SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XII - Issue #38
May 14, 2010
Two "good news" government security stories became public this morning, and one heads-up.
(1) Greg Schaffer, DHS' new Assistant Secretary for cyber security and communications, unveiled a new information sharing program with financial institutions and some other long-sought innovations in making sensitive threat information more accessible to industry. It's the first story under Top of the News.
(2) The second story will show up in the press later today. It is the herald of a multi-hundred-million-dollar shift in contracting for federal IT and cyber security services. Yesterday the US Department of State told its IT service provider contractors that they would all recompete for a new five-year contract with a much higher level of security built in. Sixty percent of the technical labor at State is contracted so this is a huge initiative. There is general consensus that this is critically necessary in order strengthen the defenses of .mil and .gov. Too many organizations fracture the leadership of their technical labor responsible for security and configuration management (servers, routers, firewalls, enterprise networks). What the State Department is about to do, similar to the B1-B bomber contracts from 20 years ago is to link all these businesses in associate contractor agreements which are contractually binding and linked to performance. Not surprisingly, they will measure their performance on defensive cyber security by the risk dashboard.
(3) Do you have anyone in your organization called a security architect - - or security engineer or IA architect or engineer? If you do, you might find it useful to know that only about 30% of the people holding those titles have ... (see the story at the end of this issue, called "Security Architects and Engineers Seek Higher Standards of Professional Qualifications").
Alan
TOP OF THE NEWS
DHS Piloting New Cyber Threat Information Sharing ProgramGerman Court Says WiFi Owners Must Secure Networks
General Alexander Confirmed as Head of Defense Department's US Cyber Command
Cyber Thieves Clog Phones With Nuisance Calls While They Plunder Bank Accounts
THE REST OF THE WEEK'S NEWS
Facebook Introduces New Security MeasuresStolen Facebook Account Hawker Identified.
Laptop Stolen From Contractor's Office Holds Army Reservists' Information
Northrop Grumman to Sponsor Air Force Association's Cyber Patriot III Tournament
Microsoft and Adobe Issue Security Updates
Majority of Phishing Attacks are the Work of One Group
Mozilla Tools Tests Plug-in Safety For Other Browsers
Guilty Plea Expected From Second Man in Demo of Botnet For Sale Case
Security Architects and Engineers Seek Higher Standards of Professional Qualifications
********************* Sponsored By Athena Security *********************
Download the First and Only Free Firewall Rulebase Browser
For Cisco, Check Point and Netscreen firewall engineers. This free tool lets you slice and dice any firewall-related question you have about your network, service objects and security rules. Easily locate the rules and objects that you can reuse to handle change requests.
Save loads of time. Get it today.
http://www.sans.org/info/59203
*************************************************************************
TRAINING UPDATE
-- SANSFIRE 2010, Baltimore, June 6-14, 2010 38 courses. Bonus evening presentations include Software Security Street Fighting Style and The Verizon Data Breach Investigations Report
http://www.sans.org/sansfire-2010/
-- SANS Rocky Mountain 2010, Denver, July 12-17, 2010 8 courses. Bonus evening presentations include Hiding in Plain Sight: Forensic Techniques to Counter the Advanced Persistent Threat
http://www.sans.org/rocky-mountain-2010/
-- SANS Boston 2010, August 2-8, 2010 11 courses. Special Events include Rapid Response Security Strategy Competition
http://www.sans.org/boston-2010/
-- SANS Network Security 2010, Las Vegas, September 19-27, 2010 39 courses. Bonus evening presentations include The Return of Command Line Kung Fu and Cyberwar or Business as Usual? The State of US Federal CyberSecurity Initiatives
http://www.sans.org/network-security-2010/
Looking for training in your own community? http://sans.org/community/
Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/spring09.php
Plus Singapore, Amsterdam, Canberra and Portland all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
*************************************************************************
TOP OF THE NEWS
DHS Piloting New Cyber Threat Information Sharing Program (May 14, 2010)
The Us Department of Homeland Security (DHS) and the Defense Department are partnering with several financial services companies to test a new model of cyber threat information sharing. The program allows participants to share cyber threat information in real time and to examine network intrusions and activity. The long term goal is to allow DHS to look at cyber threat data across the government and private sectors, as many components of the country's critical infrastructure are private, and improve cyber security for everyone.-http://www.federalnewsradio.com/index.php?nid=35&sid=1957093
German Court Says WiFi Owners Must Secure Networks (May 12 & 13, 2010)
Germany's top criminal court has ruled that people who have wireless networks must secure them with passwords or face a fine of 100 euros (US $126) if other people use their networks to download content illegally. "Private users are obligated to check whether their wireless connection is adequately secured to the danger of unauthorized third parties abusing it to commit copyright violation." The decision stems from a case in which a copyright holder sued a network owner because his music was downloaded and was later made available for filesharing. The network owner had proof that he was away from his home at the time the music was downloaded.-http://www.msnbc.msn.com/id/37107291/ns/technology_and_science-security/
