
Tuesday, February 24, 2009

SANS NewsBites Vol. 11 Num. 15

Cool new gift to the security community from the folks at the Internet
Storm Center: a daily summary of information security events as a 5-10
minute "stormcast". See: isc.sans.org/podcast.html , or search iTunes
for "Stormcast". Each Stormcast is made available between 0 and 3am GMT,
so it is ready for many readers' morning commute.

The sleeper story of the year is the first one. The CAG will
revolutionize first federal and defense industrial base cyber security,
then security product procurement, and then (very quickly) banking
security and critical infrastructure security. If you work in any place
with data that really matters, test your current controls against what
is published in the CAG (don't check whether you have policies; rather,
use the measures of effectiveness in the CAG to test the quality of your
controls). For consultants, the biggest new business opportunities will
go to the large consulting companies who are first to make the
transition from FISMA reporting or ISO auditing to CAG implementation
and testing.

Alan
*************************************************************************
SANS NewsBites February 24, 2009 Vol. 11, Num. 15
*************************************************************************
TOP OF THE NEWS
US Consortium Releases Consensus Security Audit Guidelines
Nevada Bill Will Be Amended to Avoid Criminalizing RFID Research
Proposed Legislation Would Require Retention of Internet Use Data for Two Years
Another Payment Processor Security Breach
THE REST OF THE WEEK'S NEWS
LEGAL ISSUES
Starbucks Facing Lawsuit Over Laptop Theft
POLICY AND LEGISLATION
Pending NZ Copyright Law Put On Hold
VULNERABILITIES
US-CERT Warns of Proxy Server Flaw
DATA BREACHES, LOSS & EXPOSURE
Three Breaches at Univ. of Florida Gainesville in as Many Months
ATTACKS & ACTIVE EXPLOITS
Targeted Attacks Exploit Unpatched Adobe Flaw
Unauthorized Patch Posted for Adobe Flaw
STUDIES AND STATISTICS
More Than Half of Former Employees Took Company Data

************************* Sponsored By Q1 Labs **************************

Leverage Log Management to Boost Your Enterprise IT Security: Collect
and manage event logs from your entire IT infrastructure; Effectively
reduce and prioritize millions of network and security events; Quickly
and easily search and report on events in real time and over an extended
period of time. A COMPLIMENTARY WHITE PAPER FOR SANS READERS:
http://www.sans.org/info/38964
*************************************************************************
TRAINING UPDATE
- - SANS 2009 in Orlando in early March - the largest security training
conference and expo in the world. Lots of evening sessions:
http://www.sans.org/

- - Looking for training in your own Community? http://sans.org/community/
For a list of all upcoming events, on-line and live: www.sans.org
*************************************************************************

TOP OF THE NEWS
--US Consortium Releases Consensus Security Audit Guidelines
(February 23, 2009)
A consortium of security experts from government and industry has
released the Consensus Audit Guidelines (CAG), a list of 20 controls
that government and private industry organizations must implement to
protect against and mitigate the effects of cyber attacks. For each
control, the CAG details attacks that it stops or mitigates, how to
implement and automate the control, and how to determine whether the
control is implemented effectively. The CAG consortium includes the
organizations that know how actual attacks are being executed (NSA Red
and Blue teams, US-CERT, DC3, DoE Nuclear labs, and more). The CAG is
available for public comment through March 23, 2009. The full guidelines
may be found at: http://www.sans.org/cag/
http://www.theregister.co.uk/2009/02/23/cybersecurity_gold_standard/ http://news.cnet.com/8301-1009_3-10169583-83.html?part=rss&subj=news&tag=2547-1009_3-0-20
http://fcw.com/Articles/2009/02/23/cyber-controls.aspx
http://federaltimes.com/index.php?S=3957648
http://www.informationweek.com/news/security/government/showArticle.jhtml?articleID=214502467&subSection=News
[Editor's Note (Northcutt): I hope you will take a few minutes out of
your busy day and take a look at these. You are going to see some
initials to the left of the controls. QW stands for Quick Win. The big
suggestion I have is to look over the quick wins and see if you can get
a few of those in place. Great job on these and I hope we start to see
thought leaders take advantage of this.]

--Nevada Bill Will Be Amended to Avoid Criminalizing RFID Research
(February 20, 2009)
A bill currently before the Nevada state legislature would effectively
criminalize the activity of people researching radio frequency
identification (RFID) security threats. The bill's sponsor plans to
introduce amendments to ensure it will not affect people conducting
legitimate research. Currently, the bill makes it a felony to "possess,
read or capture another person's personal identifying information
through radio frequency identification." Nevada hosts two well-known
conferences, Defcon and Black Hat, at which demonstrations of RFID
weaknesses are likely events.
http://www.theregister.co.uk/2009/02/20/nevada_rfid_skimming_bill/
http://news.cnet.com/8301-1009_3-10168749-83.html?part=rss&subj=news&tag=2547-1009_3-0-20
http://www.leg.state.nv.us/75th2009/Bills/SB/SB125.pdf

--Proposed Legislation Would Require Retention of Internet Use Data for Two Years
(February 20, 2009)
US legislators have introduced a bill that would require extensive
logging of Internet use. The proposed legislation aims to help police
with investigations. All ISPs and wireless access point operators would
be required to retain logs of users' activity for a minimum of two
years. The law would apply not only to large ISPs, but also to private
homes that have wireless access points or wired routers that use the
Dynamic Host Configuration Protocol as well as small businesses,
libraries, schools and government agencies.
http://www.cnn.com/2009/TECH/02/20/internet.records.bill/index.html?eref=rss_tech
[Editor's Note (Northcutt): That is really nifty, an economic stimulus
package for disk drive manufacturers! Seriously, this is a dumb idea,
fraught with problems: how are we going to collect that volume of
information, then how do we protect it, and what do we do when it is
misused?
(Ranum): Absurd. Basically, they are proposing to require extensive
logging of usage patterns for every single internet access point in the
US. It amounts to an enormous unfunded mandate to home users,
cybercafes, airport wireless terminals, hotels, etc. The malefactors
targeted by this law - presumably child porn traders and terrorists and
whatnot - would be able to easily hide their actions anyway.
(Ullrich): At the ISC, this issue has been the focus of our reader
comments this week. I would like to quote one of them, provided by Jerry
Rose: "This is like the difference between policies and procedures. The
law needs to be like policies. It must be worded to stand the test of
time - independent of changing technologies. Procedures must change
often in order to keep up with technological changes. This would be
represented by the method of prosecution of a defendant."]

--Another Payment Processor Security Breach
(February 23, 2009)
Advisories on the websites of several financial institutions suggest
that a cyber security breach has occurred at an as yet unnamed card
payment processor; this incident is separate from the Heartland Payment
Systems breach. The Tuscaloosa Federal Credit Union issued a statement
saying that "while it has been confirmed that malicious software was
placed on the processor's platform, there is no evidence that accounts
were viewed or taken by the hackers." The compromised data in this
breach include account numbers and expiration dates of payment cards
used in card-not-present transactions over the course of the last 12
months. Visa and MasterCard have started notifying banks affected by
the breach.
http://www.securityfocus.com/brief/913
http://www.databreaches.net/?p=1686
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9128429&source=rss_topic17
http://www.alabamacu.com/moreServices/idTheft.html
http://www.tvacu.com/tvacu/News.asp?111

********************* SPONSORED LINKS *********************************
1) What are the ten technical tips most penetration testers don't know
but should? Penetration Testing and Ethical Hacking Summit June 1-2.
http://www.sans.org/info/38969

2) Read Stephen Northcutt's interview with John Pirc of IBM on the topic
of Securing the Intelligent Network.
http://www.sans.org/info/38974
*************************************************************************

THE REST OF THE WEEK'S NEWS
LEGAL ISSUES
--Starbucks Facing Lawsuit Over Laptop Theft
(February 23, 2009)
A Starbucks employee has filed a class action lawsuit against the
company in response to a data security breach that occurred in October
2008. A laptop containing the names, addresses and Social Security
numbers (SSNs) of approximately 97,000 Starbucks employees was stolen
last fall; the suit alleges fraud and negligence, and seeks an extension
of the one year of credit monitoring the company offered as well as
unspecified damages and assurances that Starbucks will be required to
undergo regular third party security audits.
http://www.networkworld.com/news/2009/022309-starbucks-sued-after-laptop-data.html

POLICY AND LEGISLATION
--Pending NZ Copyright Law Put On Hold
(February 20 & 23, 2009)
New Zealand Prime Minister John Key has delayed the effective date of
an impending copyright law by one month due to physical and digital
protests that the proposed legislation goes too far. The law would
require Internet service providers (ISPs) to sever the connections of
individuals suspected of repeat copyright infringement. Prime Minister
Key is hopeful that by March 27 a "voluntary code of practice" can be
worked out; if not, Section 92A, as the amendment to the Copyright Act
is known, will be suspended.
http://news.cnet.com/8301-1023_3-10169519-93.html
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9128330&source=rss_topic17

VULNERABILITIES
--US-CERT Warns of Proxy Server Flaw
(February 23, 2009)
The US Computer Emergency Readiness Team (US-CERT) has issued a warning
about an architectural flaw in some proxy servers that could be
exploited by attackers to connect "to any website or resource the proxy
can connect to," including Intranets that should be off limits. Several
dozen products have been updated; administrators should ensure they have
installed the most recent versions to secure their networks.
http://www.kb.cert.org/vuls/id/435052
http://www.theregister.co.uk/2009/02/23/serious_proxy_server_flaw/

DATA BREACHES, LOSS & EXPOSURE
--Three Breaches at Univ. of Florida Gainesville in as Many Months
(February 22, 2009)
The University of Florida in Gainesville has reportedly experienced
three data security breaches in a three month period. The most recent
incident involved a server that allowed faculty to host online course
material and exposed personally identifiable information of 97,200
faculty, staff and students who were active at the university between
1996 and 2009. A breach in January of this year involved an LDAP
Directory Server configuration error and exposed personally identifiable
information of about 100 people. Finally, in November 2008, an
intrusion compromised personally identifiable information of more than
330,000 current and former College of Dentistry patients who had been
seen at the school since 1990.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=knowledge_center&articleId=9128398&taxonomyId=1&intsrc=kc_top

ATTACKS & ACTIVE EXPLOITS
--Targeted Attacks Exploit Unpatched Adobe Flaw
(February 19 & 20, 2009)
Targeted attacks exploiting an unpatched critical vulnerability in Adobe
Reader have been detected. The flaw is known to affect Adobe Reader
versions 8.1.3 and 9.0.0 running on Windows XP SP3; other versions of
Windows are likely to be vulnerable as well. Adobe Reader running on
OS X and Linux machines was not tested. Adobe has issued an advisory
warning of a critical buffer overflow vulnerability in both Reader and
Acrobat. Adobe plans to have patches ready for version 9 of the
programs by March 11, with patches for versions 8 and 7 to follow
shortly thereafter.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9128278&source=rss_topic17
http://www.theregister.co.uk/2009/02/20/adobe_reader_exploit/
http://gcn.com/Articles/2009/02/20/PDF-zero-day-exploit.aspx
http://news.cnet.com/8301-1009_3-10168266-83.html?part=rss&subj=news&tag=2547-1009_3-0-20
http://www.adobe.com/support/security/advisories/apsa09-01.html
http://www.us-cert.gov/cas/techalerts/TA09-051A.html

--Unauthorized Patch Posted for Adobe Flaw
(February 23, 2009)
A vulnerability researcher has posted an unauthorized patch for a
critical buffer overflow flaw in Adobe Reader that is being actively
exploited. Adobe acknowledged the vulnerability last week and said it
would have a fix prepared by March 11. The homemade patch, a
replacement .dll, addresses only the Windows version of Adobe Reader 9.0 and
offers no guarantees. The flaw affects versions 7, 8 and 9 of both
Adobe Reader and Adobe Acrobat. Users can also protect themselves from
attacks by disabling JavaScript.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9128428&source=NLT_PM
[Editor's Note (Ullrich): Aside from the patch, a number of sources
posted scripts to disable JavaScript processing in PDFs. These scripts
may be a safer method to mitigate this exploit and some can be
implemented via group policy.
(Northcutt): This could be a very good time to try Firefox and NoScript:
http://noscript.net/ ]
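The mitigation mentioned in this item and in Ullrich's note, disabling JavaScript in Reader and Acrobat, comes down to one per-user registry value. The following script is an added example written for this page; it is not code from the newsletter, Adobe, or any of the sources linked above. It assumes the per-user value bEnableJS (0 = off) under HKCU:\Software\Adobe\<product>\<version>\JSPrefs, which is the key Adobe's own preferences dialog writes, and it covers the Reader and Acrobat versions the item names as affected (7, 8 and 9). Run it as the user, or deploy it as a logon script or Group Policy Preference, which is how the "via group policy" route in the note typically works.

```powershell
# Added example (not from the newsletter or Adobe): audit and disable
# Acrobat/Reader JavaScript for the current user through the JSPrefs key.
# Assumption: bEnableJS under HKCU:\Software\Adobe\<product>\<version>\JSPrefs
# controls the "Enable Acrobat JavaScript" preference (0 = disabled).

$Products = @('Acrobat Reader', 'Adobe Acrobat')   # advisory covers both Reader and Acrobat
$Versions = @('7.0', '8.0', '9.0')                 # versions the item lists as affected

function Get-AcrobatJavaScriptState {
    # Emits one object per installed product/version with the effective state.
    # A missing bEnableJS value means JavaScript is ON (Adobe's default), which
    # is exactly the case an audit has to flag, so $null is treated as enabled.
    foreach ($p in $Products) {
        foreach ($v in $Versions) {
            $base = "HKCU:\Software\Adobe\$p\$v"
            if (-not (Test-Path $base)) { continue }   # not installed / never run by this user
            $prefs = Join-Path $base 'JSPrefs'
            $val = $null
            if (Test-Path $prefs) {
                $val = (Get-ItemProperty -Path $prefs -Name bEnableJS -ErrorAction SilentlyContinue).bEnableJS
            }
            [pscustomobject]@{
                Product   = $p
                Version   = $v
                Key       = $prefs
                bEnableJS = $val
                Enabled   = ($null -eq $val) -or ($val -ne 0)
            }
        }
    }
}

function Disable-AcrobatJavaScript {
    # Creates JSPrefs where it does not exist yet and forces bEnableJS = 0 for
    # every installed product/version. Idempotent, so it is safe at every logon.
    foreach ($entry in Get-AcrobatJavaScriptState) {
        if (-not (Test-Path $entry.Key)) { New-Item -Path $entry.Key -Force | Out-Null }
        New-ItemProperty -Path $entry.Key -Name bEnableJS -PropertyType DWord -Value 0 -Force | Out-Null
        Write-Output "JavaScript disabled: $($entry.Product) $($entry.Version)"
    }
}

# Audit, enforce, then re-audit so drift (a user re-enabling it) is visible.
Get-AcrobatJavaScriptState | Format-Table Product, Version, bEnableJS, Enabled -AutoSize
Disable-AcrobatJavaScript
Get-AcrobatJavaScriptState | Where-Object Enabled | ForEach-Object {
    Write-Warning "Still enabled: $($_.Product) $($_.Version)"
}
```

Because this is a per-user preference, a user can turn JavaScript back on from Edit > Preferences; scheduling the script at logon, or alerting on the re-audit output, keeps the setting enforced until the vendor patch arrives. It does not alter the application binaries, so it is a lower-risk alternative to the replacement .dll the item describes.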

STUDIES AND STATISTICS
--More Than Half of Former Employees Took Company Data
(February 23, 2009)
The Ponemon Institute interviewed 945 US adults who had been laid off,
fired, or changed jobs within the last year and found that more than
half took company information with them when they left their former
positions. The rationales for taking the data included help getting
another job, help starting their own business, or simple revenge. All
of the participants in the survey had access to proprietary information,
including customer data, employee information, financial reports,
software tools and confidential business documents. The survey also
found that just 15 percent of the companies examined the paper and/or
electronic documents their former employees took with them when they
left.
http://news.bbc.co.uk/2/hi/technology/7902989.stm
http://www.theregister.co.uk/2009/02/23/insider_threat_survey/
http://news.cnet.com/8301-1009_3-10170006-83.html?part=rss&subj=news&tag=2547-1009_3-0-20
[Editor's Note (Schultz): What the Ponemon Institute's study did not
show is just how bad ex-employee activity can get after a company folds.
I have heard numerous accounts about computer crimes (including brazen
thefts of servers) by ex-employees that ostensibly occurred after High
Tower Software collapsed. Sadly, despite all the reported illegal
activity, no complaints have been filed with law enforcement, nor has
anyone been charged with any crime. ]

**********************************************************************
The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Ron Dick headed the National Infrastructure Protection Center (NIPC) at
the FBI and is the incoming President of the InfraGard National Members
Alliance - with 22,000 members.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center.

Ed Skoudis is co-founder of Inguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Rohit Dhamankar is the Director of Security Research at TippingPoint,
where he leads the Digital Vaccine and ThreatLinQ groups. His group
develops protection filters to address vulnerabilities, viruses, worms,
Trojans, P2P, spyware, and other applications for use in TippingPoint's
Intrusion Prevention Systems.

Prof. Howard A. Schmidt is the President of the Information Security
Forum (ISF) and author who has served as CSO for Microsoft and eBay and
as Vice-Chair of the President's Critical Infrastructure Protection
Board.

Tom Liston is a Senior Security Consultant and Malware Analyst for
Inguardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Mark Weatherford, CISSP, CISM, is Executive Officer of the California
Office of Information Security and Privacy Protection.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Brian Honan is an independent security consultant based in Dublin,
Ireland.

David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology
Institute.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
