SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIII - Issue #72

September 09, 2011

Flash Notice: Microsoft just announced its September patches 4 days
early. You might well assume that this action reflects an
extraordinarily important set of patches. I won't give you a url - just
use your standard updating process.

An important, free online briefing on Friday the 16th tells you about
the new versions of the two most important security prioritization
guides: the 20 Critical Controls and the Australian 35 Mitigations and
"Sweet Spot." These are being adopted broadly across the US, Australia
and now Canada as the smart and cost-effective way to make investments
in security that mitigate known attacks. Unless your organization has
an unlimited security budget, you already know how important it is that
your spending focuses on what matters most; and these two guides are the
only authoritative answers to "what needs to be done and how much is
enough?" You may surprised at how few (just 4) controls are needed to
have a HUGE impact on radically lessening the spread of targeted attacks
(APT).

Register at
https://www.sans.org/webcasts/20-critical-controls-australian-top-4-effective-ut
ilization-improve-security-94704
Alan

---

TOP OF THE NEWS

Mozilla Demands Certificate Authorities Ensure Security
Microsoft Joins Mozilla and Google in Blocking DigiNotar Certificates
White House Wants Harsher Cyber Crime Penalties
Senators Want to be Sure Cyber Crime Bill Focuses on Serious Cyber Crime

THE REST OF THE WEEK'S NEWS

Security Breach Exposes Stanford University Hospital ER Patient Data
Microsoft and Adobe to Issue Security Updates Next Week
MediaNews Severs Business Relationship with Righthaven
Appeals Court Upholds Lower Court Order for DOJ to Hand Over Warrantless Cell Phone Tracking Info
Belgian Certificate Authority Investigating Attack Claims
Google to Address User-Generated Misinformation

---

************************ Sponsored By Symantec ***************************

Industry Report: Endpoint Protection Performance Benchmarks Check out how Symantec Endpoint Protection performs against competing solutions. PassMark Software conducted objective performance testing on five, publically available enterprise endpoint protection security software products. Get advanced threat prevention and protection against even the most sophisticated attacks that evade traditional security measures.
http://www4.symantec.com/Vrt/wl?tu_id=VIRS1314810960550458226 **************************************************************************

TRAINING UPDATE

-- SANS Network Security 2011, Las Vegas, NV, September 17-26, 2011 45 courses. Bonus evening presentations include Securing the Kids; Who is Watching the Watchers?; and Emerging Trends in the Law of Information Security and Investigations
http://www.sans.org/network-security-2011/

-- The National Security Architecture Workshop, DC, Sept. 29-30,2011 2-day workshop discussing techniques to ensure security is considered in every step of the development life cycle,
http://www.sans.org/baking-security-applications-networks-2011/

-- NCIC: The National Cybersecurity Innovations Conference, DC, Oct. 11-12, 2011 3 tracks - Cloud computing, Continuous Monitoring and Enterprise Mobile Security training
http://www.sans.org/ncic-2011/

--SANS Chicago 2011, Chicago, IL, October 23-28, 2011 6 courses. Bonus evening presentations include Computer Forensics in the Virtual Realm and Electrical Grid Security
http://www.sans.org/chicago-2011/

--SANS Seattle 2011, Seattle, WA, November 2-7, 2011 5 courses. Bonus evening presentations include Future Trends in Network Security; and Ninja Developers: Penetration Testing and Your SDLC
http://www.sans.org/seattle-2011/

--SANS San Francisco 2011, San Francisco, CA, November 14-19, 2011 6 courses. Bonus evening presentations include The Worst Mistakes in Cloud Computing Security; Offensive Countermeasures; and Watching the Wire at Home
http://www.sans.org/san-francisco-2011/

--EURO SCADA & Process Control System Security Summit, Rome, Dec 1-2, 2011 Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them.
http://www.sans.org/eu-scada-2011/

--SANS San Antonio 2011, San Antonia, TX, November 28-December 5, 2011 7 courses. Bonus evening presentations include Effective Methods for Implementing the 20 Critical Security Controls; and Assessing Deception: Are They Lying to You?
http://www.sans.org/san-antonio-2011/

--Looking for training in your own community?
http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Delhi, London, Baltimore and Singapore all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

****************************************************************************

---

TOP OF THE NEWS

Mozilla Demands Certificate Authorities Ensure Security (September 8, 2011)

