SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XII - Issue #99

December 17, 2010

TOP OF THE NEWS

US Government-wide Cyber Security Legislation Will Not Pass in 2010
Assange Free on Bail With Restrictions
DoJ Attempting to Build Conspiracy Case Against Assange
HP Addresses Hidden User/Default Password Issue on MSA2000 G3 Devices

THE REST OF THE WEEK'S NEWS

Greek Police Arrest One In Connection with Anonymous Attacks
Man Admits Guilt in Music Download Scam
McDonald's Breach Points to Larger Intrusion
Microsoft's December Patch Tuesday Addresses 40 Flaws
Air Force Blocks Sites That Published Documents from WikiLeaks
Ohio State University Data Security Breach Affects 760,000
Former Employee Gets 18 Months for Revenge Cyber Attack
EDITORIAL: "Accredit and Forget It": How Some U.S. Government Agencies Cheat On Cyber Security

---

************************ Sponsored By SANS *****************************
Christmas in May: Take the SANS 2011 Annual Log Management Survey

Take the 7th Annual Log Management Survey and be entered to win a $250 American Express Gift card. This comprehensive survey has become a leading indicator of how well log management and automation helps organizations with their security and compliance needs. To take our survey, follow this link: http://www.sans.org/info/68208

The results will be released in early May during a short series of live webcasts with Jerry Shenk and Dave Shackleford.
*************************************************************************

TRAINING UPDATE
New "Combating Malware in the Enterprise" course at SANS (SEC569). How do you fight off malware when you have thousands of hosts? Learn the answers in Washington DC in December or in Orlando in March:
http://www.sans.org/security-training/combating-malware-enterprise-1482-mid

-- SANS Cyber Defense Initiative 2010, Washington DC, December 10-17, 2010 24 courses. Bonus evening presentations include Browser Based Defenses; Continuous Vulnerability Testing and Remediation: the 20 Critical Security Controls Perspective; and Cyberwar or Business as Usual? The State of US Federal CyberSecurity Efforts
http://www.sans.org/cyber-defense-initiative-2010/

-- SANS Security East 2011, New Orleans, LA, January 20-27, 2011 12 courses. Bonus evening presentations and special events include Happy Little Clouds: Governing, Assessing and Auditing Cloud Environments; and Future Trends in Network Security
http://www.sans.org/security-east-2011/

-- North American SCADA 2011, Lake Buena Vista, FL, February 23-March 2, 2011
http://www.sans.org/north-american-scada-2011/

-- SANS 2011, Orlando, FL, March 27-April 4, 2011 39 courses. Bonus evening presentations and special events include Hiding in Plain Sight: Forensic Techniques to Counter the Advanced Persistent Threat; and Law and the Public's Perception of Data Security
http://www.sans.org/sans-2011/

-- Looking for training in your own community?
http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Atlanta, San Francisco, Bangalore and Phoenix all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
****************************************************************************

---

TOP OF THE NEWS

US Cyber Security Legislation Will Not Pass in 2010

US Cyber Legislation is dead for this year. Congressman Langevin who helped draft the cybersecurity rider to the National Defense Authorization Act (DAA) of 2011 does not expect the rider to be included with a revised version of the bill. On the other hand, the DAA does includes provisions funding cybersecurity demonstration projects; revamping the acquisition process for cyber security; figuring out how to mitigate software vulnerabilities and supply-chain risks, and requiring the DoD to continuously monitor its information systems.

-http://www.govinfosecurity.com/articles.php?art_id=3184


[Editor's Note (Paller): No government-wide cybersecurity bill was passed in 2010 largely because Congress was reluctant to act without strong guidance from White House. I expect that will change early in 2011 with the start of a bipartisan effort, led this time by the White House, to bring about comprehensive cyber security legislation. In the mean time, several of the most important changes written into the Senate and House cyber bills in 2011, such as near-real-time continuous monitoring, are being implemented today in multiple federal agencies, through the leadership of the US Office of Management and Budget and agency CISOs and CIOs, without special legislative authority. See also the "Accredit and Forget It Commentary at the end of this issue. ]

Assange Free on Bail With Restrictions (December 16 & 17, 2010)

Julian Assange has been granted bail after spending nine days in jail in the UK. Assange will be required to wear a monitoring device and must remain within certain boundaries on a friend's country estate. He must be inside the house between 10am and 2 pm and 10 pm and 6 am and must also visit police daily. Assange plans to fight extradition to Sweden where he is to face charges of sexual molestation and rape. Assange is due back in court on January 11, 2011; his extradition hearing is scheduled for February 7 & 8, 2011.