-http://www.theregister.co.uk/2010/05/13/open_wifi_fines_germany/
-http://www.scmagazineuk.com/german-wifi-owners-are-now-liable-for-what-third-par
ty-users-download-while-connected-to-their-network/article/170061/
[Editor's Note (Northcutt): We all need to keep our eyes open, because if the access point itself has vulnerabilities that lead to filesharing then who is to blame. Joshua Wright, InGuardians researcher and author of the SANS Wireless security class, discovered that the Verizon MiFi access point has a predictable WPA key based on the SSID which has a predictable ID so you know it is Verizon. So if you meet the letter of the law, and "protect" your network and someone computes the WPA key and downloads files over your network, who gets sued and why? ]
General Alexander Confirmed as Head of Defense Department's US Cyber Command (May 11 & 12, 2010)
The US Senate has unanimously confirmed General Keith B. Alexander as the head of the US military's US Cyber Command. General Alexander is also the director of the National Security Agency (NSA). The Senate also elevated Alexander from lieutenant general to four-star general. During his confirmation hearing, Alexander said that the Cyber Command will focus on cyber defense, but acknowledged that "under the right circumstances," Cyber Command could use offense cyber measures.-http://www.washingtonpost.com/wp-dyn/content/article/2010/05/10/AR2010051005251_
pf.html
-http://www.computerworld.com/s/article/9176573/Update_Senate_confirms_Alexander_
as_chief_of_U.S._Cyber_Command?taxonomyId=82
-http://www.theregister.co.uk/2010/05/12/alexander_cyber_confirmation/
-http://www.informationweek.com/news/government/security/showArticle.jhtml?articl
eID=224701513
-http://www.federalnewsradio.com/?nid=35&sid=1956202
Cyber Thieves Clog Phones With Nuisance Calls While They Plunder Bank Accounts (May 12, 2010)
Cyber thieves targeting financial accounts have added another tactic to their schemes: denial-of-service attacks on telephones. The attack floods victims' phones with calls - either dead air or recorded advertisements - during the period of time when their financial institution is likely to call to verify that contact information has been changed. They also initiate transactions, then call to complain that the transaction did not go through and confirm that they have been having telephone problems.-http://www.wired.com/threatlevel/2010/05/telephony-dos/
THE REST OF THE WEEK'S NEWS
Facebook Introduces New Security Measures (May 13, 2010)
Facebook has introduced two new security measures to help prevent account hijacking. Facebook users can now approve the specific devices from which they access Facebook and receive email or text message alerts when attempts to access their access their accounts are made from devices not on the list. If a user attempts to log in from an unfamiliar device, Facebook will now ask that user additional security questions. In addition, Facebook users will soon be able to see the location of the most recent log in attempts.-http://www.computerworld.com/s/article/9176752/Facebook_unveils_new_security_fea
tures
-http://gadgetwise.blogs.nytimes.com/2010/05/13/facebook-moves-to-thwart-cybercro
oks/
-http://www.msnbc.msn.com/id/37136041/ns/technology_and_science-security/
[Editor's Note (Pescatore): Ah, the old myth that showing the user their last login adds some security value! If the door to your house displayed the last time you walked through it, would you really be able to say "Hey, someone has been in here since I was last in here"? People use computers and online services very differently today than back in the "log-in once a day" TSO days. The first measure (device restriction) is not a bad move as a form of two-factor authentication, but again - these days people use many, many devices and change them often. Facebook and Google and other advertising supported services should focus more on making stronger authentication approaches like test messaging challenges easier to use and even often incentives to their use. ]
Stolen Facebook Account Hawker Identified (May 13, 2010)
Facebook has identified the person who offered access credentials for 1.5 million Facebook accounts in underground forums. The individual, who used the online name of Kirllos, offered batches of 1,000 accounts for between US $25 and US $45. With the help of forensic specialists, Facebook now says they know Kirllos's identity; while a name was not provided, a company spokesperson acknowledged that the person operated out of Russia. The spokesperson also said that it is unlikely that Kirllos had the number of accounts he claimed.-http://www.computerworld.com/s/article/9176744/Facebook_IDs_hacker_who_tried_to_
sell_1.5M_accounts?taxonomyId=17
Laptop Stolen From Contractor's Office Holds Army Reservists' Information (May 13, 2010)
The US Army Reserve Command is notifying approximately 207,000 reservists that their personally identifiable information is on a CD-ROM in a laptop computer stolen from a government contractor. The compromised data include names, addresses and Social Security numbers (SSNs). The computer may also contain information about reservists' dependents and spouses. The computer was one of three stolen from the Morrow, Georgia offices of Serco Inc.-http://krebsonsecurity.com/2010/05/stolen-laptop-exposes-personal-data-on-207000
-army-reservists/
-http://www.govinfosecurity.com/articles.php?art_id=2527
[Editor's Note (Pescatore): Here's hoping the contract the contractor was working under had the terms and conditions about meeting government security requirements which include laptop data encryption. ]
Northrop Grumman to Sponsor Air Force Association's Cyber Patriot III Tournament (May 12 & 13, 2010)
