SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIII - Issue #22

March 18, 2011

TOP OF THE NEWS

RSA Deeply Penetrated; Says SecurID Information Stolen
Proposed Legislation Would Replace FISMA Paperwork with Real-Time Monitoring
Private Sector Needs to Do a Better Job on Cyber Security

THE REST OF THE WEEK'S NEWS

Judge OK's Sony's Request to Subpoena Hotz's PayPal Records
Rustock Botnet Offline
RIM Suggests Disabling JavaScript
Flash Fixed in Chrome
Twitter Offers Automatic Secure Connection Option
Judge Mulling How Much to Charge ACS Law for Questionable Lawsuits
Home WiFi Users Lack Understanding of Security
GAO Finds Unresolved Data Security Issues at IRS
How Can You Tell The Difference Between Amateur And Effective Penetration Testers

---

*****************************************************************
TRAINING UPDATE
- -- "Combating Malware in the Enterprise" course at SANS (SEC569). How do you fight off malware when you have thousands of hosts? Learn the answers in Orlando in March:
http://www.sans.org/security-training/combating-malware-enterprise-1482-mid

- -- SANS 2011, Orlando, FL, March 26-April 4, 2011 40 courses. Bonus evening presentations and special events include Hiding in Plain Sight: Forensic Techniques to Counter the Advanced Persistent Threat; and Law and the Public's Perception of Data Security
http://www.sans.org/sans-2011/

- -- The National Cybersecurity Innovation Conference, April 18-19, 2011 User-to-user conference featuring outstanding examples of continuous monitoring and security cloud.
http://www.sans.org/cyber-security-innovations-2011/

- -- 2011 Asia Pacific SCADA and Process Control Summit, Sydney, Australia, March 31-April 7, 2011
http://www.sans.org/sydney-scada-2011/

- -- SANS Northern Virginia 2011, Reston, VA, April 15-23, 2011 11 courses. Bonus evening presentations include Cyberwar or Business as Usual? The State of US Federal CyberSecurity Efforts
http://www.sans.org/northern-virginia-2011/

- -- The National Cybersecurity Innovation Conference, April 18-19, 2011 User-to-user conference featuring outstanding examples of continuous monitoring and security cloud.
https://www.sans.org/cyber-security-innovations-2011/

- -- SANS Security West 2011, San Diego, CA, May 3-12, 2011 23 courses. Bonus evening presentations include The Emerging Security Threat Panel Discussion; and Emerging Trends in Data Law and Investigation
http://www.sans.org/security-west-2011/

- -- SANS Cyber Guardian 2011, Baltimore, MD, May 15-22, 2011 8 courses.
http://www.sans.org/cyber-guardian-2011/

- -- Looking for training in your own community?
http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Barcelona, Amsterdam, Brisbane and London all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
********************* Sponsored by Tripwire, Inc. ***********************
New SANS Analyst Program Webcast: Debunking Continuous Monitoring Myths May 17, 1PM EDT Learn what holds organizations back from implementing continuous monitoring and where to get started. Featuring Eugene E. Schultz and Steve Johnston

http://www.sans.org/info/73027
****************************************************************************

---

TOP OF THE NEWS

RSA Deeply Penetrated; Says SecurID Information Stolen (March 17 & 18, 2011)

An "extremely sophisticated cyber attack against RSA" may have compromised the security of RSA SecurID two-factor authentication products. In an attack preliminarily identified as an Advanced Persistent Threat, digital information relating to SecurID tokens was stolen from RSA systems. The company is contacting customers to let them know of the breach and to offer suggestions for "strengthen
[ing ]
their SecurID implementations." Forty million SecurID tokens have been deployed; they are often used to conduct financial transactions and at government agencies.
-http://news.cnet.com/8301-27080_3-20044455-245.html
-http://www.wired.com/threatlevel/2011/03/rsa-hacked/
-http://www.bbc.co.uk/news/technology-12784491
-http://blogs.computerworld.com/17995/rsa_securid_hacked_2fa_fob_and_software_com
promise
-http://www.nytimes.com/2011/03/18/technology/18secure.html?src=busln
-http://www.rsa.com/node.aspx?id=3872
">
-http://www.rsa.com/node.aspx?id=3872

The letter to customers from RSA is at
-http://www.rsa.com/node.aspx?id=3872
">
-http://www.rsa.com/node.aspx?id=3872