Mozilla has given certificate authorities eight days to take steps to ensure that their systems are secure from attacks like the one that affected DigiNotar. The note from Kathleen Wilson, who oversees certificate authorities for Mozilla's Firefox browser and Thunderbird email client, requires the companies that participate in Mozilla's root program to take five steps to ensure the security of their certificates, including auditing their systems to check for evidence of breaches and "send
[ing ]
a complete list of CA certificates from other roots in
[Mozilla's ]
program that
[the companies' ]
roots have cross-signed."
-http://www.pcmag.com/article2/0,2817,2392674,00.asp
-http://www.theregister.co.uk/2011/09/08/mozilla_certificate_authority_audit/
-https://groups.google.com/group/mozilla.dev.security.policy/browse_thread/thread
/bf2deb09824418fb?pli=1
[Editor's Note (Pescatore): The CA/Browser Forum members should all be investing to drive higher levels of security in both the issuance and use of SSL. Browser to server SSL long ago lost any meaningful security gain for identification of either party at either end, with lax CA practices it is losing any real benefit for transport security, too.
(Ranum): Security was the entire premise of certificates to begin with. Of course, certificates were instead treated as a tax on internet commerce and everyone forgot that they had anything to do with security.
(Murray): (this comment also applies to next story): Better late than never. I doubt that MS or Mozilla contemplated 600+ root CAs (certificate authorities) when they undertook their programs. Given 600+ CAS, fraudulent certificates are inevitable. This is a method of dealing with fraudulent certificates that will not scale. It is time to implement CRLs. This will scale and it is cheaper and easier than we made the decision that they were too expensive to be efficient. Certificate Revocation Lists (CRLs) are a method for ensuring the currency of a certificate. (See also Online Certificate Status Protocol (OCSP). Before relying upon a certificate, a user may check a black list of certificates. Historically most using applications have opted not to use such a service, usually for performance or availability reasons. Until recently, that decision has not caused a problem. For more information see
-http://en.wikipedia.org/wiki/OCSP
Enterprises that are part of the security infrastructure cannot survive shoddy security. You can expect to hear about the liquidation of DigiNotar; its brand is damaged beyond repair. Anyone believe that DigiNotar is the only CA with no security?]

Microsoft Joins Mozilla and Google in Blocking DigiNotar Certificates (September 6, 7 & 8, 2011)

Microsoft released an out-of-cycle update for Windows to block all digital certificates issued by DigiNotar. The Dutch certificate authority has acknowledged a July security breach that has resulted in attackers coming into possession of more than 500 SSL certificates. The update has been delayed for a week in the Netherlands to allow the government there to replace affected certificates. Google and Mozilla updated their browsers last week to block DigiNotar certificates. Internet Storm Center:
-https://isc.sans.edu/diary.html?storyid=11515
-http://www.computerworld.com/s/article/9219746/Microsoft_flips_kill_switch_on_al
l_DigiNotar_certificates?taxonomyId=85
-http://www.h-online.com/security/news/item/Browser-makers-update-their-DigiNotar
-disaster-updates-1338144.html
-http://www.itwire.com/business-it-news/security/49637-microsoft-out-of-cycle-pat
ch-to-fix-diginotar-bogus-certificates

White House Wants Harsher Cyber Crime Penalties (September 7, 2011)

The Obama administration is seeking to update the Computer Fraud and Abuse Act (CFFA) to allow for more stringent penalties for people found guilty of cyber crimes. The legislative proposal would have CFFA offenses subject to penalties established under the Racketeering Influenced and Corrupt Organizations Act. Associate Deputy Attorney General James Baker and Secret Service Deputy Special Agent in Charge Pablo Martinez appeared before the Senate Judiciary Committee to argue the administration's position; they are particularly concerned with "complex and sophisticated electronic crimes
[that operate ]
in networks, often with defined roles for participants
[and that are ]
dedicated to stealing commercial data and selling it for profit."
-http://thehill.com/blogs/hillicon-valley/technology/179897
[Editor's Comment (Schultz): This Obama initiative is necessary and long overdue. Computer crime has lamentably evolved to the point that it presents such a high level of risk that much harsher measures are now needed to combat it.
(Northcutt): I have to agree, when a criminal can put a company out of business, or cause many individuals to suffer the pain of identity theft, and serve only two years behind bars, there is no effective deterrence. We need to make the punishment fit the crime. That said, the related article to this one is spot on, we need to make sure we are harshly punishing financial crimes, not the kids that change their grades in the school system network. (See the following story) ]

Senators Want to be Sure Cyber Crime Bill Focuses on Serious Cyber Crime (September 7, 2011)

Some Senate Judiciary Committee members have expressed concern about the White Houses' proposed changes to the CFFA. While they agree that the law must be amended to keep pace with current cyber threats, they wonder if the proposed changes to the law could be used to impose harsh penalties mismatch. Senators Patrick Leahy (D-Vermont) and Al Franken (D-Minnesota) would like to see the definition of illegal computer access defined more precisely so that DOJ can "concentrate on real cyber crimes, and not the minor things."
-http://gcn.com/articles/2011/09/07/cyber-crime-senate-hearing-cffa.aspx
-http://www.computerworld.com/s/article/9219799/Senators_push_for_changes_in_cybe
rcrime_law?taxonomyId=82

---

*************************** SPONSORED LINKS ******************************

1) Be entered in a drawing to WIN a $100 American Express gift card. Please take five minutes to help us improve the type and quality of Vendor Programs at SANS Conferences http://www.surveymonkey.com/s/5KKDLBF

