SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XII - Issue #44
June 04, 2010
Just for a smile: Dilbert on Cyber Defense in Depth http://www.dilbert.com/dyn/str_strip/000000000/00000000/0000000/000000/30000/400
0/000/34008/34008.strip.zoom.gif
Alan
TOP OF THE NEWS
US Cyber Command Chief Warns of Remote Network Sabotage; Defines Need For Continuous MonitoringCanada Launches Investigation into Google Wi-Fi Data Gathering
UK NHS Tops ICO's List of Breach Reports
THE REST OF THE WEEK'S NEWS
Federal Officials To Discuss Continuous Monitoring and FISMA ComplianceSpyware Variant Targets Macs
Microsoft to Release 10 Security Bulletins on June 8
Click-jacking Attacks Spreading Through Facebook
Cyber Attacks a Top Risk for US Power Grid
Home Windows Machine Proves Detrimental to Bank Account
Active Exploits Detected for Flaw in Windows 2000
FTC Reaches Settlement with Spyware Purveyor
*********************** Sponsored By BreakingPoint **********************
What is Resiliency and why is it Important to Network Security? Does your organization measure the impact of security threats, blended traffic and extreme load on the overall performance, security and stability of network devices and systems? Take our SANS network resiliency survey and help us find out if organizations have security resiliency on their radars. Complete the survey and be entered in a drawing for a $250 American Express Gift Certificate! Results will be announced in our June 30 SANS Analysts Webcast, 1PM EST.
http://www.sans.org/info/60128
*************************************************************************
TRAINING UPDATE
- -- SANSFIRE 2010, Baltimore, June 6-14, 2010 36 courses. Bonus evening presentations include Software Security Street Fighting Style and The Verizon Data Breach Investigations Report
http://www.sans.org/sansfire-2010/
- -- SANS Rocky Mountain 2010, Denver, July 12-17, 2010 8 courses. Bonus evening presentations include Hiding in Plain Sight: Forensic Techniques to Counter the Advanced Persistent Threat
http://www.sans.org/rocky-mountain-2010/
- -- SANS Boston 2010, August 2-8, 2010 11 courses. Special Events include Rapid Response Security Strategy Competition
http://www.sans.org/boston-2010/
- -- SANS Virginia Beach 2010, August 29-September 3, 2010 9 courses
http://www.sans.org/virginia-beach-2010/
- -- SANS Network Security 2010, Las Vegas, September 19-27, 2010 40 courses. Bonus evening presentations include The Return of Command Line Kung Fu and Cyberwar or Business as Usual? The State of US Federal CyberSecurity Initiatives
http://www.sans.org/network-security-2010/
- -- Looking for training in your own community? http://sans.org/community/
Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/spring09.php
Plus Amsterdam, Kuala Lumpur, Canberra and Portland all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
*************************************************************************
TOP OF THE NEWS
US Cyber Command Chief Warns of Remote Network Sabotage; Defines Need For Continuous Monitoring (June 3, 2010)
In his first public remarks since his confirmation last month, the head of the Pentagon's Cyber Command, General Keith Alexander, said that there are signs that US military networks are being targeted for remote sabotage, and that "the potential for sabotage and destruction is now possible and something we must treat seriously." Speaking on June 1 at the Center for Strategic and International Studies (CSIS) in Washington, DC, Alexander spoke of the need to establish clear rules of engagement for cyber space and the need for improved real-time monitoring and threat-data sharing. General Alexander is also the director of the National Security Agency (NSA).-http://www.washingtonpost.com/wp-dyn/content/article/2010/06/03/AR2010060302355_
pf.html
-http://www.businessweek.com/news/2010-06-03/cyber-command-director-alexander-war
ns-of-network-sabotage-.html
-http://www.executivegov.com/2010/06/general-keith-alexander-speaks-on-cybersecur
ity-landscape/
-http://www.google.com/hostednews/afp/article/ALeqM5gu7-0iyRZOhNeGQq0hD-_mqwwpQg
[Editor's Note (Pescatore): The DoD really needs to focus on eliminating or mitigating the continuing *vulnerabilities* in DoD networks that have led to recent incidents. Fix those problems, attacks are blocked and effectiveness of all threats is greatly reduced. Focusing on the threat and monitoring attacks without focusing on eliminating DoD's vulnerabilities just means continued successful attacks.