[Editor's Note (Paller): APT attacks use three primary infection vectors and each has a corresponding "most-effective" defense. This RSA attack used the least common of the three according to insiders who are doing the investigation. Sadly, it appears that RSA users are not protected by any of the three defenses.
(Skoudis): This story has major importance because organizations are increasingly depending on two-factor authentication. I imagine some very hard questions are going to be asked (and perhaps answered only behind closed doors) about RSA's security practices. Also, if there is a significant weakness in the implementation of SecurID tokens, servers, or other components of their suite, we may be in for a major redeployment. Likewise, if the bad guys stole seeds for deployed customer tokens, we may face a recall of some tokens. ]

Proposed Legislation Would Replace FISMA Paperwork with Real-Time Monitoring (March 17, 2011)

US Representative James Langevin (D-Rhode Island) has introduced a bill that would replace the paper-intensive compliance requirements of the Federal Information Security Management Act (FISMA) with automated, continuous monitoring. The Executive Cyberspace Coordination Act would also create a National Office of Cyberspace in the White House and increase the Department of Homeland Security's (DHS) authority over private networks that are part of the country's critical infrastructure.
-http://www.govinfosecurity.com/articles.php?art_id=3437&opg=1
-http://www.infosecurity-us.com/view/16703/house-bill-would-expand-dhs-authority-
over-private-networks/
[Editor's Note (Pescatore): Continuous monitoring sounds good, but if it is the usual unfunded mandate it will be a disaster. Government agencies are not being given the procurement funds or the staff to improve security, which should be the top priority and done before changing how the lack of security is measured. (Paller): The agencies are FULLY funded to do continuous monitoring. The money that was previously allocated to periodic reporting (3-ring binders every three years) is $300 million per year. With shared procurement, that is enough money to implement continuous monitoring and to make it increasingly effective over the next 12, 24 and 36 months. CIOs who waste this money by allowing their CISOs to continue contracting for the useless 3-year reporting are going to become very visible and very embarrassed in the press and through Congressional oversight. See Senate subcommittee chairman's Carper's statement at:
-http://hsgac.senate.gov/public/index.cfm?FuseAction=Hearings.Hearing&Hearing
_id=8505fb0f-bf9b-4bb4-9e25-e71154391202
and if you want to see Vivek Kundra's testimony talking about the waste from the "culture of compliance" before the House (posted at the Federal CIO Council site):
-http://www.cio.gov/pages.cfm/page/Vivek-Kundra-Testimony-Federal-Information-Sec
urity]

(Pescatore): The other language in the bill has the usual mix of some good ideas (use government procurement to drive more secure products) with the usual vague language about control over critical infrastructure and partnership with private industry that has been used in various bills for over a decade now. ]

Private Sector Needs to Do a Better Job on Cyber Security (March 16, 2011)

James Lewis, senior fellow at the Center for Strategic & International Studies, told the House Homeland Security Committee that the private sector is not doing a good enough job of defending US cyber space. Eighty-five percent of the country's critical infrastructure is privately owned, but those companies have not made the necessary investments to protect those systems because it doesn't provide a quantifiable return on investment. Lewis provided a list of major cyber security events that have occurred since January 2010. While acknowledging that "regulation is unpleasant," Lewis told lawmakers that "in some cases, the alternative is worse. Cyber security is one such case."
-http://www.nextgov.com/nextgov/ng_20110316_8174.php?oref=topnews
-http://www.govinfosecurity.com/articles.php?art_id=3440
-http://www.msnbc.msn.com/id/42119311/ns/technology_and_science-security/
[Editor's Note (Schultz): I agree with Lewis. Whatever strategy is currently in place to secure the US critical infrastructure clearly is not working. No one likes regulation, but regulation presently looks like the lesser of two evils.
(Pescatore): There is no lack of existing regulation around cyber security but, other than the FTC, there is a major lack of examples of existing regulatory agencies *using* existing regulations to actually drive improvements in security. I'd like to see the focus start on asking "How can the FTC model be copied by other existing government regulatory agencies." ]

---

*************************** Sponsored Links: *****************************
1) DoD 8570 and/or GIAC approved certification exam coming? Immerse yourself at SANS Northern Virginia 2011. http://www.sans.org/info/69743
****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Judge OK's Sony's Request to Subpoena Hotz's PayPal Records (March 16 & 17, 2011)

