opt-out, and sensitive information, which is opt-in. Covered information would include names, street addresses, phone numbers, email addresses and government issued identification numbers, including Social Security numbers (SSNs). Sensitive information includes medical records, race and ethnicity, sexual orientation, financial records and geolocation data. The proposal has met with criticism for "codify
[ing ]
current online privacy practices that exist more for the benefit of companies than customers." The proposed legislation is meeting with criticism from both sides. Consumer rights advocates say it does not go far enough, and businesses say it goes too far.
-http://fcw.com/articles/2010/05/04/web-consumer-privacy-bill.aspx?admgarea=TC_SE
CCYBERSEC
-http://arstechnica.com/tech-policy/news/2010/05/religion-sex-money-location-bill
-makes-them-sensitive-info.ars
-http://www.computerworld.com/s/article/9176311/Lawmakers_unveil_online_privacy_b
ill?taxonomyId=84
-http://www.theregister.co.uk/2010/05/05/us_privacy_bill/
-http://www.scmagazineus.com/congressmen-propose-draft-online-privacy-bill/articl
e/169522/
-http://news.cnet.com/8301-13578_3-20004165-38.html?part=rss&subj=news&ta
g=2547-1_3-0-20
[Editor's Note (Schultz): The reactions to this proposed legislation mirror the political bifurcation that is crippling the United States. ]

---

*************************** Sponsored Link: *****************************
1) REGISTER NOW FOR THE UPCOMING WEBCAST: Simplifying Fine-Grained Security for Enterprise Applications with Entitlements Management, Sponsored By: Oracle

http://www.sans.org/info/58938
*************************************************************************

---

THE REST OF THE WEEK'S NEWS

Microsoft Will Issue Two Security Bulletins on May 11 (May 6, 2010)

On Tuesday, May 11, 2010, Microsoft will issue two security bulletins to address remote execution vulnerabilities. Both bulletins are rated critical. The updates affect Microsoft Windows 2000, XP, Vista, Server 2003, and Server 2008; Microsoft Office; Microsoft Visual Basic for Application and Visual Basic for Applications software development kit. Microsoft will not be issuing a fix for the recently-disclosed SharePoint vulnerability this month or for a vulnerability in Internet Explorer that was disclosed in February. Microsoft has suggested a workaround for the SharePoint vulnerability, and considers the IE issue "low-risk." Microsoft is also reminding users that it will cease support for Windows 2000 and XP SP2 after July 13, 2010.
-http://www.microsoft.com/technet/security/Bulletin/MS10-may.mspx
-http://www.computerworld.com/s/article/9176390/Microsoft_goes_small_for_next_wee
k_s_Patch_Tuesday
-http://news.cnet.com/8301-27080_3-20004345-245.html?tag=mncol;title`
[Editor's Note (Pescatore): Gee, its nice to see a success story, especially with BIND being a key part of all this. Maybe the folks who did this upgrade could take a look at the stock market's software? ]

Microsoft's April Bulletins Included Three Undisclosed Fixes (May 5 & 6, 2010)

In last month's security update, Microsoft secretly patched three undisclosed vulnerabilities. Two silently patched flaws in MS10-024 could have been exploited to intercept email sent through Exchange and Windows SMTP service. That bulletin was rated "important." The third undisclosed patch was included in MS10-028. Microsoft acknowledged that it released fixes for flaws that it did not disclose to users. There is some concern about the risk level, as the researcher who disclosed the email flaws says they are more serious than the bulletin's overall rating indicated. As for the concern that there were no CVE numbers assigned to the flaws, Microsoft does not assign CVE numbers to flaws found by its own team.
-http://www.theregister.co.uk/2010/05/05/secret_microsoft_patch/
-http://www.computerworld.com/s/article/9176373/Security_firm_reveals_Microsoft_s
_silent_patches?taxonomyId=17
[Editor's Note (Pescatore): There is no hard and fast rule here, but "responsible disclosure" is a two way street - it applies to both external finders of vulnerabilities and software vendors who find vulnerabilities in their products. As the CERT says "In our experience, if there is not responsible, qualified disclosure of vulnerability information, then researchers, programmers, system administrators, and other IT professionals who discover vulnerabilities often feel they have no choice but to make the information public in an attempt to coerce the vendors into addressing the problem." ]

