SANS NewsBites Vol. 11 Num. 86 : GAO Finds Probable Cause Of Cybersecurity Ineffectiveness
- From: The SANS Institute
- Date: Fri Oct 30 14:43:53 2009
Only three more days to submit entries in the DoD Cyber Crime Center
Forensics Challenge. If you haven't sent your submission do it soon.
http://www.dc3.mil/2009_challenge/
*************************************************************************
SANS NewsBites October 30, 2009 Vol. 11, Num. 86
*************************************************************************
TOP OF THE NEWS
GAO Report Exposes OMB Mismanagement of FISMA as Important Cause of
US Government Cyber Security Ineffectiveness
Judge Denies Settlement Proposal in TD Ameritrade Case
Three-Quarters of Small and Mid-Sized Companies Froze or Cut Security
Spending
THE REST OF THE WEEK'S NEWS
CalOptima Locates Disks Containing Patient Data
UK's Proposed Anti Piracy Policy Draws Criticism
Federal Breach Notification Law Would Help Authorities
Malware Spreading Through Phony FDIC eMails
US-CERT Warns of Blackberry Spyware
Research Project Aims to Spoil Malware's Picnic
Two Attacks Target Facebook Users
European Commission to Consider Additional Data Privacy Rules Next Year
Energy Regulators Seek Authority to Enforce Security Standards
Throughout Power Grid
Firefox Update Fixes 11 Critical Flaws
********************* Sponsored By Palo Alto Networks *******************
Gartner's Perspective on Next-Generation Firewalls. Read this report
for Gartner's definition, requirements, and recommendations about
next-generation firewalls in the enterprise. If you are in a refresh
cycle for your firewall or IPS, this research note is a must-read.
Download a free copy now.
http://www.sans.org/info/50148
*************************************************************************
TRAINING UPDATE
-- SANS Middle East, October 31-November 11,
http://www.sans.org/middleeast09/
-- SANS San Francisco, November 9-14,
http://www.sans.org/sanfrancisco09
-- SANS Sydney, November 9-14
http://sans.org/sydney09/
-- SANS Hong Kong, November 9-14
http://www.sans.org/hong-kong-forensics-2009/
-- SANS Vancouver, November 14-19
http://www.sans.org/vancouver09/
-- SANS London, UK, November 28-December 9,
http://sans.org/london09/
-- SANS CDI, Washington DC, December 11-18,
http://www.sans.org/cyber-defense-initiative-2009
-- SANS Security East 2010, New Orleans, January 10-18, 2010
19 courses, bonus evening presentations
http://www.sans.org/security-east-2010/
Looking for training in your own community? http://sans.org/community/
Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/spring09.php
Plus Oslo, New Delhi, Geneva and Qatar all in the next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org
*************************************************************************
TOP OF THE NEWS
--GAO Report Exposes OMB Mismanagement of FISMA As Important Cause Of
US Government Cyber Security Ineffectiveness
(October 29, 2009)
A GAO report published on Thursday faults OMB for reliance on
"inadequate performance measures." OMB relies too heavily on NIST's
procedural guidance that agencies use to report "measures that do not
demonstrate the effectiveness of control activities or the impact of
information security programs." Senator Tom Carper noted that more than
$5 billion has been wasted over the past five years on "ineffective and
useless" certification and accreditation, producing reports that cost
more than $1,400 per page, are out of date when delivered, and sit in
storerooms. GAO identified five characteristics of metrics OMB should
be demanding. The characteristics reinforce the need for agencies to
move away from NIST procedural controls and toward controls that are
performance oriented, continuous, reliable, and that are prioritized to
ensure they actually reduce risk.
Senator Carper's Statement:
http://hsgac.senate.gov/public/index.cfm?FuseAction=Files.View&&FileStore_id=7824c6fa-c5f6-4506-a5a1-1e77de39f082
The GAO Testimony:
http://hsgac.senate.gov/public/index.cfm?FuseAction=Files.View&FileStore_id=9cffe896-5747-43c8-9bd7-22e21d72d799
Additional testimony from the October 29 hearing on "More Security, Less
Waste":
http://hsgac.senate.gov/public/index.cfm?FuseAction=Hearings.Hearing&Hearing_ID=8505fb0f-bf9b-4bb4-9e25-e71154391202
[Editor's Note (Paller): GAO's findings and Senator Carper's conclusions
square with concerns voiced by IT auditors in Inspectors General's
offices who have complained forcefully that they are required to rely on
OMB-mandated NIST guidance. Then OMB demands that they publish
conclusions about security when all they can measure is paperwork that
does not show the effectiveness of key security controls. The GAO
findings also reflect the conclusion of the majority of CIOs and CISOs,
most of whom have complained loudly (albeit privately) that forced
spending on consultants for FISMA reporting has so drained their budgets
that they don't have enough money left to invest in the key automation
that would enable rapid improvement in security.]
--Judge Denies Settlement Proposal in TD Ameritrade Case
(October 27 & 28, 2009)
A federal judge has denied a proposed settlement in the TD Ameritrade
data security breach case. In 2007, the personal information of more
than 6 million Ameritrade customers was compromised and was later used
to send spam. The judge said that the proposed settlement was not
"fair, reasonable or adequate," and that it benefits Ameritrade more
than it benefits the plaintiffs. In addition, the judge said that the
additional security measures the company proposed to put in place as
part of the settlement are measures any company should be implementing
as a matter of course.
http://www.computerworld.com/s/article/9139988/Judge_says_TD_Ameritrade_s_proposed_security_fixes_aren_t_enough?taxonomyId=1&pageNumber=1
http://www.storefrontbacktalk.com/supply-chain/are-judges-cracking-down-on-data-breach-corporate-victims/
--Three-Quarters of Small and Mid-Sized Companies Froze or Cut Security Spending
(October 28 & 29, 2009)
A McAfee survey of 100 small to medium-sized companies in each of nine
countries around the world found that while 71 percent believe a data
security breach could put them out of business, three-quarters of the
companies either froze or reduced their information security spending
in 2009. Two-thirds of the companies responding said they spend less
than three hours a week on security. Twenty percent of the companies
surveyed said they had experienced a data security breach within the
past year; mitigating the damage from the breaches cost an average of
US $41,000.
http://www.securityfocus.com/brief/1029
http://news.cnet.com/8301-1009_3-10384916-83.html
http://www.mcafee.com/us/research/security_paradox/index.html
[Editor's Note (Northcutt): Small businesses face an increasingly
unsolvable problem. Attack vectors are vast. Security vendors want to
deliver point solutions focusing on small fractions of possible attacks.
I am running one of the four major endpoint whitelist security products
and yes, it detects all change, but I have no way to know if it is a
good change or a bad change. Secunia PSI has been a bright light, but I
am not sure where they are taking their product mix. A small business
cannot possibly know if it is running a safe configuration. More and
more, I think we need some sort of reference operating system that we
can download and overwrite what we have on our endpoints. From the small
to medium business owner standpoint, if you can't solve the problem, why
spend money on it?
(Ullrich): I don't think the report's assumption that more spending
would have improved security is necessarily true. It is easy to spend
money on junk when it comes to security products.]
************************ Sponsored Links: ****************************
1) Incident detection in the large-scale enterprise. -What works?
Incident Detection Summit December 9-10.
http://www.sans.org/info/50153
2) UPCOMING WEBCAST: Making Database Security an IT Security Priority
Wednesday, November 4, 2009 at 1:00 PM EST
http://www.sans.org/info/50158
Sponsored by Oracle. Sign up to participate in this webcast and you will
be the first to read a new, comprehensive whitepaper on this subject.
***********************************************************************
THE REST OF THE WEEK'S NEWS
--CalOptima Locates Disks Containing Patient Data
(October 29, 2009)
Several disks that disappeared when they were sent through the mail two
weeks ago have been located at a US Postal Service facility in Atlanta,
GA. The disks had been sent via certified US mail to California managed
health care provider CalOptima from a vendor, but when the package
arrived, the smaller package inside was missing. The unencrypted disks
contain patient names, addresses, dates of birth, medical procedure and
diagnosis codes and in some cases, social security numbers (SSNs). Now
that the disks have been recovered, CalOptima no longer plans to notify
the 68,000 affected individuals.
http://www.computerworld.com/s/article/9140122/CalOptima_recovers_discs_with_personal_data_on_68_000_members?taxonomyId=17
[Editor's Note (Ullrich): Unencrypted disks and patient data. I would
be concerned even if they don't go missing. How would you ever know that
someone didn't make a copy? (and can we just get over it, and make all
of our social security numbers public?)]
--UK's Proposed Anti Piracy Policy Draws Criticism
(October 28 & 29, 2009)
UK Internet service provider (ISP) TalkTalk has threatened to initiate
legal action if a plan to cut Internet service to illegal filesharers
is approved. TalkTalk objects to the plan's implication that users
would be "guilty until proven innocent." The plan, introduced by
Britain's business secretary Lord Mandelson, would first impose download
caps or bandwidth restrictions on illegal filesharers; those who
persisted in the illegal activity could have their access cut. Lord
Mandelson said that just one in every 20 music tracks downloaded in the
UK is legal.
http://www.scmagazineuk.com/ISP-may-take-legal-action-if-Mandelson-ruling-on-cutting-off-users-is-approved/article/156416/
http://news.bbc.co.uk/2/hi/technology/8328820.stm
http://www.siliconrepublic.com/news/article/14256/new-media/uk-to-block-illegal-file-sharers-mandelson
--Federal Breach Notification Law Would Help Authorities
(October 28, 2009)
FBI Criminal Cyber Section chief Jeffrey Troy said that a federal law
requiring entities to report data security breaches to federal
authorities "would help us tremendously." If information about cyber
attacks were pooled, the FBI could draw connections between events and
help warn others and encourage them to take steps to protect themselves.
About 90 percent of US states have data notification bills, but federal
legislation has yet to be enacted. Federal agencies are already
required to report data security breaches to US-CERT.
http://www.computerworld.com/s/article/9140064/FBI_National_data_breach_law_would_help_fight_cybercrime?source=rss_security
http://www.nextgov.com/nextgov/ng_20091028_3572.php?oref=topnews
[Editor's Note (Pescatore): The vast majority of data breach disclosures
do not provide attack information, because the vast majority of data
disclosures are due to mistakes, not attacks. Breach disclosure is a
good thing just the way the newspapers publishing which restaurants were
closed down by the health department is a good thing - more information
for consumers about who has sloppy practices.]
--Malware Spreading Through Phony FDIC eMails
(October 27 & 28, 2009)
There are reports of phony FDIC notification emails that attempt to
infect users' computers with the ZBot Trojan horse program. The emails
tell the recipients that their banks have filed for bankruptcy and that
the banks' assets are now under the control of the FDIC. The links
offered in the message lead to a page that offers users a chance to see
their "personal FDIC insurance file[s]," but which actually installs the
Zeus or ZBot Trojan on their PCs.
http://voices.washingtonpost.com/securityfix/2009/10/nastygram_spoofed_fdic_bank_fa.html
http://www.darkreading.com/vulnerability_management/security/antivirus/showArticle.jhtml?articleID=221100094&subSection=Antivirus
http://www.cio.com/article/506142/New_Spam_Your_Bank_has_Failed_Download_This_Trojan
--US-CERT Warns of Blackberry Spyware
(October 27, 28 & 29, 2009)
The US-CERT has issued a warning about a free spyware program called
PhoneSnoop that can be used to bug BlackBerry phones. If the program
is installed, one call from a designated number can turn the phones into
listening devices, capable of eavesdropping on everything that happens
nearby. The person who created the program said it was done as a
proof-of-concept to demonstrate the vulnerabilities inherent in being
careless with the phones. Users could be tricked into downloading
PhoneSnoop onto their phones, or it could be installed by someone else
with access to the device. US-CERT recommends that BlackBerry users use
passwords to prevent other people from accessing the phones and to allow
downloads only from trusted sources.
http://www.h-online.com/security/news/item/BlackBerry-spyware-alert-843992.html
http://news.cnet.com/8301-27080_3-10384179-245.html
http://www.securecomputing.net.au/News/159209,us-cert-warns-of-malware-attack-against-blackberry.aspx
http://www.us-cert.gov/current/index.html#blackberry_phonesnoop_application_used_to
[Editor's Note (Schultz): Smart phones and other mobile devices are
increasingly becoming the target of malware writers. Several excellent
talks on this subject were presented at the recent Black Hat
Conference.]
--Research Project Aims to Spoil Malware's Picnic
(October 28, 2009)
Researchers at Wake Forest University and the Pacific Northwest National
Laboratory have developed an army of digital ants designed to help sniff
out malware. Each of the ants is designed to detect basic processes,
like connection rates or CPU utilization, and leave a digital pheromone
encouraging other ants to take a look if it senses an anomaly.
Suspicious activity is reported to a digital sentinel. If the sentinel
determines that something suspicious is really going on, it reports to
a digital sergeant which in turn alerts a human being. There are
different sorts of ants at the lowest levels; those that do not find
valuable information eventually die off, but those that do discover
important information are rewarded. If a certain type of ant proves
especially adept at detecting anomalies, then more ants of that type are
created. Researchers have so far created four of the 64 types of ants
they intend to develop.
http://dsc.discovery.com/news/2009/10/28/digital-ants-computer.html
[Editor's Note (Schultz): This sounds like a giant breakthrough in the
war against malware. Regardless of whether or not it works as well as
these researchers believe, it shows that a distributed approach to
detecting and eradicating malware is the most promising one. Over the
years simply running anti-malware software on each host has not proven
very effective.]
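The layered ant / sentinel / sergeant workflow summarised in this item, as an added toy simulation (not the Wake Forest or PNNL code): each ant checks one basic host signal, lays pheromone on a host that looks anomalous so other ants converge on it, a sentinel corroborates before a sergeant raises a single alert, and ant types that find nothing die off while the productive type multiplies. The host metrics, thresholds, energy and reward rules are all constructed assumptions.

```python
"""Toy simulation of the 'digital ants' detection design: ants, pheromone,
sentinel corroboration, sergeant alert, and selection between ant types.
Added example; hosts, thresholds and rules are constructed, not the project's."""
from collections import Counter

# Constructed per-host telemetry; "db2" is the planted anomaly.
HOSTS = {
    "web1": {"conn_rate": 40, "cpu": 35},
    "web2": {"conn_rate": 45, "cpu": 30},
    "db1": {"conn_rate": 10, "cpu": 50},
    "db2": {"conn_rate": 900, "cpu": 97},
}

# Each ant type watches one basic process (assumed thresholds).
ANT_CHECKS = {
    "conn": lambda m: m["conn_rate"] > 300,
    "cpu": lambda m: m["cpu"] > 90,
    "idle": lambda m: False,  # a type that never finds anything useful
}
SENTINEL_THRESHOLD = 2  # pheromone level that draws the sentinel's attention
START_ENERGY = 3        # an ant dies after this many fruitless visits


class Ant:
    def __init__(self, kind, pos):
        self.kind, self.pos, self.energy = kind, pos, START_ENERGY

    def visit(self, host, pheromone):
        if ANT_CHECKS[self.kind](HOSTS[host]):
            pheromone[host] += 1  # draw other ants to this host
            self.energy += 1      # reward for a useful finding
        else:
            self.energy -= 1


def sentinel_confirms(host):
    """Sentinel re-runs every check; suspicious only if two or more agree."""
    return sum(check(HOSTS[host]) for check in ANT_CHECKS.values()) >= 2


def run_colony(rounds=3, per_type=2):
    names = list(HOSTS)
    kinds = [k for k in ANT_CHECKS for _ in range(per_type)]
    ants = [Ant(kind, i % len(names)) for i, kind in enumerate(kinds)]
    pheromone, alerts = Counter(), []
    for _ in range(rounds):
        # ants follow the strongest pheromone trail, else wander host to host
        hot = max(pheromone, key=pheromone.get) if pheromone else None
        for ant in ants:
            ant.visit(hot if hot else names[ant.pos], pheromone)
            ant.pos = (ant.pos + 1) % len(names)
        # sentinel -> sergeant -> human: alert each confirmed host once
        for host, level in pheromone.items():
            if level >= SENTINEL_THRESHOLD and host not in alerts:
                if sentinel_confirms(host):
                    alerts.append(host)  # sergeant alerts a human
        # selection: fruitless ants die, the most productive type multiplies
        ants = [a for a in ants if a.energy > 0]
        by_kind = {}
        for a in ants:
            by_kind.setdefault(a.kind, []).append(a.energy)
        if by_kind:
            best = max(by_kind, key=lambda k: sum(by_kind[k]) / len(by_kind[k]))
            ants.append(Ant(best, 0))
    return {"alerts": alerts, "population": Counter(a.kind for a in ants)}


if __name__ == "__main__":
    print(run_colony())
```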
--Two Attacks Target Facebook Users
(October 28 & 29, 2009)
Phishers have been targeting Facebook users with an attack designed to
steal account usernames, passwords and other sensitive information.
Victims receive messages indicating their passwords have been reset as
a security precaution; an accompanying attachment purports to contain
the new password, but actually contains a Trojan downloader program
known as Bredolab. Infected computers could potentially become part
of a botnet. A second Facebook attack arrives as an invitation to use
a new login procedure; the spoofed login page appears with the
username already filled in and asks for the password. Users are then
prompted to download the update, which is actually a variant of the
Zbot Trojan.
http://www.computerworld.com/s/article/9140058/Massive_bot_attack_spoofs_Facebook_password_messages?source=rss_security
http://news.cnet.com/8301-17939_109-10384028-2.html?part=rss&subj=news&tag=2547-1009_3-0-20
http://www.darkreading.com/security/attacks/showArticle.jhtml;jsessionid=GRQ315JU2HN51QE1GHPSKH4ATMY32JVN?articleID=221100157&subSection=Attacks/breaches
http://www.scmagazineuk.com/Second-Facebook-spam-email-campaign-detected-this-week/article/156415/
http://blogs.usatoday.com/technologylive/2009/10/facebook-users-under-cyberattack.html
http://news.cnet.com/8301-27080_3-10385498-245.html
--European Commission to Consider Additional Data Privacy Rules Next Year
(October 29, 2009)
In 2010, the European Commission plans to review privacy and data
protection rules in the European Union. While the Commission has a
telecommunications package that addresses data breach response, it will
also consider new rules that would require organizations to publicly
acknowledge data loss incidents. The entities would be required to
notify authorities and those affected by the breaches.
http://www.theregister.co.uk/2009/10/28/data_breach_law/
http://www.euractiv.com/en/infosociety/brussels-tighten-data-protection-rules/article-186779
--Energy Regulators Seek Authority to Enforce Security Standards
Throughout Power Grid
(October 27 & 28, 2009)
The Federal Energy Regulatory Commission (FERC), the North American
Electric Reliability Corp. (NERC), and the US Department of Energy say
that pending legislation in the US House of Representatives could help
protect the country's power grid from cyber attacks. Presently, FERC
does not have authority "to address cyber or other national security
threats to the reliability of our transmission and power system." FERC
regulates the bulk power system, which comprises power generation and
high voltage systems, but does not include distribution substations and
lower voltage power distribution networks.
http://gcn.com/Articles/2009/10/28/Smrt-Grid-security-hearing-102809.aspx?Page=1
http://www.nextgov.com/nextgov/ng_20091027_3165.php
--Firefox Update Fixes 11 Critical Flaws
(October 27, 2009)
Mozilla has updated its Firefox 3.5 web browser to address 16 security
flaws. Firefox 3.5.4 includes fixes for 11 critical flaws, some of
which could possibly be exploited to execute arbitrary code. Mozilla
also released Firefox 3.0.15, which contains nine fixes, four designated
critical. Mozilla plans to discontinue support for Firefox 3.0 in
January 2010.
http://www.computerworld.com/s/article/9140008/Mozilla_fixes_16_flaws_with_Firefox_3.5.4?taxonomyId=17
http://www.h-online.com/security/news/item/Mozilla-fixes-critical-bugs-with-Firefox-3-5-4-and-3-0-15-843475.html
**********************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center and Dean of the Faculty of the graduate school at the SANS
Technology Institute.
Ed Skoudis is co-founder of Inguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.
Rohit Dhamankar is the Director of Security Research at TippingPoint,
where he leads the Digital Vaccine and ThreatLinQ groups. His group
develops protection filters to address vulnerabilities, viruses, worms,
Trojans, P2P, spyware, and other applications for use in TippingPoint's
Intrusion Prevention Systems.
Prof. Howard A. Schmidt is the President of the Information Security
Forum (ISF) and author who has served as CSO for Microsoft and eBay and
as Vice-Chair of the President's Critical Infrastructure Protection
Board.
Tom Liston is a Senior Security Consultant and Malware Analyst for
Inguardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.
Ron Dick directed the National Infrastructure Protection Center (NIPC)
at the FBI and is the incoming President of the InfraGard National
Members Alliance - with 22,000 members.
Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.
David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology
Institute.
Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of
the State of California.
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.
Clint Kreitner is the founding President and CEO of The Center for
Internet Security.
Brian Honan is an independent security consultant based in Dublin,
Ireland.
David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/