SANS NewsBites Vol. 10 Num. 77

From: The SANS Institute (NewsBites@sans.org)
Date: Tue Sep 30 2008 - 14:19:23 CDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

If you have wondered when colleges would start taking responsibility for
ensuring their graduates know how to write secure code, you'll like the
final story (under MISCELLANEOUS). It includes a path you can use to
help make sure the schools from which you hire programmers are part of
the solution.
                                       Alan

*************************************************************************
SANS NewsBites September 26, 2008 Vol. 10, Num. 76
*************************************************************************
TOP OF THE NEWS
  FISMA 2008: A Better Solution
  Microsoft and Washington State AG File Charges Against Scareware
     Vendors
  BT Will Run New Phorm Test on Opt-In Basis
THE REST OF THE WEEK'S NEWS
  ARRESTS, CHARGES & CONVICTIONS
    Carleton University Student Hacker Quits School Over Penalty
       Disagreement
    Tenenbaum Free on Bail
  GOVERNMENT SYSTEMS AND HOMELAND SECURITY
    Stolen Hard Drives Hold Sensitive Data of 50,000 UK Ministry of
       Defence Staff
    Los Alamos Needs to Implement Stronger Security, Says GAO
  VULNERABILITIES
    Secondhand VPN Router Connects to Previous Owners' Network
  UPDATES AND PATCHES
    Mozilla Fixes Firefox Password Manager Flaw
  DATA LOSS
    Whittington Hospital NHS Trust's Missing Disks Returned
  ATTACKS
    Cyber Thieves Use Purloined Yahoo Japan Auction Accounts
  MISCELLANEOUS
    Ten Most Mysterious Cyber Crimes
    Security Certifications Pay
    Four Colleges Selected For Grants For Secure Coding Education Innovation

*************************************************************************
TRAINING UPDATE
- - SANS CDI in Washington 30 courses; big security tools expo; lots of
evening sessions: http://www.sans.org/cdi08/
- - Monterey (10/31-11/6) http://www.sans.org/info/30738
- - Sydney Australia (10/27-11/1) http://www.sans.org/sydney08/
- - Vancouver (11/17-11/22) http://www.sans.org/vancouver08/
and in 100 other cities and online any time: www.sans.org
*************************************************************************

TOP OF THE NEWS
 --FISMA 2008: A Better Solution
(September 29, 2008)
Certain provisions in the proposed Federal Information Security
Management Act (FISMA) of 2008 would make major strides toward ensuring
that federal computer systems are protected from attacks. Federal
agencies spend a lot of time on the paperwork part of compliance with
FISMA 2003, which ultimately has little to do with the actual security
of their computer networks. If enacted, FISMA 2008 would require that
agencies purchase products with security built in from the start instead
of adding it later; it would require attack-based metrics to demonstrate
that their systems are protected from known vectors of attack; and it
would require a government-wide consensus on those metrics.
http://www.fcw.com/print/22_32/comment/153909-1.html?topic=security

 --Microsoft and Washington State AG File Charges Against Scareware Vendors
(September 26 & 29, 2008)
On Monday, September 29, Microsoft and the state of Washington plan to
file lawsuits against individuals and organizations for allegedly
inundating users' computers with spurious warnings about vulnerabilities
detected on their machines and attempting to sell them software to
address those flaws. The Washington AG's office is bringing charges
under the state's Computer Spyware Act against Branch Software and Alpha
Red and their owner, James Reed McCreary IV. Microsoft is filing several
John Doe lawsuits to learn the identities of individuals suspected of
marketing other scareware products.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9115720&source=rss_topic17
http://www.vnunet.com/vnunet/news/2227086/microsoft-launch-spyware-spam
http://voices.washingtonpost.com/securityfix/2008/09/microsoft_washington_state_tar.html?nav=rss_blog
http://news.cnet.com/8301-1009_3-10053565-83.html