(Paller): In his address at CSIS, General Alexander defined a new standard of due care in cyber security, made necessary by the new level of threat. He defined the new goal, saying, "real-time situational awareness on our network to see where something bad is happening and take action there at that time." He said. "We must share indications and warning threat data at net speed." The short title used by military leaders for this new standard is "dynamic security." It means they know the status of every machine on the network at all times, they can reach into every machine for additional data on security, and they can take action to eliminate problems instantly. Barry McCullough Jr., Commander of the Navy's Tenth (Cyber) Fleet promised the Chief of Naval Operations that he would have dynamic security "in place by the end of the summer." Although that deadline may slip to the end of the year, the leadership Admiral McCullough is showing is exemplary. Civilian agencies, where the problems are just as acute as in the military, are approaching dynamic security at different speeds - ranging from "brisk" in the best agencies to "comatose." An agency scorecard will be published later this summer showing which federal CIOs have made the most progress toward dynamic security. Early data show two civilian agencies and two military services leading the way. For a copy of the scoring system, email me at apaller@sans.org. ]
Canada Launches Investigation into Google Wi-Fi Data Gathering (June 1 & 2, 2010)
Canada has joined Germany, Italy and France in launching investigations into Google's inadvertent collection of data from unsecured wireless networks. Google collected the data by accident while gathering images for its Street View service. In April, Google said it was collecting only wireless network names and media access control (MAC) addresses, but an audit requested by German authorities proved they were collecting payload data as well. Google acknowledged the issue in May. The US Federal Trade Commission (FTC) has also begun an informal investigation. Several countries have asked that Google be barred from destroying any of the data it has collected while they investigate the potential for criminal prosecution. Google has provided all the collected data to a third party company, ISEC Partners, for safekeeping. Google is facing several lawsuits as well.-http://www.computerworld.com/s/article/9177583/Google_faces_privacy_investigatio
n_in_Canada?taxonomyId=84
-http://www.msnbc.msn.com/id/37455927/ns/technology_and_science-security/
-http://lastwatchdog.com/googles-wifi-data-harvest-draws-widening-probes/
[Editor's Note (Pescatore): Just as "features and fast to market are more important than security" was baked into the DNA of software companies in the early 1990s, "collect and expose user information" is baked into the DNA of today's generation of companies that sell advertising around other peoples data. ]
UK NHS Tops ICO's List of Breach Reports (June 1, 2010)
According to statistics from the Information Commissioner's Office (ICO), the US National Health Service has reported 305 data security breaches since November 2007. During the same period, the private sector reported 288 breaches, local government reported 132 breaches, and central government reported 81 breaches. The most frequent cause of NHS breaches was hardware theft, which accounted for 116 incidents, followed by hardware loss, which accounted for 87 incidents. There were also 43 instances in which NHS information was disclosed improperly, 17 instances in which data were lost in transit, and 13 instances of improper technology disposal. In all, more than 1,000 data breaches have been reported to the ICO. In April the ICO was granted the authority to impose fines of up to GBP 500,000 (US $730,000) for serious data breaches.-http://www.kable.co.uk/nhs-data-losses-information-commissioners-office-01jun10
-http://www.zdnet.co.uk/news/compliance/2010/06/01/nhs-top-culprit-as-uk-data-bre
aches-exceed-1000-40089098/
-http://www.ico.gov.uk/upload/documents/pressreleases/2010/1000_data_breaches2805
10.pdf
-http://www.ico.gov.uk/upload/documents/library/corporate/research_and_reports/br
each_notification_spreadsheet_may2010.pdf
[Editor's Note (Honan): Regarding the ICO issuing a fine of 500,000 there are certain items that the ICO will consider before issuing the fine. Before issuing a fine the ICO will determine whether there has been a serious contravention of data protection principles by the organization in control of the data, the contravention is likely to cause substantial damage or substantial distress to those impacted and either the contravention was deliberate or that the organization was aware or should have been aware that the contravention would occur and cause substantial damage or distress but the organization did not take reasonable steps to prevent the contravention. ]
**************************** Sponsored Links: **************************
1) The SANS WhatWorks in Virtualization and Cloud Computing Summit will help you better understanding of the various types of virtualization available and the kinds of problems that they're meant to solve.