A US District Court Judge in California has granted Sony's request to subpoena the PayPal records of George Hotz, who has gained notoriety for posting jailbreak code for Sony's PlayStation 3 (PS3) gaming console. Sony wants to view the records to see if some of the money he received came from Northern California so that they can bring their lawsuit in California instead of New Jersey, where Hotz lives. US Magistrate Judge Joseph C. Spero said Sony would be granted limited access to the information. Earlier this month, Sony was granted subpoenas for the web hosting company Hotz used to obtain the IP addresses of everyone who visited Hotz's website over the last 26 months. Sony also obtained permission to subpoena Hotz's records from Twitter, Google and YouTube.
-http://news.cnet.com/8301-13506_3-20044275-17.html
-http://www.theregister.co.uk/2011/03/16/geohot_paypal_records_subpoena/
-http://www.wired.com/threatlevel/2011/03/playstation-hacker-paypal/

Rustock Botnet Offline (March 16 & 17, 2011)

The Rustock botnet, which at one point was responsible for as much as 48 percent of all spam worldwide, appears to be offline. Last year, Rustock sent out more than 44 billion spam messages a day. Rustock stopped sending out spam on March 16, and researchers are not clear what is responsible for its silence. The sudden and severe drop in traffic from Rustock suggests that it may be the target of a coordinated takedown effort, although no one has taken credit.
-http://www.csoonline.com/article/677342/rustock-botnet-goes-quiet-reason-for-tak
edown-unclear
-http://content.usatoday.com/communities/technologylive/post/2011/03/good-guys-ta
ke-down-notorious-rustock-spamming-botnet/1
-http://krebsonsecurity.com/2011/03/rustock-botnet-flatlined-spam-volumes-plummet
/
-http://www.pcmag.com/article2/0,2817,2382167,00.asp
[Editor's Note (Honan): It appears the takedown was a coordinated effort involving Microsoft and US Law Enforcement. A big kudos to all involved in what is a very effective, yet difficult to execute, exercise.
-http://online.wsj.com/article/SB10001424052748703328404576207173861008758.html]

RIM Suggests Disabling JavaScript (March 15 & 16, 2011)

BlackBerry parent company research in Motion (RIM) is urging users to disable JavaScript in the devices' browser to protect them from attacks that exploit a flaw disclosed at a recent hacking contest. The flaw affects the WebKit browser engine in BlackBerry Device Software version 6.0 and later and could be exploited to allow remote code execution. The flaw is not in JavaScript, but JavaScript is necessary to exploit the flaw.
-http://www.h-online.com/security/news/item/BlackBerry-hole-RIM-recommends-workar
ound-1209109.html
-http://www.zdnet.com/blog/security/rim-disable-javascript-in-blackberry-browser/
8445?tag=content;search-results-rivers
[Editor's Note (Honan): Here is the link to RIM's security advisory which outlines how to disable JavaScript on their devices
-http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&extern
alId=KB26132]

Flash Fixed in Chrome (March 16 & 17, 2011)

Google has updated its Chrome browser to fix a vulnerability in Flash Player. Other browsers have to wait until the week of March 21, when Adobe releases an out-of-band update for Flash. The vulnerability is being actively exploited through maliciously crafted Excel documents that arrive as email attachments. Chrome pushes out its fixes automatically.
-http://www.eweek.com/c/a/Security/Google-Chrome-Upgraded-to-Fix-Adobe-Flash-Flaw
-583730/
-http://www.computerworld.com/s/article/9214689/Google_first_to_patch_Flash_bug_w
ith_Chrome_update?taxonomyId=17

Twitter Offers Automatic Secure Connection Option (March 16, 2011)