 --BT Will Run New Phorm Test on Opt-In Basis
(September 25 & 29, 2008)
Just days after London police said they would not proceed with an
investigation into BT's secret trials of targeted advertising system
Phorm, the British telecommunications company has announced that it is
starting new trials of the controversial technology on September 30.
This time, however, customers will have opted in to the trial; in the
earlier trial, the technology was used without user consent. The new
trial will run for at least four weeks; BT hopes to get 10,000 users to
sign up to participate. If BT decides to continue using Phorm, it could
be rolled out to all its broadband customers. The company has not
specified whether the program will still be opt-in at that point.
http://news.bbc.co.uk/2/hi/technology/7634210.stm
http://news.bbc.co.uk/2/hi/technology/7641754.stm
[Editor's Note (Pescatore): The opt-in part should be on the collection
of the data, not on displaying targeted advertising. The former is the
risk; the latter is actually a benefit.
(Guest Editor and Internet Storm Center handler, Steve Hall): I think
the way this is being handled by BT is atrocious. If you check how BT
are 'selling' this service to their customers, then it's being sold far
less as a method of targeting advertising, and more as online
protection. http://www2.bt.com/static/i/btretail/webwise/ I do wonder
how many of the 10,000 randomly chosen people will read ONLINE
PROTECTION, rather than 3RD PARTY MONITORING ALL YOUR SURFING when they
read the interstitial page.]

************************* SPONSORED LINK *******************************
1) 2-Day Training Class Hosted by the FISMA Center FISMA 101:
Certification & Accreditation Concepts November 13-14, 2008 Columbia,
Maryland
http://www.sans.org/info/33674
*************************************************************************

THE REST OF THE WEEK'S NEWS
ARRESTS, CHARGES & CONVICTIONS
 --Carleton University Student Hacker Quits School Over Penalty Disagreement
(September 26 & 29, 2008)
The Carleton University student accused of breaking into the school's
computer network has refused to agree to one of the punishments for his
actions and has dropped out of the school. In August, Mansour Moufid
sent a 16-page report to school administrators and some students
describing the vulnerabilities he exploited to gain access to 32 student
accounts on the network. In the report, Moufid says he took the actions
to demonstrate the need for improved security on the university's
network. Among the penalties the school imposed on Moufid was to
require him to write a letter of apology in which he would say that he
lied when he said earlier that he had alerted university officials to
the issue before sharing the report. Although he would have been
willing to submit to the remainder of the punishments outlined by
University officials, Moufid said that to make such a statement in the
letter would be a lie. Moufid could also face charges of mischief to
data and unauthorized use of a computer under Canada's Criminal Code,
which each carry maximum sentences of 10 years in prison.
http://www.canada.com/ottawacitizen/news/story.html?id=ce863a37-9fb9-46d6-b90b-40be380084e6
http://www.securityfocus.com/brief/829

 --Tenenbaum Free on Bail
(September 26, 2008)
Ehud Tenenbaum, who is the alleged mastermind of a scheme in which CAD
1.8 million (USD 1.7 million) was stolen from Direct Cash Management in
Calgary, Alberta, Canada, has been released on bail. The alleged scheme
involved obtaining pre-paid debit cards from Direct Cash, breaking into
the company's computer system and increasing the cards' values. The
judge has allowed Tenenbaum to return to Montreal, where he must report
to police twice a week. He has also been barred from using any device
that is capable of accessing the Internet and from talking with another
suspect in the case. He is scheduled to appear in court again on
October 29. As a teenager, Tenenbaum broke into US Defense Department
computers. His initial sentence of six months of supervised release was
eventually increased to 18 months in jail.
http://www.canada.com/calgaryherald/news/city/story.html?id=7833966a-5188-4e84-862c-0ed65aa7d047

GOVERNMENT SYSTEMS AND HOMELAND SECURITY
 --Stolen Hard Drives Hold Sensitive Data of 50,000 UK Ministry of Defence Staff
(September 26 & 29, 2008)
Personally identifiable information of as many as 50,000 UK military
staff has been compromised due to the theft of three portable hard
drives from the RAF Innsworth base in Gloucestershire. The unencrypted
data include addresses, bank account numbers and medical records. The
theft is under investigation by Ministry of Defence (MoD) police and
Gloucestershire police. The MoD plans to notify all individuals affected
by the data security breach.
http://www.computerworlduk.com/management/government-law/public-sector/news/index.cfm?newsid=11244
http://www.mirror.co.uk/news/top-stories/2008/09/26/safety-fears-for-50-000-raf-staff-after-personal-files-are-stolen-115875-20754809/
http://www.theregister.co.uk/2008/09/29/raf_usb_drives_stolen/
[Editor's Note (Honan): The stolen hard drives were apparently not
encrypted as they were located in a secure facility. I guess the RAF
has learnt a lesson in defense in depth and that you need to ensure you
include layers of defense in the physical, logical and personnel
domains.]