http://www.sans.org/info/60133
*************************************************************************
THE REST OF THE WEEK'S NEWS
Federal Officials To Discuss Continuous Monitoring and FISMA Compliance (June 4, 2010)
The three federal officials who have had and are having the greatest impact on eliminating waste in Federal cyber security reporting will be speaking on June 15 at the Reagan Center in Washington DC. Their purpose is to help federal CIOs and other federal officials (above GS 13), and officers of the large service providers, understand the issues and the way forward. This breakfast also be one of the first public discussions of CAESARS - the new online reporting framework. Panelists include Matt Coose, Director of Federal Network Security, John Streufert, CISO of US Department of State, and Jerry Davis, CISO of NASA. The discussion will be moderated by Tim Clark, founder and long-time editor and publisher of Government Executive Magazine. There is no cost, but only federal officials and other qualified persons may attend. It is a key installment in the "Cybersecurity Insiders Program."-http://www.govexec.com/cyber_insider/
[Editor's Note (Paller): The Government Executive magazine folks just told me that they have an absolute capacity of 200 seats, and that 158 are already spoken for. So register quickly if you are going to be in DC and have the qualifying job level. ]
Spyware Variant Targets Macs (June 1, 2010)
Spyware that targets Mac users has been detected on three widely-used download sites. The OSX/OpinionSpy software spreads through the Softpedia, MacUpdate and VersionTracker sites. OpinionSpy scans hard drives for information and injects code into certain applications that allows it to search for email addresses, message headers and other information. The spyware downloads during the installation process of certain applications and screensavers the users download from those sites. OpinionSpy is a variant of spyware that has been infecting Windows machines since 2008. The spyware asks for the users' administrative passwords, claiming the software that will be installed will collect browsing and online shopping history. Instead, OpinionSpy installs and "runs as root ... with full rights to access and change any file on the infected ... computer."-http://www.theregister.co.uk/2010/06/01/mac_spyware/
-http://voices.washingtonpost.com/fasterforward/2010/06/mac_spyware_alert_is_noth
ing_n.html
-http://www.pcworld.com/businesscenter/article/197696/security_firm_discovers_spy
ware_in_mac_software.html
[Editor's Note (Pescatore): While there is *less* Mac malware around than PC malware, there is plenty around. The new calculus of targeted attacks means using a low market share product gains you *no* security through obscurity - if you are using Macs or Linux or whatever, when someone targets you they go after the numerous vulnerabilities in those platforms - or in reality, the vulnerabilities of your users. ]
Microsoft to Release 10 Security Bulletins on June 8 (June 3, 2010)
On Tuesday, June 8, Microsoft will issue 10 security bulletins. Three of the bulletins have maximum severity ratings of critical; the rest are rated important. The vulnerabilities could be exploited to allow remote code execution, elevation of privileges and tampering. The updates will address a total of 34 vulnerabilities in Microsoft Windows, Internet Explorer (IE), Microsoft Office and Microsoft Server Software. Examples of flaws for which fixes will soon be available include: 1) a flaw in SharePoint that was disclosed late last April and that could be exploited to allow elevation of privileges, and 2) an information disclosure flaw in IE that was disclosed last February.-http://www.zdnet.com/blog/security/patch-tuesday-heads-up-10-bulletins-34-flaws-
ie-windows-affected/6593
-http://www.scmagazineus.com/sharepoint-ie-part-of-microsoft-patch-plans/article/
171660/
Click-jacking Attacks Spreading Through Facebook (June 1, 2 & 3, 2010)
Click-jacking or like-jacking attacks are spreading through Facebook. If Facebook users click on the specially-crafted links created to be enticing, they are taken to a page that appears to be empty with a message that instructs them to "click here to continue." An invisible iFrame publishes the content, including the link, on the user's status page. At the moment, the attacks are little more than a nuisance, but they could be altered to be malicious. Internet Storm Center:-http://isc.sans.org/diary.html?storyid=8893
-http://www.informationweek.com/news/software/hosted/showArticle.jhtml?articleID=
225300286
-http://news.bbc.co.uk/2/hi/technology/10224434.stm
-http://www.theregister.co.uk/2010/06/01/facebook_clickjacking_worm/
-http://www.computerworld.com/s/article/9177618/Facebook_likejacking_attacks_cont
inue_with_flesh_appeal?taxonomyId=17
[Editor's Note (Pescatore): This type of "clickjacking" attack was detailed back in 2008, but is really just a web-enabled variant of bad user interface design. There are things web sites can do to minimize this attack (like x-frame-options and other things) but most web sites haven't done them. Even off the web, UI "overlay" issues have long been the bane of trying to use digital signatures on PCs - how can you prove what the user clicked on actually signed what they thought they were signing? ]
Cyber Attacks a Top Risk for US Power Grid (June 2, 2010)
According to a report from the North American Electric Reliability Corp. (NERC), the three top threats to the US power grid are cyber attacks, pandemics and electromagnetic disturbances. The report, "High-Impact, Low-Frequency Risk to the North American Bulk Power System," recommends that power grid providers and the government be better coordinated. A coordinated cyber attack in concert with a physical attack is the top concern. NERC president and CEO Gerry Cauley said there has been "suspicious activity around control systems."-http://www.csoonline.com/article/595729/Cyberattacks_Top_threat_to_U.S._power_gr
id?source=CSONLE_nlt_update_2010-06-03
[Editor's Note (Pescatore): A good deal of overhype here. The effort focused solely on those 3 threats, so it was guaranteed they'd be the top 3! There wasn't a cyber-attack category; it was coordinated physical/cyber attack. This is why the most frequent, high impact risk wasn't discussed - lack of maintenance of the physical plant has almost invariably been the cause of major outages for the past several years.