2) SANS Analyst Webcast September 29, 1 PM EST: Integrating Security into Development Cycles, No Pain Required, featuring Senior SANS Analyst Dave Shackleford and IBM Rational's Karl Snyder. https://www.sans.org/webcasts/integrating-security-development-pain-required-946
49

****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Security Breach Exposes Stanford University Hospital ER Patient Data (September 8, 2011)

A data security breach discovered last month resulted in the exposure of the personal information of 20,000 patients seen at the emergency room of the Stanford University hospital over a six-month period in 2009. The compromised information included names and diagnosis codes. The data are contained in a spreadsheet created by a vendor as part of a billing and payment analysis. The hospital has severed business ties with the vendor and demanded that all hospital data the vendor held be returned or destroyed. A patient discovered the data breach and alerted the hospital on August 22. The hospital sent notification letters to affected patients four days later. The information was available on a public website for more than a year. Once the hospital learned of the breach, the data were quickly removed from the site.
-http://www.msnbc.msn.com/id/44443413/ns/technology_and_science-the_new_york_time
s/#.TmlDP-zQp8E
[Editor's Note (Murray): We are risking public trust and confidence in electronic health records just as they are starting get traction. No one should have sufficient privilege to copy more than a couple of records at a time. Contractors should not have unsupervised access. ]

Microsoft and Adobe to Issue Security Updates Next Week (September 8, 2011)

Microsoft and Adobe will both release security updates on Tuesday, September 13. Microsoft plans to issue five security bulletins to address a total of 15 vulnerabilities in Windows and Office that could be exploited to gain elevated privileges or execute code remotely. All five bulletins have maximum severity ratings of important. Adobe plans to issue critical updates for the Windows and Mac versions of Reader and Acrobat.
-http://www.scmagazineus.com/microsoft-adobe-announce-forthcoming-patches/article
/211504/
-http://www.eweek.com/c/a/Security/Microsoft-Plans-Patches-for-15-Bugs-in-Septemb
er-Patch-Tuesday-529745/
-http://technet.microsoft.com/en-us/security/bulletin/ms11-sep
-http://www.adobe.com/support/security/bulletins/apsb11-24.html

MediaNews Severs Business Relationship with Righthaven (September 7 & 8, 2011)

MediaNews Group is terminating its business relationship with Righthaven, the organization that has made headlines for suing bloggers and website owners for alleged copyright infringement for posting online content originally published in print publications. Righthaven was founded expressly "to monetize print news content through copyright infringement lawsuits." While some of the lawsuits it has filed have resulted in out-of-court settlements, judges have repeatedly told Righthaven that it does not have the legal standing to file the lawsuits in the first place.
-http://www.wired.com/threatlevel/2011/09/medianews-righthaven-dumb-idea/
-http://www.wired.com/threatlevel/2011/09/righthaven-on-life-support/

Appeals Court Upholds Lower Court Order for DOJ to Hand Over Warrantless Cell Phone Tracking Info (September 6 & 7, 2011)

The American Civil Liberties Union (ACLU) has called a recent ruling from the US Court of Appeals for the DC Circuit "a significant victory in the fight against warrantless tracking of Americans by their government." The court ordered the US Justice Department to surrender names and case docket numbers of cases in which it "accessed cell phone location data without a warrant." The court's order upholds a lower court ruling.
-http://news.cnet.com/8301-1009_3-20102518-83/justice-dept-loses-round-in-warrant
less-phone-tracking/?tag=mncol;title
-http://www.pcmag.com/article2/0,2817,2392591,00.asp
-http://www.aclu.org/blog/free-speech/aclu-wins-round-battle-against-warrantless-
cell-phone-location-tracking

Belgian Certificate Authority Investigating Attack Claims (September 7, 2011)

A Belgian certificate authority has stopped issuing certificates following an online post in which individual claimed to have accessed the company's servers. GlobalSign has temporarily halted issuing certificates while it investigates the claims. The individual claims to be the one who infiltrated DigiNotar's systems.
-http://www.bbc.co.uk/news/technology-14819257
-http://news.cnet.com/8301-1009_3-20102818-83/second-firm-stops-issuing-digital-c
ertificates/?tag=mncol;txt
[Editor's Note (Schultz): At one point digital certificates were almost viewed as a panacea. Recent events (including the theft of Comodo certificates not all that long ago) are forcing information security professionals to rethink this view. Additionally, the fact that certificate providers do not provide stronger protection for certificates that they issue is extremely troubling. ]

Google to Address User-Generated Misinformation (September 6, 2011)

Some companies have been complaining that their businesses are being erroneously listed as "permanently closed" on Google Maps and Google Places and that their attempts to remedy the situation do not last. Google has been allowing users to mark businesses as closed without vetting the changes. There is a "Not True" button, but it appears that those determined to undermine another business are persistent in their efforts to make it appear as though it has shut its doors. Google says it plans to implement precautions to prevent abuse of the system.
-http://www.informationweek.com/news/security/vulnerabilities/231600838

---

************************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/