SANS NewsBites Vol. 12 Num. 42 : House attaches FISMA corrections to Defense Authorization Bill for rapid action

From: The SANS Institute (NewsBitessans.org)
Date: Fri May 28 2010 - 14:54:25 CDT


Breaking News: US House of Representatives attaches new FISMA rewrite
to Defense Authorization Bill. The press hasn't picked it up yet, but
NextGov.Com will have a story in a few minutes. This puts one more nail
in the coffin of the Federal CISOs and security contractors who think
they can go on ignoring OMB and go on wasting money on out of date
report writing contracts.
                                              Alan
*************************************************************************
SANS NewsBites May 25, 2010 Vol. 12, Num. 42
*************************************************************************
TOP OF THE NEWS
  Facebook Simplifies Privacy Controls
  Einstein May be Used on Private Networks That Support Critical Infrastructure
  Google Facing More Flak Over Wi-Fi Data Collection
  Large US Tech Companies Find Business Continuity a Greater Risk than Data Breaches
  Disaster Recovery Plans Not Receiving Adequate Attention
THE REST OF THE WEEK'S NEWS
  Japanese Police Arrest Two for Alleged Cyber Fraud
  Cisco Warns of Flaws in Network Building Mediator
  Canadian Legislators Mull Proposed Privacy Law Amendments
  Five Indicted in Fraudulent Funds Transfer Case
  Second Man Sentenced for Scientology DDoS Attacks
  New Twist on Phishing Targets Open Browser Tabs
  Apple Has Not Fixed Carpet Bomb Flaw in Safari for OS X

*********************** Sponsored By SANS ******************************

The SANS WhatWorks in Virtualization and Cloud Computing Summit brings
together industry leaders to help enterprises realize the enormous
benefits of virtualization while addressing the new security challenges
that it creates. You'll discuss the latest processes and tools for
securing your virtualized systems in open forums designed to bring you
together with both industry experts and your peers facing the same
day-to-day challenges.

http://www.sans.org/info/59858
*************************************************************************
TRAINING UPDATE
 -- SANSFIRE 2010, Baltimore, June 6-14, 2010
36 courses. Bonus evening presentations include Software Security
Street Fighting Style and The Verizon Data Breach Investigations
Report
http://www.sans.org/sansfire-2010/
 -- SANS Rocky Mountain 2010, Denver, July 12-17, 2010
8 courses. Bonus evening presentations include Hiding in Plain Sight:
Forensic Techniques to Counter the Advanced Persistent Threat
http://www.sans.org/rocky-mountain-2010/
 -- SANS Boston 2010, August 2-8, 2010
11 courses. Special Events include Rapid Response Security Strategy Competition
http://www.sans.org/boston-2010/
 -- SANS Virginia Beach 2010, August 29-September 3, 2010
9 courses
http://www.sans.org/virginia-beach-2010/
 -- SANS Network Security 2010, Las Vegas, September 19-27, 2010
40 courses. Bonus evening presentations include The Return of Command
Line Kung Fu and Cyberwar or Business as Usual? The State of US
Federal CyberSecurity Initiatives
http://www.sans.org/network-security-2010/
Looking for training in your own community? http://sans.org/community/
Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/spring09.php
Plus Brisbane, Amsterdam, Kuala Lumpur, Canberra and Taipei all in the
next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org
*************************************************************************

TOP OF THE NEWS
 --Facebook Simplifies Privacy Controls
(May 26 & 27, 2010)
Facebook says it has simplified its privacy controls. The new controls
will allow users to choose to share content with friends only, with
friends and friends of friends only, or with everyone. Users who want
to implement more granular control will still have the opportunity to
do so, and all those controls will be on a single page. The Electronic
Frontier Foundation (EFF) says that while the changes are a "great
first step," there are still privacy issues that need to be addressed.
In particular, the EFF says that "no information should be required to
be publicly available." Others have pointed out that social networks
are designed for sharing information. The features will be rolled out
over the next few weeks.
http://www.scmagazineuk.com/facebook-rolls-out-simpler-privacy-settings-with-a-single-control-for-content-controls-for-basic-information-and-a-control-to-turn-off-all-applications/article/171102/
http://news.bbc.co.uk/2/hi/technology/10171575.stm
http://www.theregister.co.uk/2010/05/26/facebook_privacy_revamp/
http://www.pcworld.com/article/197321/facebooks_privacy_changes_are_you_satisfied.html
[Editor's Note (Ranum): If you don't want to make something public don't
blog, facebook, tweet, or otherwise publicly announce it! Three people
can keep a secret if two of them are dead and nobody has published it
on the Internet for all their 'friends' to see.]

 --Einstein May be Used on Private Networks That Support Critical Infrastructure
(May 26 & 27, 2010)
Speaking at the Strategic Command Cyber Symposium in Nebraska on May 26,
Deputy Defense Secretary William J. Lynn III said that the Einstein
computer security system used to detect and prevent attacks on
government systems may be expanded to help protect private sector
systems that support critical infrastructure, including utilities and
communications. Participation would be voluntary. Lynn suggested that
companies that choose not to take advantage of the offer would be
braving a lawless cyber frontier. The proposed arrangement poses
information sharing issues. It is unclear if the private companies would
share the information they collect with the government. The government
may be unable to share some information with the companies because it
is classified, and companies may be reluctant to share information with
one another.
http://www.msnbc.msn.com/id/37366519/ns/technology_and_science-security/
http://www.wired.com/threatlevel/2010/05/einstein-on-private-networks/
http://www.govinfosecurity.com/articles.php?art_id=2581&rf=2010-05-27-eg
[Editor's Note (Pescatore): The Einstein technology deployed to date
doesn't prevent anything; it has been detection and reporting. In
general, the government lags behind private industry in deploying active
prevention technologies.]

 --Google Facing More Flak Over Wi-Fi Data Collection
(May 25, 26 & 27, 2010)
US lawmakers have sent a letter to Google chief executive Eric Schmidt
seeking answers to a dozen questions about the company's Wi-Fi data
collection. Google has acknowledged that for three years, it
inadvertently gathered wireless network payload data while gathering
images for its Street View feature. Google is facing a criminal
investigation in Germany over the issue. The company is shying away
from handing over the data to German regulators, suggesting that the
country's privacy laws prevent it from surrendering the information. A
Massachusetts Internet service provider (ISP) has filed a class action
lawsuit against Google. Galaxy Internet Services is also requesting
that Google be barred from destroying the information it has collected.
Another class action lawsuit was filed in Oregon last week. A third
lawsuit has been filed in California.
http://www.computerworld.com/s/article/9177348/ISP_sues_Google_over_Wi_Fi_sniffing?source=rss_news
http://latimesblogs.latimes.com/technology/2010/05/legislators-grill-google-eric-schmidt-on-spyfi-privacy-issue.html
http://www.wired.com/threatlevel/2010/05/google-sued/
http://www.nytimes.com/2010/05/28/technology/28google.html?ref=technology
[Editor's Note (Schultz): Google's current woes show that with the
benefits of the information age also come legal and other risks related
to obtaining information about which there has been little forethought
concerning the need for protection.]

 --Large US Tech Companies Find Business Continuity a Greater Risk than Data Breaches
(May 24, 2010)
According to research from BDO, business continuity ranks as a higher
risk factor than data breaches for the 100 largest US technical
companies. The data were compiled from the companies' 2009 10-K SEC
filings that require the companies to list risk factors that could
affect their bottom lines.
http://www.computerworld.com/s/article/9177262/Business_continuity_not_data_breaches_among_top_concerns_for_tech_firms?source=rss_news
[Editor's Note (Pescatore): This illustrates the big difference between
business/market risks and IT risks. What BDO did is look at the "Market
Risk" section of financial filings, which came from SEC rules back in
1997 when there were derivative shenanigans way back then. That section
in financial filings over time just turned into a dumping ground for
listing any possible future event that could potentially lead to a
significant event, as a way of warding off lawsuits when a stock tanked:
"Well, in Section 7a we did warn you that the stock could drop in any
month where the majority of days ended with the letter Y..." From that
perspective, business disruption is a much larger cost than a data
disclosure event.
(Ranum): Business continuity is also a more important problem for most
businesses. Security sometimes should take second place to survival.
(Schultz): Hurricanes Katrina and Wilma were far more costly to many
organizations than the worst of all data security breaches.]

 --Disaster Recovery Plans Not Receiving Adequate Attention
According to Symantec's 2010 State of the Data Center Report, at least
one-third of mid-sized organizations have not evaluated their Disaster
Recovery plan in the last year. The study compiled responses from
1,780 data center managers in 26 countries. The lack of disaster
recovery plans has been blamed on complex data center expansions, and
ever-growing server and storage needs. Furthermore, about one-third of
enterprises' disaster recovery plans are undocumented.
http://www.symantec.com/about/news/resources/press_kits/detail.jsp?pkid=sdcreport2010
Learn more about how to implement a hassle-free Disaster Recovery
solution where information is available during or following a disaster.
I call this the One Touch Disaster Recovery [DR] solution for Continuity
of Operations [COOP].
http://www.sans.org/reading_room/whitepapers/recovery/touch-disaster-recovery-solution-continuity-operations_33373

*************************** Sponsored Link: ***************************
1) Measuring network performance, security and stability under hostile
conditions - Take our SANS Network Security Survey and be entered into
a drawing to win a $250 American Express Gift Certificate.
http://www.sans.org/info/59863
*************************************************************************

THE REST OF THE WEEK'S NEWS
 --Japanese Police Arrest Two for Alleged Cyber Fraud
(May 27, 2010)
Japanese police have arrested two men who are suspected of using malware
named Kenzo to commit fraud. The pair allegedly hid malware in a
computer game; users' computers became infected when they downloaded the
game with filesharing software. The malware stole personal information
and leaked it onto the Internet. The pair then allegedly offered to
delete the leaked data for a payment of 5,800 yen (US $64). The malware
is believed to have infected 5,000 computers.
http://news.asiaone.com/News/AsiaOne%2BNews/Crime/Story/A1Story20100527-218771.html

 --Cisco Warns of Flaws in Network Building Mediator
(May 26 & 27, 2010)
Cisco is urging users of its Network Building Mediator (NBM) software
to install a patch for six vulnerabilities that could be exploited to
take control of devices running the software. NBM can be used to
remotely monitor buildings' security, ventilation and energy systems.
Any user with network access can connect to NBM with administrative
privileges. The flaws also affect the Richards-Zeta Mediator 2500 and
other Richards-Zeta Mediator legacy products; Cisco acquired
Richards-Zeta in January 2009. The flaws are especially serious
because the software can interact with power grids.
http://www.thetechherald.com/article.php/201021/5662/Cisco-urges-patch-deployment-for-Network-Building-Mediator
http://www.theregister.co.uk/2010/05/26/cisco_building_control_bugs/
http://www.cisco.com/en/US/products/products_security_advisory09186a0080b2c518.shtml
[Editor's Note (Pescatore): Most of the software running these Building
Automation Systems was written by developers who never considered that
their systems might be exposed on open networks. It is good to see Cisco
fixing vulnerabilities, but enterprises need to be very careful in rushing
to put BAS systems on converged networks - they really should be on
standalone networks. If not, treat them like unpatched servers.]

 --Canadian Legislators Mull Proposed Privacy Law Amendments
(May 25 & 26, 2010)
Canadian legislators are considering amendments to the country's
Personal Information Protection and Electronic Documents Act (PIPEDA).
Proposed changes include requiring organizations to notify Canada's
Privacy Commissioner of material data breaches and to notify individuals
if a breach poses the risk of harm; the assessment of the risk of harm
would be determined by each organization. Another proposed amendment
would expand the authority of law enforcement and national security
agencies to demand customer information without a warrant. Canada's
lawmakers are also considering anti-spam legislation. The Fighting
Internet and Wireless Spam Act (FISA) was originally introduced in April
2009, but has been amended and was reintroduced on May 25, 2010. The
proposed legislation would allow the Canadian Radio-Television and
Telecommunications Commission (CRTC) to impose fines of up to CAD $1
million (US $953,000) per violation for individuals and CAD $10 million
(US $9.53 million) for businesses. Subsequent penalties would be even
higher.
http://www.earthtimes.org/articles/show/government-of-canada-moves-to,1316147.shtml
http://www.ottawacitizen.com/news/National+firms+keep+data+theft+secret/3070920/story.html
http://blog.privacylawyer.ca/2010/05/pipeda-amendments-will-expand-private.html
http://outbound-call-center.tmcnet.com/topics/outbound-call-center/articles/86444-canadian-government-re-intros-anti-spam-legislation-intros.htm

 --Five Indicted in Fraudulent Funds Transfer Case
(May 26, 2010)
Five people have been indicted in connection with the theft of nearly
US $450,000 from the city of Carson's (California) bank accounts. The
thieves used spyware to steal city employee login credentials, and then
made two fund transfers from city accounts to other, previously
established accounts outside the state. About US $300,000 of the money
was recovered, and the city received an additional $100,000 from its
insurance company. Carson city treasurer Karen Avila says the bank,
City National Bank, should have been aware that something suspicious was
going on. Three of those indicted appear to have orchestrated the
scheme, while two were indicted for allowing their bank accounts to be
used to receive the stolen funds.
http://www.computerworld.com/s/article/9177409/Five_indicted_in_cybertheft_of_city_s_bank_accounts?taxonomyId=17
[Editor's Note (Schultz): This is not the first major security breach
for the city of Carson, California. City officials apparently did not
learn much from the city's widely publicized breach several years ago.]

 --Second Man Sentenced for Scientology DDoS Attacks
(May 25, 2010)
Brian Thomas Mettenbrink has been sentenced to one year in jail and
ordered to pay US $20,000 in compensation to the Church of Scientology
for his role in a series of distributed denial-of-service (DDoS) attacks
against that organization's websites. Another man, Dmitriy Guzner, was
sentenced to one year in jail for his role in the attacks late last
year. The January 2008 attacks appear to have been prompted by the
Church of Scientology's demands to take down videos of Tom Cruise, a
prominent member of the organization.
http://www.theregister.co.uk/2010/05/25/second_scientology_ddoser_jailed/

 --New Twist on Phishing Targets Open Browser Tabs
(May 24, 25 & 26, 2010)
A Firefox developer is warning of a new kind of phishing attack that
preys on users' inattention to which tabs they have open in their
browsers. The attack is perpetrated by JavaScript code in a
specially-crafted page. When users have several tabs open and are not
viewing the site with the malicious code, the code surreptitiously
changes the destination page after several minutes of inactivity; the
favicon and title of the page are changed as well. The attack can be
made more personal by perusing users' browsing histories and making the
page appear to be one that the user frequents, such as Facebook or a
banking login page. When the user goes back to the tab, there is a
sign-on screen asking for login credentials. The vulnerability affects
all major browsers that run on Mac OS X and Windows.
http://krebsonsecurity.com/2010/05/devious-new-phishing-tactic-targets-tabs/
http://www.theregister.co.uk/2010/05/25/tabnapping_phishing_attack/
http://www.h-online.com/security/news/item/New-phishing-attack-exploits-tabbed-browsing-1006386.html
http://www.computerworld.com/s/article/9177326/Sneaky_browser_tabnapping_phishing_tactic_surfaces?source=CTWNLE_nlt_pm_2010-05-25
http://www.computerworld.com/s/article/9177398/How_to_foil_Web_browser_tabnapping_?taxonomyId=85
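One way a defender could watch for the pattern described above, as an added example that is not from the NewsBites issue or from any browser vendor: the heuristic below rates what a page changed while its tab was hidden (the event shapes, the extension content-script wiring and the sample log are assumptions).

```javascript
// Added example, not from the NewsBites issue or any browser vendor: a defender-side
// heuristic for the tab-swap phishing described above. The pure functions run anywhere;
// the DOM hook at the end shows how an extension content script (assumed) could feed them.
// Assumed event shape: { t: <ms>, type: 'hidden'|'visible'|'title'|'favicon'|'password-field' }

// Map a MutationRecord-like object to one of the event types above, or null.
function classifyMutation(m) {
  const tgt = m.target;
  const isIcon = (n) => n.nodeName === 'LINK' && /\bicon\b/i.test(n.rel || '');
  // document.title = '...' replaces the text node under <title>
  if (tgt.nodeName === 'TITLE' || (tgt.parentNode && tgt.parentNode.nodeName === 'TITLE')) return 'title';
  if (m.type === 'attributes' && isIcon(tgt)) return 'favicon';
  for (const n of m.addedNodes || []) {
    if (n.nodeType !== 1) continue; // element nodes only
    if (isIcon(n)) return 'favicon';
    if (n.nodeName === 'INPUT' && n.type === 'password') return 'password-field';
    if (n.querySelector && n.querySelector('input[type=password]')) return 'password-field';
  }
  return null;
}
// Report every hidden interval in which the page changed its visible identity (title,
// favicon) or grew a password prompt. A title-only change while hidden is common for
// benign pages (unread counters) and rates low; title+favicon swap plus a login form rates high.
function analyseTabEvents(events) {
  const findings = [];
  let hiddenSince = null;
  let seen = new Set();
  for (const ev of events) {
    if (ev.type === 'hidden') {
      hiddenSince = ev.t; seen = new Set();
    } else if (ev.type === 'visible') {
      if (hiddenSince !== null && seen.size > 0) {
        const swapped = seen.has('title') && seen.has('favicon');
        const login = seen.has('password-field');
        const severity = swapped && login ? 'high' : (swapped || login) ? 'medium' : 'low';
        findings.push({ hiddenMs: ev.t - hiddenSince, visibleAt: ev.t, changes: [...seen].sort(), severity });
      }
      hiddenSince = null;
    } else if (hiddenSince !== null) {
      seen.add(ev.type); // only changes made while the tab was hidden count
    }
  }
  return findings;
}
// Constructed log resembling the attack: after minutes hidden, title and favicon are
// rewritten and a login form is injected before the user returns.
const SAMPLE_LOG = [
  { t: 0, type: 'hidden' }, { t: 300000, type: 'title' }, { t: 300050, type: 'favicon' },
  { t: 300100, type: 'password-field' }, { t: 420000, type: 'visible' }];

// Browser wiring (skipped under Node): record DOM and visibility changes, warn on return.
if (typeof document !== 'undefined') {
  const log = [];
  new MutationObserver((muts) => {
    for (const m of muts) {
      const type = classifyMutation(m);
      if (type) log.push({ t: performance.now(), type });
    }
  }).observe(document.documentElement, { childList: true, subtree: true, characterData: true,
                                         attributes: true, attributeFilter: ['href', 'rel'] });
  document.addEventListener('visibilitychange', () => {
    const t = performance.now();
    log.push({ t, type: document.hidden ? 'hidden' : 'visible' });
    const last = analyseTabEvents(log).pop();
    if (!document.hidden && last && last.visibleAt === t && last.severity !== 'low') {
      console.warn('Tab changed its title/icon while you were away; check the address bar before entering credentials.', last);
    }
  });
}
```

A swap done by navigating the tab to a different URL would not be seen by a per-page hook like this; an extension would have to track it from its background script across tab updates. The severity ratings are a heuristic, not proof of phishing.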

 --Apple Has Not Fixed Carpet Bomb Flaw in Safari for OS X
(May 24, 2010)
Two years after learning of a vulnerability in its Safari web browser,
Apple has yet to fix the problem. The flaw, which has been called a
"carpet bomb" attack, allows maliciously crafted web pages to download
files to users' computers without requiring users' consent. When first
alerted to the problem, Apple deemed it "more of an annoyance than
anything else," said security researcher Nitesh Dhanjani. Shortly after
the disclosure, however, another researcher demonstrated how the carpet
bombing vulnerability combined with a Windows flaw could be exploited
to run unauthorized software on users' computers. At that time, Apple
issued a fix for the Windows version of Safari, but Safari for OS X
remains unpatched. Both Firefox and Chrome have received fixes to
protect users from this sort of attack.
http://www.computerworld.com/s/article/9177278/Two_years_later_Apple_still_won_t_fix_Safari_hole?taxonomyId=85
http://www.theregister.co.uk/2010/05/24/safari_carpet_bombing_bug/

**********************************************************************
The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC)

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.

Prof. Howard A. Schmidt is the Cyber Coordinator for the President of
the United States

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center and Dean of the Faculty of the graduate school at the SANS
Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's
computer forensic courses (computer-forensics.sans.org) and a Director
at the incident response company Mandiant.

Rohit Dhamankar is the Director of Security Research at TippingPoint,
where he leads the Digital Vaccine and ThreatLinQ groups. His group
develops protection filters to address vulnerabilities, viruses, worms,
Trojans, P2P, spyware, and other applications for use in TippingPoint's
Intrusion Prevention Systems.

Tom Liston is a Senior Security Consultant and Malware Analyst for
Inguardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.

Ron Dick directed the National Infrastructure Protection Center (NIPC)
at the FBI and is the incoming President of the InfraGard National
Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.

David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology
Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of
the State of California.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