-http://www.nytimes.com/2010/12/17/world/europe/17assange.html?hp

-http://www.wired.com/threatlevel/2010/12/assange-freed-from-prison/

-http://news.smh.com.au/breaking-news-world/jubilant-assange-celebrates-bail-2010
1217-18ztc.html

DoJ Attempting to Build Conspiracy Case Against Assange (December 15 & 16, 2010)

Federal prosecutors in the US are gathering evidence to build a conspiracy case against WikiLeaks founder Julian Assange. Justice Department officials are attempting to discern whether Assange encouraged or helped Pfc. Bradley Manning steal data from a government computer system; if he did, he could be charged as a conspirator. Prosecutors are examining the log of an online chat between Manning and Adrian Lamo in which Manning allegedly said he was in direct communication with Assange and that Assange provided him access to a server so he could upload the stolen data. The FBI has seized the computer hard drive containing the chat logs. Manning is being charged under the Espionage Act and the Computer Fraud and Abuse Act. Charging Assange under the Espionage Act would raise First Amendment issues, drawing attention to the fact that prosecutors would be targeting Assange but not the news outlets that published the leaked documents. A former federal prosecutor told lawmakers that the Justice Department could demonstrate that WikiLeaks is "fundamentally different" from traditional media outlets, thereby avoiding the First Amendment issues.

-http://www.wired.com/threatlevel/2010/12/wikileaks-conspiracy-case/

-http://www.wired.com/threatlevel/2010/12/wikileaks-and-espionage-act/

-http://www.nytimes.com/2010/12/16/world/16wiki.html?_r=2&src=twt&twt=nyt
imes

HP Addresses Hidden User/Default Password Issue on MSA2000 G3 Devices (December 14, 2010)

A security flaw has been discovered on HP MSA2000 G3 modular storage arrays. The flaw involves a hidden user, which does not show up in the user manager. The username and password for the hidden user are hardcoded, meaning they cannot be changed or deleted, and they are very simple. HP has released a support document about the issue that provides instructions for changing the password. The process will need to be repeated any time the administrator restores factory settings with the restore defaults command, because the system will revert to the default username and password. Internet Storm Center:
-http://isc.sans.edu/diary.html?storyid=10090

-http://www.securityweek.com/backdoor-vulnerability-discovered-hp-msa2000-storage
-systems

-http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&
amp;objectID=c02662287


[Editor's Note (Paller): This HP problem is the tip of the iceberg. Storage devices, printers, and many other network-attached appliances have installed back doors into thousands of organizations and the buyers don't know. ]

---

THE REST OF THE WEEK'S NEWS

Greek Police Arrest One In Connection with Anonymous Attacks (December 16, 2010)

Law enforcement authorities in Greece have arrested an individual believed to be a spokesperson for a loosely organized hacktivist group known as Anonymous. Two teenagers arrested earlier this month in the Netherlands are also believed to be part of the group, which has gained notoriety for launching attacks on anti-piracy websites and more recently, for allegedly launching attacks on sites that have been identified as hostile to WikiLeaks.
Internet Storm Center:
-http://isc.sans.edu/diary.html?storyid=10045

-http://www.theregister.co.uk/2010/12/16/anonymous_arrests/


[Editor's Note (Honan): Metadata within a document released by the Anonymous group led the police to this suspect. Metadata in documents can contain information such as the author, revision levels, the computer name the document was written on, as well as tracked changes amongst other items. Microsoft has a good overview of how to do sanitize the metadata in documents at
-http://office.microsoft.com/en-us/excel-help/find-and-remove-metadata-hidden-inf
ormation-in-your-legal-documents-HA001077646.aspx?redir=0]

Man Admits Guilt in Music Download Scam (December 15 & 16, 2010)

A 19-year-old UK man has admitted to participating in a scheme in which a group of people posted their own songs to iTunes and Amazon, then used stolen credit card information to purchase the tracks, generating fraudulent royalty payments. Between January 2008 and June 2009 the group allegedly downloaded songs 6,000 times. Lamar Johnson pleaded guilty to conspiracy to defraud; the 11 other defendants in the case are scheduled to appear in court on January 25, 2011.

-http://www.theregister.co.uk/2010/12/16/itunes_royalty_scam/

-http://www.bbc.co.uk/news/uk-england-12001116

McDonald's Breach Points to Larger Intrusion (December 15, 2010)

The compromise of McDonald's customer data on a third party site has led to speculation that it was part of a larger security breach, potentially affecting more than 105 companies. McDonald's did not identify the third party site involved in the intrusion, but federal investigators believe it is Atlanta-based email marketing service company Silverpop, which earlier this week sent customers a notice that it had suffered a cyber security breach that affected a "small percentage" of customers. Federal investigators believe that Silverpop may not have been the only organization targeted in the attack.

