SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XIII - Issue #15
February 22, 2011
MEASURING SECURITY EFFECTIVENESS: PROGRESS
Chief Information Security Officers (CISOs) from technology, financial,
and defense industrial base companies met at RSA last week to find a way
to work jointly to measure the effectiveness of security innovations and
security products. They are trying to make better decisions on where
to spend money, and they outlined an initial set of metrics that could
prove effective. They asked us at SANS to draw the larger security
community into the discussion. So if you feel you have expertise in this
arena and would like to participate, send us a description of a specific
measure of security effectiveness (one that would be valuable in large
organizations), and how it is used. Send it to apaller@sans.org with
subject: Security Effectiveness. Vendors are welcome as are integrators
and CISOs and others. If your measure looks promising, you'll be invited
to the table. Please do not email us without the example measure.
Alan
TOP OF THE NEWS
Australian Government Opens Consultation on Cybercrime Treaty
Cyber Security Bill Expressly Prohibits Internet Kill Switch
House Amendment to Spending Bill Hobbles FCC Net Neutrality Implementation
THE REST OF THE WEEK'S NEWS
Guilty Plea in eBay Fraud Case
Australian Communications Authority Questioning Telecoms About Data Security
ICE Acknowledges Error That Took Down .mooo Sites
New Technology Hinders FBI Wiretaps
Microsoft Addresses Silent Updates in Blog Posting
Microsoft Changes Stance on Internet Quarantining
Libya Cuts Internet, Bahrain Restricts Traffic
*************************************************************************
TRAINING UPDATE
-- North American SCADA Security 2011, Lake Buena Vista, FL, February 23-March 2. With special DHS/INL and NERC workshops plus hands-on immersion training.
http://www.sans.org/north-american-scada-2011/
-- SANS Phoenix 2011, Phoenix, AZ, February 25-March 2, 2011. 6 courses. Bonus evening presentations and special events include Indicators of Compromise: ABCs of IOCs; and Network Vulnerability Exploitation, Step By Step From Discovery through to Metasploit Module
http://www.sans.org/phoenix-2011/
-- SANS AppSec 2011: Summit & Training, San Francisco, CA, March 7-14, 2011. 7 courses. Bonus evening presentations and special events include The Road to Sustainable Security
http://www.sans.org/appsec-2011/
-- SANS 2011, Orlando, FL, March 26-April 4, 2011. 40 courses. Bonus evening presentations and special events include Hiding in Plain Sight: Forensic Techniques to Counter the Advanced Persistent Threat; and Law and the Public's Perception of Data Security
http://www.sans.org/sans-2011/
-- The National Cybersecurity Innovation Conference, April 18-19, 2011. User-to-user conference featuring outstanding examples of continuous monitoring and security cloud.
http://www.sans.org/cyber-security-innovations-2011/
-- "Combating Malware in the Enterprise" course at SANS (SEC569). How do you fight off malware when you have thousands of hosts? Learn the answers in Orlando in March:
http://www.sans.org/security-training/combating-malware-enterprise-1482-mid
-- 2011 Asia Pacific SCADA and Process Control Summit, Sydney, Australia, March 31-April 7, 2011
http://www.sans.org/sydney-scada-2011/
-- SANS Northern Virginia 2011, Reston, VA, April 15-23, 2011. 11 courses. Bonus evening presentations include Cyberwar or Business as Usual? The State of US Federal CyberSecurity Efforts
http://www.sans.org/northern-virginia-2011/
-- SANS Security West 2011, San Diego, CA, May 3-12, 2011. 23 courses. Bonus evening presentations include The Emerging Security Threat Panel Discussion; and Emerging Trends in Data Law and Investigation
http://www.sans.org/security-west-2011/
-- Looking for training in your own community?
http://sans.org/community/
Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current
Plus Singapore, Wellington, Barcelona, Amsterdam and Brisbane all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
*********** Sponsored by Raytheon Trusted Computer Solutions ***********
Managing OS security in large enterprise environments can be a daunting responsibility. Make it easy to consistently and predictably harden new or repurposed systems with Security Blanket, an automated tool for 'one click' hardening. Whether you lock down to industry guidelines or a customized profile, Security Blanket automatically hardens systems for you. Free trial available!
http://www.sans.org/info/71544
****************************************************************************
TOP OF THE NEWS
Australian Government Opens Consultation on Cybercrime Treaty (February 21, 2011)
The Australian government is seeking public comments on a proposed cyber crime treaty that would allow the government to order real-time network traffic data collection. Australia is considering signing the Council of Europe Convention on Cybercrime, which was established in 2004. Australia is in line with much of the treaty already, but the treaty's provisions for collection and storage of traffic data would require legislative amendments.