(Northcutt): Let's all make sure we keep this in perspective. Cyber attacks are possible and if we put in a smart grid without redundant security controls, inevitable. However, in a year where an unpronounceable volcano shut down air traffic and an oil well spill looks like it will devastate the Caribbean, we would be wisest to put electromagnetic disturbances at the top of the list and far and above the other two threats. One potential issue is the sun "acting out", but if a terrorist organization is able to acquire a nuclear weapon and set off an air burst, that would also cause the power infrastructure to go topsy turvy. However, our risk could be greatly reduced if we just segmented our power grid a bit more. I just put in solar and the inspectors would not approve me (without jumping through even more hoops) going off the grid. Get this, if there is a power outage, they want my system to shut down too. The reason they give is to keep my system from electrocuting power line workers. I am all for that, but we have not one, but two, disconnect switch points in the system, yet to get my permits, I had to agree to be part of their grid, under their control. ]
Home Windows Machine Proves Detrimental to Bank Account (June 2, 2010)
A businessman learned the hard way that using his home Windows computer to authorize a transfer from his company's bank account was a bad idea. David Green always used his Mac laptop to access the account, but in late April, he found himself sick at home without the computer, so he decided to authorize a necessary transfer from his home computer, which had apparently been infected with a password-stealing Trojan horse program. Within days of the home-authorized transaction, Green found that cyber thieves had drained the account of nearly US $100,000. Just US $22,000 of the US $98,000 stolen has been recovered. Green's company now has a strict online bank account access policy in place; transfer authorizations can now be made only from Green's Mac.-http://krebsonsecurity.com/2010/06/using-windows-for-a-day-cost-mac-user-100000/
[Editor's Note (Schultz): This sorry episode provides excellent material for security training and awareness programs.
(Honan): Before everyone runs out to change their banking PCs from Windows to Macs remember that more and more malware is targeting the Mac platform (see the piece on that story elsewhere in this NewsBites.) A better approach would be to ensure that you conduct sensitive online business only from a secure computer, regardless of the operating system it is using. ]
Active Exploits Detected for Flaw in Windows 2000 (June 2, 2010)
Cyber criminals are exploiting a flaw in machines running Windows 2000 that do not have the most recent Windows Media Service patch installed. The attacks thus far have been limited in their scope. Microsoft patched the remote code execution vulnerability with its MS10-025 security update on April 13, but the company had to reissue the fix two weeks later because the first update did not adequately address the problem. When the attack is successful, remote desktop access is enabled on the computer and password logging tools are installed. The attack can only work on machines on which the Windows Media Services port 1775 has not been blocked at the firewall.-http://www.computerworld.com/s/article/9177616/After_buggy_patch_criminals_explo
it_Windows_2000_flaw?taxonomyId=17
-http://www.techeye.net/security/cyber-crims-attack-dodgy-windows-2000
-http://www.microsoft.com/technet/security/Bulletin/MS10-025.mspx
FTC Reaches Settlement with Spyware Purveyor (June 2 & 3, 2010)
The Federal Trade Commission (FTC) and CyberSpy software have reached a settlement regarding the company's RemoteSpy product. In 2008, the FTC sued CyberSpy for selling RemoteSpy as a completely undetectable keystroke logger. The settlement allows CyberSpy to keep selling the product, but must not provide instructions for installing the software surreptitiously on others' computers. The software must notify users when it is going to install and obtain their consent. The company must also inform users that abuse of the software may constitute violation of state or federal law. The company was also ordered to remove legacy versions of the software from machines on which it has already been installed. The software is now being touted as a tool to keep track of what happens on one's own computer.-http://www.computerworld.com/s/article/9177620/FTC_cracks_down_on_spyware_seller
?taxonomyId=17
-http://www.pogowasright.org/?p=10780
-http://www.ftc.gov/opa/2010/06/cyberspy.shtm
**********************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.
Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/