DNSSEC Root Servers' Switchover Now Complete (May 6, 2010)

As of Wednesday, May 5, all 13 of the authoritative root servers for the domain name system are running the DNS Security Extensions (DNSSEC) protocol. The protocol is designed to help prevent cache poisoning and other DNS attacks.
-http://www.h-online.com/security/news/item/DNSSEC-on-all-root-servers-994744.htm
l
[Editor's Note (Northcutt): This is good news. We are a bit late to this party, and I wonder how much of the chain we will be able to apply the DNS security extensions to before practical measures to defeat them are available. Maybe I am tired and cranky, but I think we may have to start increasing the penalties for these types of crimes, something like two strikes and you are out, and try to get deterrence to be a force in the equation. Technology doesn't seem to cut it. Here is a purely theoretical paper outlining potential attacks against DNSSEC:
-http://www.isoc.org/isoc/conferences/ndss/10/pdf/17.pdf]

Man Arrested for Alleged ATM Tampering Scheme (May 4 & 5, 2010)

Thor Alexander Morris has been charged with trying to reprogram ATMs. Morris hoped to exploit configurations on certain machines to program them to dispense higher denomination bills than were requested. Morris allegedly contacted an ex-con and asked him for information about the locations of vulnerable ATMs. The man Morris contacted passed on information to the FBI, who arrested Morris as soon as he tried to orchestrate the scheme. Morris was arrested in Houston while allegedly attempting to reprogram an ATM to act as if it was stocked with US $1 bills instead of US $20 bills.
-http://www.h-online.com/security/news/item/Man-charged-in-US-for-reprogramming-c
ash-machines-993798.html
-http://www.wired.com/threatlevel/2010/05/thor/
-http://www.theregister.co.uk/2010/05/04/atm_hacking_spree_foiled/

Media Organizations Ask Judge to Unseal Gizmodo Search Warrant Docs (May 5 & 6, 2010)

At a hearing on Thursday, May 6 at 2 pm PT, the First Amendment Coalition and several media outlets asked a judge to unseal the search warrant affidavit used to conduct a raid on the home of Gizmodo editor Jason Chen regarding the publication's purchase of a prototype iPhone that had been found in a bar. The judge refused. The raid occurred on April 23, 2010; officers seized six computers and other items from Chen's home. According to California law, search warrant documents are usually made public once the search is complete, and no more than 10 days after the warrant is issued.
-http://news.cnet.com/8301-13579_3-20004389-37.html
-http://www.wired.com/threatlevel/2010/05/gizmodo-warrant/
-http://www.businessweek.com/news/2010-05-06/iphone-search-warrant-documents-shou
ld-be-public-judge-told.html

Facebook Fixes Bugs That Exposes Friends' Chats and Pending Friends Requests (May 5 & 6, 2010)

Facebook temporarily disabled its chat function to address a serious security problem that allowed users to view friends' chat sessions. Ironically, the problem arose through the "Preview My Profile" security feature that allows users to see what their profile settings look like to their Facebook friends. While in this mode, the users were able to view others' chat sessions. Facebook also fixed a bug that allowed users to view their friends' pending friend requests.
-http://www.h-online.com/security/news/item/Facebook-closes-serious-security-hole
-994419.html
-http://www.cbc.ca/consumer/story/2010/05/06/facebook-privacy-chat.html
-http://news.cnet.com/8301-13577_3-20004213-36.html?tag=mncol;title
-http://www.theregister.co.uk/2010/05/05/facebook_eavesdropping_bug/
-http://news.bbc.co.uk/2/hi/technology/10099178.stm