-http://www.securecomputing.net.au/News/248569,feds-seek-comments-on-cybercrime-treaty.aspx
-http://www.telecomseurope.net/content/australia-consults-cyber-crime-treaty
-http://www.theaustralian.com.au/australian-it/police-empowered-to-raid-net-for-crime/story-e6frgakx-1226008211518
Cyber Security Bill Expressly Prohibits Internet Kill Switch (February 18, 2011)
Legislation introduced in the US Senate late last week clarifies the intent of the bill's sponsors. The Cybersecurity and Internet Freedom Act specifically denies the President the "authority to shut down the Internet." The new language comes in response to reports that the bill's sponsors had written a provision for an Internet kill switch into the legislation. The new bill would require critical infrastructure operators and owners to address vulnerabilities on their networks.
-http://www.computerworld.com/s/article/9210339/Bill_would_prohibit_Internet_kill_switch_?taxonomyId=17
-http://hsgac.senate.gov/public/index.cfm?FuseAction=Press.MajorityNews&ContentRecord_id=3623b3da-5056-8059-7644-0dcbd7558317
[Editor's Note (Schultz): Opponents of giving the U.S. President the right to shut down the Internet are like those who oppose a mayor of a city being flooded by broken water mains being given the right to shut off the water. As useful as it is, the Internet is also capable of being used as a destructive weapon, and at least to some degree it has already been used in this way numerous times. Someone must have the authority to make decisions concerning its continued operation in case it is used outright as a weapon.
(Northcutt): There is a link to the .pdf of the proposed law in the senate.gov link, or you can use the one below. I just did a fast scan and didn't see anything onerous. In the winners and losers column, I noticed US-CERT seemed to be a winner and NIST a loser. I did not see anything saying federal employees and contractors would have to get security certifications; in one of the earlier versions there seemed to be language to that effect.
-http://hsgac.senate.gov/public/index.cfm?FuseAction=Files.View&FileStore_id=16941f6e-cccf-42c0-ab6e-ac6968f2c789 ]
House Amendment to Spending Bill Hobbles FCC Net Neutrality Implementation (February 17, 2011)
US legislators have voted for an amendment to HR 1, the congressional annual government funding bill, that would bar the Federal Communications Commission (FCC) from using any of the funds it receives to implement the net neutrality rules it proposed in December 2010. House Republicans say the FCC's plan overreaches its authority. The bill now goes to the Senate.
-http://voices.washingtonpost.com/posttech/2011/02/house_votes_to_stop_funds_for.html
-http://www.computerworld.com/s/article/9210159/House_passes_defunding_of_Net_neutrality_rules
*************************** Sponsored Links: *****************************
1) Special Webcast February 23: How to Avoid Being Compromised! Featuring Dr. Eric Cole, Part 1 http://www.sans.org/info/70078
************************************************************************************
THE REST OF THE WEEK'S NEWS
Guilty Plea in eBay Fraud Case (February 18, 2011)
Adrian Ghighina has pleaded guilty to conspiracy and wire fraud for his role in a scheme that defrauded customers of eBay and other online marketplaces of US $2.7 million. Ghighina, who is Romanian, entered his plea in US District Court in Illinois. He acted as a transaction middleman, collecting payments for non-existent merchandise and sending them to his co-conspirators, minus a 20 to 40 percent fee. Ten other people have already been charged in connection with the scheme. As part of the scam, people took over legitimate accounts and used phony escrow services. More than 1,000 people are believed to have been affected.
-http://www.theregister.co.uk/2011/02/18/romanian_auction_fraudster_pleads_guilty/
-http://www.justice.gov/opa/pr/2011/February/11-crm-206.html
Australian Communications Authority Questioning Telecoms About Data Security (February 18, 2011)
Following Vodafone's exposure of customer data, the Australian Communications and Media Authority (ACMA) is starting to crack down on other telecommunications providers. Ten major players in Australia's telecommunications market have been contacted by ACMA, which is seeking answers to questions about how each company handles customer information security.
-http://www.theage.com.au/technology/technology-news/crackdown-on-telco-privacy-after-vodafone-bungle-20110218-1az3j.html
ICE Acknowledges Error That Took Down .mooo Sites (February 18, 2011)
The US Department of Homeland Security's (DHS) Immigration and Customs Enforcement (ICE) has acknowledged that in the course of an operation to shutter sites allegedly trafficking in child pornography, 84,000 non-offending web subdomains were inadvertently taken offline as well. ICE took down the entire .mooo domain instead of targeting specific sites. It took about three days for the sites to be fully restored.