 --Los Alamos Needs to Implement Stronger Security, Says GAO
(September 25, 26 & 29, 2008)
According to a report from the US Government Accountability Office
(GAO), cyber security vulnerabilities at the Los Alamos National
Laboratory (LANL) could expose sensitive data. Although LANL has begun
implementing previously recommended measures to improve data security,
there are still holes in its unclassified network, which holds
information about export control and sensitive employee data. The
network itself has strong authentication measures in place, but once
access is granted, users can find their way around the other security
measures to access the sensitive data. The report also found weaknesses
in physical security at LANL. The GAO made several recommendations for
improving LANL's cyber security posture, including "requir[ing] the
Director of LANL to ... ensure that the risk assessment for the
unclassified network evaluates all known vulnerabilities and is revised
periodically and strengthen policies with a view toward ... reducing ...
foreign nationals' access to the unclassified network."
http://www.theregister.co.uk/2008/09/29/los_alamos_cyber_insecurity/
http://www.fcw.com/online/news/153921-1.html
http://www.nextgov.com/nextgov/ng_20080929_5288.php
http://www.gao.gov/new.items/d081180t.pdf
[Editor's Note (Schultz): The condition of information security at LANL
sounds typical of many laboratories within the nuclear weapons complex.
There is often such an emphasis upon protecting classified data, systems
and networks that protecting the unclassified side of computing, while
not at all neglected, becomes overshadowed.
(Weatherford): This is another example of how bureaucracy impedes
security, and if it doesn't make you want to scream, you haven't been
paying attention, because "Over the last decade, LANL has experienced a
series of high-profile security incidents in which sensitive assets and
classified information were compromised." How long does it take to
finally get the problem fixed? The GAO report says that "A key reason
for these information security weaknesses is that the laboratory has not
fully implemented an information security program to ensure that
controls are effectively established and maintained" and also "Although
LANL cyber security officials told us that funding has been inadequate
to address some of their security concerns, NNSA officials raised
questions about the basis for LANL's funding request for cyber security.
NNSA's Chief Information Officer told us that LANL has not adequately
justified requests for additional funds to address the laboratory's
stated shortfalls."]

VULNERABILITIES
 --Secondhand VPN Router Connects to Previous Owners' Network
(September 29, 2008)
In a new twist on the dangers of selling used equipment, a man who
bought a virtual private network (VPN) server through eBay found that
when it was switched on, it automatically connected to an internal
network that belongs to the local government of West Yorkshire, England.
The man, who works for a security company, purchased the secondhand
Cisco device for 99p (US $1.78). A Cisco spokesperson said that the
devices come with instructions for resetting them to the factory
default.
http://news.bbc.co.uk/2/hi/technology/7635622.stm
[Editor's Note (Pescatore): The same thing is happening with print
servers and all kinds of other equipment that has "hidden" storage.
Essentially, if you are surplusing any kind of IT you need to make sure
it is either sanitized or destroyed.]

UPDATES AND PATCHES
 --Mozilla Fixes Firefox Password Manager Flaw
(September 29, 2008)
Mozilla patched a vulnerability in the Firefox Password Manager feature
last week, just days after it released Firefox 3.0.2 to address 11
security flaws. Firefox 3.0.3 was slated to be released this week, but
the fix was pushed out late in the day on Friday, September 26. Mozilla
became aware of the password problem when, after installing Firefox
3.0.2, some users reported they were unable to retrieve saved passwords
or save new site passwords.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9115783&intsrc=hm_list
http://www.theregister.co.uk/2008/09/29/firefox_update_fixes_password_saving_bug/

DATA LOSS
 --Whittington Hospital NHS Trust's Missing Disks Returned
(September 26, 2008)
Four disks reported missing from the Whittington Hospital NHS Trust in
London have been recovered. After a memo was sent to all employees
notifying them of the situation, the disks were turned in to the trust's
finance department. The disks, which were password-protected, contain
personally identifiable information of 18,000 trust staff members. The
trust is reviewing its data handling procedures.
http://news.zdnet.co.uk/security/0,1000000189,39494153,00.htm
[Editor's Note (Veltsos): Memo to all security staff - please stop
calling things "password protected" unless you're referring to the kind
of weak and built-in password protection that comes in most
off-the-shelf software.]