Twitter now offers users the option of always connecting to Twitter.com with HTTPS, which encrypts communication between the users' computers and Twitter's servers and helps prevent attackers from stealing sensitive data. Before the change, users who wanted to connect to Twitter securely had to enter HTTPS manually in the browser bar, but now they can configure their accounts so they are automatically connected with HTTPS. It is an especially good idea for people who access their twitter accounts over unsecured wireless connections. Twitter's mobile website still requires users to manually enter HTTPS. Twitter hopes eventually to make HTTPS the default setting.
-http://www.computerworld.com/s/article/9214680/Twitter_adds_option_to_always_use
_HTTPS_connection?taxonomyId=17
-http://www.theregister.co.uk/2011/03/16/twitter_adds_https_opt_in_tick_box/
-http://www.bbc.co.uk/news/technology-12759922
-http://www.h-online.com/security/news/item/Twitter-adds-Always-use-HTTPS-option-
1209032.html
-http://www.washingtonpost.com/blogs/faster-forward/post/twitter-enables-always-o
n-ssl-encryption/2011/03/15/ABYLjcZ_blog.html
[Editor's Comment (Northcutt): This is a step in the right direction. Now our awareness programs need to also persuade our people to not accept invalid certificates and we are on our way to progress!
-http://www.securityfocus.com/brief/910]

Judge Mulling How Much to Charge ACS Law for Questionable Lawsuits (March 16 & 17, 2011)

Lawsuits brought against alleged illegal filesharers in the UK by ACS Law have been officially closed at the request of an attorney for the defendants. Senior Patent Court Judge Colin Birss will consider whether ACS Law should be responsible for paying the defendants' costs. A law firm representing five of those alleged filesharers is seeking GBP 90,000 (US $145,000). Andrew Crossley, founder of ACS Law, allegedly engaged in "speculative invoicing," a practice in which people were sent letters threatening legal action if they did not pay a fine of GBP 500 (US $800). An estimated 10,000 people received letters from ACS Law. It appeared that ACS Law never intended to bring any of the cases to court. Crossley did eventually bring 27 cases to court, but then sought to have the cases dropped. Judge Birss refused to let the cases drop and turned his focus to the law firm's practices.
-http://www.guardian.co.uk/technology/2011/mar/17/acs-law-file-sharing
-http://www.theregister.co.uk/2011/03/17/acs_law_cases_closed_judge_considers_cos
ts/
-http://www.bbc.co.uk/news/technology-12767714

Home WiFi Users Lack Understanding of Security (March 16 & 17, 2011)

According to a survey from the UK Information Commissioner's Office (ICO), nearly half of home computer users who have WiFi networks do not understand WiFi security settings. Most Internet service providers (ISPs) now set up and install customers' WiFi security settings, but 40 percent of WiFi users do not understand those settings and 16 percent are either using an unsecured network or do not know if their network is secured. ICO head of policy Steve Wood pointed to Google's Street View data collection vehicles gathering information from unprotected networks as evidence that users need to be aware of their network settings.
-http://www.infosecurity-magazine.com/view/16701/ico-says-40-of-wireless-home-int
ernet-users-have-no-knowledge-of-wifi-security/
-http://www.scmagazineuk.com/wifi-security-settings-confuse-home-users/article/19
8474/
[Editor's Note (Honan): The UK's Information Commissioner's Office has also published a guideline for home users on how to secure their wireless networks
-http://www.ico.gov.uk/for_the_public/topic_specific_guides/wifi_security.aspx]

GAO Finds Unresolved Data Security Issues at IRS (March 16, 2011)

While the US Internal Revenue Service (IRS) has made some progress in improving the security of taxpayer information, the agency still needs to work on preventing unauthorized access to systems. A two-year audit conducted by the Government Accountability Office (GAO) found a number of problems, including failure to restrict users' access to only the information necessary to do their jobs. Seventy-four percent of previously identified security issues at the IRS have still not been resolved. The GAO identified 37 new security issues in the audit.
-http://www.informationweek.com/news/government/security/showArticle.jhtml?articl
eID=229301206
-http://fcw.com/articles/2011/03/16/gao-irs-audit-information-security.aspx
-http://www.gao.gov/new.items/d11308.pdf

How Can You Tell The Difference Between Amateur And Effective Penetration Testers (March 15, 2011)

In an interview, security architect Stephen Sims discusses what skills help make a good penetration tester and describes how to manage the ethical challenges the job presents. Sims says that some good prerequisites for a penetration tester include exposure to a variety of technology; knowledge of a scripting language; experience with reverse engineering; communication, and creativity. He also talks about the value of ethical hacking certifications, explaining that some are better than others, and acknowledging that "professionals who take the time to study and take certifications demonstrate a strong work ethic." Sims also addresses the tools that professionals use to address the ethical questions that arise in this line of work: rules of engagement, statement of work and scoping processes.
-http://www.net-security.org/article.php?id=1573

---

************************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/