-http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=229218959&cid=RSSfeed_IWK_All
-http://www.techdirt.com/articles/20110220/17533013176/ice-finally-admits-it-totally-screwed-up-next-time-perhaps-itll-try-due-process.shtml
New Technology Hinders FBI Wiretaps (February 17, 2011)
FBI general counsel Valerie Caproni told legislators that the proliferation of web-based email, social networking sites and peer-to-peer services is making it more difficult for her agency to conduct wiretaps. Many of the new services are not covered under the Communications Assistance for Law Enforcement Act (CALEA), which requires wiretapping capabilities in communications systems. Caproni said she is not seeking the expansion of CALEA powers, but did not offer any immediate solutions to the problem.
-http://www.computerworld.com/s/article/9210121/FBI_Web_based_services_hurting_wiretapping_efforts?taxonomyId=84
-http://www.securecomputing.net.au/News/248715,fbi-eyes-p2p-webmail-for-wire-tapping.aspx
Microsoft Addresses Silent Updates in Blog Posting (February 16, 2011)
Microsoft has admitted that it has been issuing "silent" updates for some time. The fixes are not documented in security bulletins and are usually delivered to address variants of vulnerabilities for which fixes have already been issued.
-http://www.theregister.co.uk/2011/02/16/ms_silent_security_fix_rationale/
-http://blogs.technet.com/b/srd/archive/2011/02/14/additional-fixes-in-microsoft-security-bulletins.aspx
Microsoft Changes Stance on Internet Quarantining (February 15 & 18, 2011)
Microsoft's Scott Charney has had a change of heart about where the responsibility for keeping inadequately protected machines off the Internet should lie. Last year at the RSA conference, Charney, who is Corporate VP for Trustworthy Computing, said that ISPs should take the lead, possibly scanning machines and quarantining those deemed unsafe. Speaking again at RSA this year, Charney says he "realize[s] that there are many flaws with that model." Users may perceive the scans as invasive, and an unpatched machine could keep someone who uses it for communication from reaching emergency services. The biggest stumbling block, said Charney, is the cost imposed on ISPs. The new position would have web service providers impose requirements on users.
-http://www.pcworld.com/businesscenter/article/219728/microsoft_has_a_change_of_heart_on_how_to_keep_internet_safe.html
-http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=229218672&subSection=All+Stories
-http://www.h-online.com/security/news/item/Microsoft-backtracks-over-internet-quarantine-1192691.html
[Editor's Note (Pescatore): The economics make *more* sense for ISPs to play a role in blocking compromised PCs, as the ISPs' bandwidth gets consumed by those machines trying to infect everyone else. This will become even more true as wireless Internet access increases. It is also always better to address the problem as far upstream as possible.
(Ranum): Scott is really doing some amazing contortions to avoid having to address the simple fact that Microsoft's products could be better than they are. ]
Libya Cuts Internet, Bahrain Restricts Traffic (February 15, 18 & 21, 2011)
There are reports that Internet access in Libya has been shut down. In that country, the "Internet is essentially owned and controlled by the government through a telecommunication company," which is chaired by the eldest son of Moammar Gadhafi. The government of Bahrain has reportedly restricted Internet traffic and blocked access to YouTube in an effort to impede protesters' momentum. The government claims the Internet traffic is lower because connections are overwhelmed. Last week, US Secretary of State Hillary Clinton announced her department's policy on Internet freedom.
-http://www.eweek.com/c/a/Security/Bahrain-Restricts-Internet-Traffic-Blocks-YouTube-in-Crackdown-on-Protests-386152/
-http://www.computerworld.com/s/article/9210440/Update_As_violence_escalates_Libya_cuts_off_the_Internet?taxonomyId=17
-http://www.zdnet.com/blog/networking/libya-turns-off-the-internet-and-the-massacres-begin/711
-http://www.ibtimes.com/articles/114678/20110221/libya-bahrain-could-try-internet-kill-switch.htm
-http://www.nytimes.com/2011/02/15/world/15clinton.html?_r=2&hp
[Editor's Note (Schultz): We've all realized that over the years the Internet has opened new horizons and dimensions for people. What some of us have not really seen until recent years is that the Internet can also serve as a powerful catalyst for political change, particularly in countries in which dictators have ruled for years.
(Honan): The recent happenings in Tunisia, Bahrain, Egypt and now Libya should serve as a warning to companies considering outsourcing services to countries with regimes that control access to the Internet in a similar way. Those companies should conduct a proper risk assessment for the services being outsourced and look at business continuity options in the event Internet access is cut off. Even if your company is not outsourcing directly to these countries you should question your suppliers whether they do in order to ensure the security of your supply chain. ]
************************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.
Rohit Dhamankar is a security professional currently involved in independent security research.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/