ATTACKS
 --Cyber Thieves Use Purloined Yahoo Japan Auction Accounts
(September 27, 2008)
Cyber criminals used stolen login information to access accounts on
Yahoo Japan's auction website more than 1.5 million times since May. The
thieves used the purloined accounts to sell phony luxury items.
Initially, the true account holders were being charged fees for the
fraudulent transactions, but Yahoo Japan has identified an IP address
associated with the activity and is now processing customers' claims to
have the bogus charges removed.
http://www.yomiuri.co.jp/dy/national/20080927TDY02308.htm

MISCELLANEOUS
 --Ten Most Mysterious Cyber Crimes
(September 26, 2008)
While cyber crime cases that result in arrests and prison sentences are
making the news more and more often, there are still major cases that
have remained unsolved for years. This list of "The 10 Most Mysterious
Cyber Crimes" includes both old - the hacking of a UK Ministry of
Defense satellite in early 1999 - and new - the Hannaford/Sweetbay
supermarket chain credit card data breach that was acknowledged earlier
this year.
http://www.pcmag.com/print_article2/0,1217,a%253D232455,00.asp

 --Security Certifications Pay
(September 23, 2008)
Of 165 IT certifications monitored over the past year, 17 increased in
value. Seven of the 17 certifications that increased in value were from
the security sector, with those who had earned the GIAC Security Expert
(GSE) certification posting a whopping 36.4% average salary increase
during the last 12 months: the largest salary growth of any certified
professional. Overall, pay for security certifications was up 0.4%
during the last six months and 2% during the last year (through July 1,
2008), compared with the downward trend of all IT certifications, which
lost 2.5% during the last six months and 3.5% during the past year.
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1331613,00.html

 --Four Colleges Selected For Grants For Secure Coding Education Innovation
(September 27, 2008)
Cornell, the University of North Carolina at Charlotte, Virginia Tech,
and the University of California at Davis were selected as the first
recipients of funding for deployment of the National Secure Coding
Clinics (NSCC) initiative. UC Davis Professor Matt Bishop demonstrated
that computer science students can master secure coding without asking
college faculty to learn it or teach it. The innovation employs graduate
student and corporate clinicians to review student code for each
assignment and point out secure coding errors and how to fix them. In
Bishop's test, students not only radically reduced their secure coding
errors but also became "converts" with new, strong commitments to
writing and ensuring others wrote secure code. The program has strong
support from multiple federal agencies as well as the SANS Institute and
large IT companies engaged in the SAFECode initiative.

We are including this note in NewsBites to invite employers who hire
college graduates to join the NSCC Partnership, to encourage and
support the schools from which you hire programmers to participate in
the program and improve the secure coding skills of their graduates. If
you are interested, send us a note with the name of the school from
which you have hired at least a dozen programmers over the past five
years, and we'll let you know where that school stands on the NSCC and
help you help them make progress in ensuring their graduates know how
to write secure code. Email apaller@sans.org with subject NSCC.

*************************************************************************
The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Mark Weatherford, CISSP, CISM, is Executive Officer of the California
Office of Information Security and Privacy Protection.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security
courses at Minnesota State University, Mankato. He is the President of
Prudent Security LLC and also serves as the President of the Mankato
Chapter ISSA.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)

iEYEARECAAYFAkjiaxEACgkQ+LUG5KFpTkZLtQCfRoGdioTy/GPpitnNUK5eaOkA
cSMAni6bhyCkqKK1XaXQUMpEtVgTEaV+
=xTmi
-----END PGP SIGNATURE-----