Over Use of "Cyberwar" Concerns Some Experts (May 5, 2010)

Experts gathered this week in Dallas, Texas for the Worldwide Cybersecurity Summit. Some cautioned against the use of the term "cyber war" as a catchall phrase to mean everything from fraudulent financial transactions to attacks on critical infrastructure networks that could threaten lives. Classifying all criminal computer activity as cyber warfare could, in the minds of organizations, place the responsibility for addressing the problem in the hands of the government, when it is a problem that needs to be addressed by the public and private sectors working together. Microsoft's Scott Charney believes cyber threats need to be differentiated and has offered suggestions for four categories: conventional cyber crime, military espionage, economic espionage, and cyber warfare. Even then, rules for cyber warfare need to be thoughtfully considered and thought out because a country could find itself at "war" with an individual. The term may also play into the difficulties countries have experienced in drafting international cyber crime cooperation agreements.
-http://www.msnbc.msn.com/id/36969943/ns/technology_and_science-security/
[Editor's Note (Pescatore): The term is definitely overused and overhyped and directs attention in the wrong direction. Focus on the threat is great for selling novels, focus on the vulnerabilities is what protects business. ]

Report Finds Pennsylvania School District "Overzealous" in Use of Surveillance Technology (May 4, 2010)

A report on the use of surveillance technology on laptop computers used by Lower Merion (Pennsylvania) School District students concluded that the district was "overzealous' in its use of LANrev's TheftTrack feature. LANrev allowed the district to install software and updates and maintain the computers, but also has a video surveillance feature that the district used to locate computers that were reported missing. In some cases, tracking remained activated even after the computer was located. The software took more than 58,000 pictures of students in their homes. An acceptable use policy signed by students and their families predated the program in which the laptops were distributed to students and therefore did not address certain pertinent issues. The report blames the issue on "... the district's failure to implement policies, procedures, and record-keeping requirements, and the overzealous and questionable use of technology by IS personnel without any apparent regard for privacy considerations or sufficient consultation with administrators." The report was produced by the law firm hired by the school district to defend it in the lawsuit filed by the family of a student of whom pictures were taken.
-http://www.philly.com/inquirer/education/20100504_Web_cam_report_blasts_Lower_Me
rion_school_district.html?viewAll=y
-http://www.lmsd.org/documents/news/100503_ballard_spahr_report.pdf

Worm Spreading Through Yahoo Instant Messenger (May 3, 4 & 6, 2010)

A new variant of an old worm is spreading through Yahoo Instant Messenger. The malware spreads as a purported photo link that appears to be from people on users' contact lists. Earlier in the week, the worm was spreading largely in Romania, but it was expected to reach the US soon. The user is tricked into saving what appears to be a JPG or GIF file that is really malware. Once it makes its way onto users' machines, the worm creates a backdoor on the computer. It also spreads through network shares, peer-to-peer filesharing services and USB drives.
-http://darkreading.com/insiderthreat/security/attacks/showArticle.jhtml?articleI
D=224700541&subSection=Attacks/breaches
-http://news.cnet.com/8301-27080_3-20004368-245.html?tag=mncol;title
-http://news.techworld.com/security/3222479/fast-spreading-p2p-worm-targets-usb-d
rives/

UK Information Commissioner Enforcement Powers Growing (April 27, 2010)

The UK Information Commissioner's Office's (ICO) new authority to impose fines of up to GBP 500,000 (US $743,000) for data protection violations puts teeth in the office's enforcement powers. Organizations are more likely to take greater precautions with consumer data. Deputy Information Commissioner David Smith also says that within the next 18 months, the UK must introduce breach notification legislation for telecommunications companies to comply with a European Union directive. Breach disclosure is currently voluntary in the UK.
-http://www.computerweekly.com/Articles/2010/04/27/241061/Mandatory-data-breach-n
otification-on-the-horizon-says.htm

---

**********************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/