Northrop Grumman will be the "Presenting Sponsor" of the Air Force Association's Cyber Patriot III cyber defense competition for high school students. The year-long competition aims to mentor teams of high school students through a series of cyber security exercises and to identify and encourage those who will become the next generation of cyber security specialists. The US currently has approximately 1,000 qualified cyber security specialists, but needs 20 to 30 times that many. The competition is open to all high school students; the competition allows for 100,000 participants.-http://www.nextgov.com/nextgov/ng_20100512_1157.php?oref=topnews
-http://www.thenewnewinternet.com/2010/05/13/northrop-grumman-to-help-find-nextge
n-cyber-pros/
Microsoft and Adobe Issue Security Updates (May 12, 2010)
Microsoft and Adobe both issued security updates on Tuesday, May 11. Microsoft's release included two bulletins, both rated critical; each bulletin addresses one vulnerability. The first patch fixes a remote code execution flaw in Outlook Express, Windows Mail, and Windows Live Mail; the other Microsoft bulletin fixes a remote code execution flaw in the Microsoft Visual Basic for Applications component of Microsoft Office. The Adobe update addresses a variety of flaws in its Cold Fusion and Shockwave Player software.-http://isc.sans.org/diary.html?storyid=8776
-http://www.microsoft.com/technet/security/bulletin/ms10-may.mspx
-http://krebsonsecurity.com/2010/05/microsoft-adobe-push-critical-security-update
s/#more-2996
-http://www.theregister.co.uk/2010/05/12/may_patch_tuesday/
-http://www.adobe.com/support/security/bulletins/apsb10-12.html
Majority of Phishing Attacks are the Work of One Group (May 12, 2010)
According to a report from the Anti-Phishing Working Group (APWG), one phishing gang in Eastern Europe is believed to be responsible for about two-thirds of all phishing attacks. Of the 127,000 phishing attempts tracked by the APWG, 84,000 appear to have originated with this group. The Global Phishing Survey: Trends and Domain Name Use in[the Second half of 2009 ]
also notes that the group, which has been dubbed "Avalanche," has changed the way it operates and is running on a 'greatly reduced scale." The majority of phishing attacks appear to come from just five top-level domains.
-http://www.antiphishing.org/reports/APWG_GlobalPhishingSurvey_2H2009.pdf
-http://www.darkreading.com/vulnerability_management/security/cybercrime/showArti
cle.jhtml?articleID=224701763&cid=RSSfeed
-http://www.computerworld.com/s/article/9176661/Report_blames_Avalanche_group_for
_most_phishing?taxonomyId=144
Mozilla Tools Tests Plug-in Safety For Other Browsers (May 11 & 12, 2010)
Mozilla has launched a tool that users of other browsers can use to test whether or not plug-ins are secure. The tool is an offshoot of a Firefox feature launched last year that checks Firefox for plug-ins that need to be updated. Mozilla launched the tool for Chrome, Opera, Safari and Internet Explorer because "plug-in safety is an issue for the web as a whole." Coverage for Internet Explorer is not as extensive as for the other browsers because "IE requires specific code to be written for each plug-in."-http://www.computerworld.com/s/article/9176630/Firefox_lends_security_hand_to_ri
val_browsers?taxonomyId=85
-http://www.theregister.co.uk/2010/05/11/mozilla_plugin_check/
Guilty Plea Expected From Second Man in Demo of Botnet For Sale Case (May 11, 2010)
A second man is expected to plead guilty in connection with botnet attacks on two Internet service providers (ISPs) in 2006. Thomas James Frederick Smith will plead guilty on June 10, 2010, according to court filings. He and David Anthony Edwards created a botnet of 22,000 compromised computers and used to launch attacks on the ISPs as a demonstration for prospective clients. The pair hoped to sell the botnet's services to others. Both men face sentences of up to five years in prison and fines of US $250,000.-http://www.pcworld.com/businesscenter/article/196056/guilty_plea_after_botnet_te
sted_with_ddos_on_isp.html
Security Architects and Engineers Seek Higher Standards of Professional Qualifications (May 12, 2010)
Do you have anyone in your organization called a security architect - or security engineer or IA architect or engineer? If you do, you might find it useful to know that only about 30% of the people holding those titles have substantial security architecture or engineering knowledge. The rest do not know the key questions that seasoned security architects and engineers ask, they cannot do quick and reliable risk assessments, they do not have models of successful designs nor do they have the examples of failures nor the rest of the body of knowledge that defines an engineer or architect. They were able to take the titles because few employers knew what a good security architect or good security engineer needed to know. Worse still, some government security organizations completely devalued the titles by certifying people as security engineers and architects if they knew federal regulations and project management even if they had *no* technical security talent at all.The bar for holding those titles is now rising. A consortium of organizations where security architecture matters (you can guess which ones they are) is meeting the last week in May to provide a foundation for the missing body of knowledge and to begin the national consensus building project that will lead to a trusted designation as a security engineer or architect. If any of the people who work with you are really good security architects or engineers (even if they don't hold those titles) please encourage them to come to the kick-off meeting that will launch the national consensus-building project. And if some people want to be really good but haven't yet been connected with the network of seasoned architects and engineers who can help build their skills, they can come too, to learn and help make the work accessible. Information:
-http://www.sans.org/security-architecture-summit-2010/
**********************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.
Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/