-http://www.scmagazineus.com/exposed-mcdonalds-data-may-be-linked-to-third-party/
article/192885/


[Editor's Note (Honan): When negotiating with an external provider to host your data, include in the section in the contract covering security roles and responsibilities, a clause stating the provider must notify you if they, or the services to one of their other customers, suffer a security breach that could impact your data/service. ]

Microsoft's December Patch Tuesday Addresses 40 Flaws (December 15, 2010)

Microsoft has released security updates to address 40 vulnerabilities in its products, including five critical flaws in Internet explorer (IE); all versions of the company's browser are affected. Some of the flaws have already been actively exploited. However, a recently reported CSS flaw in IE was not fixed in this batch. Another critical flaw that has been addressed in this release is a font handling problem that could allow remote code execution on newer Windows releases. Among the other issues addressed in this batch of patches is a privilege escalation flaw in Task Scheduler, the last of the known vulnerabilities exploited by Stuxnet.
Internet Storm Center:
-http://isc.sans.edu/diary.html?storyid=10081

-http://www.theregister.co.uk/2010/12/15/dec_patch_tuesday/

-http://krebsonsecurity.com/2010/03/secret-obsession-odd-windows-crash-alerts/

-http://www.h-online.com/security/news/item/Microsoft-closes-IE-and-Stuxnet-holes
-1153145.html

-http://www.microsoft.com/technet/security/Bulletin/MS10-dec.mspx

Air Force Blocks Sites That Published Documents from WikiLeaks (December 15, 2010)

The US Air Force has blocked employees' access to websites that published sensitive documents released by WikiLeaks. Air Force personnel cannot access The New York Times, The Guardian, Der Spiegel, Le Monde or more than 20 other online publications from their government computers. When they attempt to go to those sites, they instead see a screen that says "Access denied: Internet usage is logged and monitored."

-http://www.theregister.co.uk/2010/12/15/air_force_blocks_wikileaks/

Ohio State University Data Security Breach Affects 760,000 (December 15 & 16, 2010)

Ohio State University is notifying 760,000 current and former students, faculty, staff, applicants and others affiliated with the school that their personal information may have been compromised. The intruder or intruders gained unauthorized access to an Ohio State server; the incident was discovered in October during a routine security review. The compromised information includes names, Social Security numbers (SSNs) and dates of birth. Cyber forensic experts brought in to assess the breach determined that the purpose of the intrusion was to use the system to launch attacks on online businesses.

-http://www.esecurityplanet.com/news/article.php/3917501/Ohio-State-Deals-With-Ma
ssive-Data-Breach.htm

-http://www.darkreading.com/database-security/167901020/security/privacy/22880067
7/server-breach-at-ohio-state-exposes-data-of-760-000.html

Former Employee Gets 18 Months for Revenge Cyber Attack (December 14, 2010)

A former employee of Florida's Suncoast Community Health Center has been sentenced to 18 months in federal prison for breaking into the organization's computer system. Patricia Marie Fowler was fired on March 13, 2009 for insubordination; four days later, she launched an attack, deleting records and passwords that prevented legitimate users from accessing the system. Following her release, Fowler will serve three years probation and will have to pay more than US $17,000 in restitution.

-http://www.theregister.co.uk/2010/12/14/healthcare_bofh_turned_hacker_jailed/

-http://tampa.fbi.gov/dojpressrel/pressrel10/ta120710.htm

EDITORIAL: "Accredit and Forget It": How Some U.S. Government Agencies Fib On Cyber Security (Alan Paller)

First a few words about how the system works: Before a federal system is allowed to go online, it must be given "Approval To Operate" (ATO) status. Only a Designated Accrediting Authority (DAA) is allowed to accredit a system and give it an ATO. Any security weaknesses exposed to the DAA generally needs to have a fix defined and scheduled for implementation and listed in an Information Technology (IT) Security Plan of Action and Milestones (POA&M). If there is no plan to fix the weaknesses, the system is not supposed to be granted ATO status. That's how the system works, but with one damaging addition. A lot of the most important fixes are not made - ever. They stay on the POA&M for so many months or years, without action, that the whole process has been given the nickname "accredit and forget it." Sometimes the agencies notice how long they have ignored an important action. When they do, they take it off the POA&M and put it back on, with a new start date. That way it doesn't look like it was ignored, even though it was. Then last week we learned from a contractor that one of the large civilian agencies has automated the process of changing the date. If an action has stayed on a POA&M for too long, the computers automatically change its start date so it appears to have been just added. That way it doesn't look like the agency is skimping on security. If senior executives in the White House want to wake up a the CIOs and show them security matters, they could make that "automated fibbing system" a very public career-ending mistake for the CIO of that agency.

---

**********************************************************************

The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Adv isory Capability (CIAC)


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.


Rohit Dhamankar is a security professional currently involved in independent security research.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer at the North American Energy Reliability Commission (NERC).


Alan Paller is director of research at the SANS Institute.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/