Cyber Security Act of 2009

Published: 2009-04-03
Last Updated: 2009-04-06 18:33:01 UTC
by Johannes Ullrich (Version: 1)

You may have heard in the news about the "Cyber Security Act of 2009", or the "Rockefeller-Snowe legislation". The news actually relates to two proposed laws, which are currently in their draft stage. A lot can and will change until they are passed, if they are ever passed. But I believe that as infosec professionals, we have a duty to stay in the loop on these laws and chime in if we see something that doesn't quite sound right. So here comes a quick review from someone who has little insight into politics.

The first law establishes a position of "National Cybersecurity Advisor". This person would advise the president directly about cyber security. Similar to the national security advisor, he would report directly to the president. Of course, the president may just decide not to listen. But the bill also requires that this advisor controls the cyber security budget. So there is some real "bite" added to the "bark". Many have asked for a position like this. Until now, cyber security has been "hidden" deep inside the Department of Homeland Security, and the position had notorious issues attracting candidates. It was vacant for a long time, in part because there was little budget control associated with it.

The real interesting part is the second proposed bill, the actual "Cyber Security Act of 2009". I think it starts out with a good concept. The president will appoint a "Cybersecurity Advisory Panel" which will be composed of representative from industry, government, non-profits and other stakeholders. The idea is to find people with clue to propose and review solutions. The panel will also issue reports on how we are doing with respect to cyber security and what could be done better.

Next in line is a rather practical proposal: a cyber security dashboard. Kind of like every CISO would like to have, but this time for the federal networks. The Department of Commerce (DoC) would be in charge of this panel. One thing I noticed is that the Department of Commerce is put in charge of a lot of things here. Homeland Security almost never shows up. This is interesting. Traditionally, the DoC was very involved in the creation and management of the Internet (we will get to that later in more detail). And I actually like a lot of the security related standards DoC came up with over the years. Homeland Security currently runs US-CERT, but overall has played a more reactive role and never had much success in setting standards. Probably in part due to the personnel situation.

The next part asks the federal government to establish local and state cybersecurity centers. The federal government would provide assistance and funding to such centers. The bill contains a lot of details about these centers. In short: they would get the word out. These centers would help businesses with the implementation of security standards. They would even offer loans to purchase software and equipment. This sounds a bit like the Small Business Administration that assists small businesses around the country. One problem I can see is that this may overlap and conflict with other efforts put forward by local and state governments. I just hope they will all work together. The bill provides for such a collaboration.

And finally the DoC shows up again with NIST, the National Institute of Standards and Technology. I almost ended up working for them out of college on a project to establish a new method to define the kilogram. Well, times change. NIST is not only working on meters and kilograms. Cybersecurity is another important field in which to set standards, and NIST is tasked to set them. The list of standards is long and includes software security as well as a standard vulnerability specification language. The bill suggests considering international standards.

Section 7 is the one that caught a lot of attention: the bill requires that within only one year a licensing program be established, and 3 years later everybody involved in cyber security for the federal government or in "critical infrastructure networks" has to be certified. That is a very short time! Not many details here. But DoC is in charge again.

Section 8 gets to the meat of why DoC is in charge: DoC still owns the root zone! This is not widely known. But ICANN operates the root zone (and with it IANA) under a contract with DoC. This section states that all changes to the contract between DoC and ICANN have to consider cyber security. At the time the contract is up for renewal, DoC could add certain cybersecurity requirements.

The bill continues with the domain name system. The next section requires the implementation of a secure domain name addressing scheme. The plan for it has to be ready within 3 years. This sounds like mandating DNSSEC, but DNSSEC is not mentioned by name so DoC could come up with something new and better.

Section 10 requires DoC to establish a national cyber awareness campaign. Certainly not a bad idea. Have to see what they come up with. I see cybersecurity posters and TV ads in the future.

The National Science Foundation (NSF) will be in charge of a large cybersecurity research program. Again a lot of details here, and even dollar amounts. I have no idea if these amounts are reasonable. The money would be disbursed as research grants. NSF has a lot of experience with this and is certainly the right place to manage a project like this. It is interesting to note that software security is again prominently mentioned.

NSF will also be in charge of a "Scholarship for Service" program. There exists already a similar program. The federal government will pay for your tuition and expenses and in return you will have to work for the government for a while. From what I see, the program would provide 1,000 scholarships (tuition + stipend) and in return for each year you receive the scholarship you have to work one year for the federal government. The money can be used for undergraduate and graduate degrees.

Section 13 is somewhat research related. NIST will create cyber security challenges with prize money. These challenges in particular include schools and universities. Nice idea!

Section 14 talks about information sharing. This section seems to essentially identify what US-CERT is supposed to be doing now (US-CERT is run by DHS). We will see where this goes, but there is certainly some room for turf wars in this section.

Sections 15, 16 and 17 mandate a set of reports, essentially reporting on how the program is doing. Section 17 is a bit different, as it talks about a possible identity management program. Some comments have suggested that this is heading towards some form of national ID, which is in itself a heavily debated topic.

Section 18 has received quite a bit of coverage already. It essentially puts the president "in charge" of the internet and allows him to shut it down if needed ("federal and critical infrastructure systems" only, again). This is similar to shutting down air traffic after 9/11 and would certainly be a step of last resort. Lesser measures may include the disconnect of certain federal networks, canceling of contracts or withholding of pay.

Sections 19 and 20 talk about various reports again. In particular, a review after 4 years and the inclusion of cyber threats in the national intelligence report.

Section 21 makes clear that standards and other measures should be coordinated internationally.

Section 22 is very interesting again. The law requires a secure services and acquisition board to be created, which will review any "high value purchase". New purchases of software have to comply with the NIST standards. This has been a very valuable approach in the past, and it has been one way the federal government has influenced product security. If the federal government mandates a particular configuration standard, vendors tend to gravitate to it and offer the same configuration for other users as well. After all, it wouldn't make sense to maintain multiple configurations, and the federal government tends to be a large enough buyer to demand the necessary changes.

Well, if you are interested, you can find the two bills here:

The full text is not available as of the last time I checked.

Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: iana icann law legal

DNS Providers Under Attack

Published: 2009-04-03
Last Updated: 2009-04-04 02:53:13 UTC
by Lenny Zeltser (Version: 2)

We've been keeping an eye on the issues affecting the domain servers of Several readers have written to us with concerns over the lack of availability of's servers, which seem to have been under a DDoS attack. There are also reports that DNS provider NeuStar (UltraDNS) may be under DDoS, too.

We don't have any information at the moment about these incidents, beyond what is reported in the following articles: issues are causing lots of issues across the web. One reader told us, "We are struggling to keep our websites available. DNS is the problem. We are being told by that the April 1 issues are affecting them. It sounds like they are being DOS'd and are filtering certain ISPs from querying them." Another reader said, "'s DNS servers have gone offline for the second time in 24 hours. They were down yesterday from about 15:45 - 18:45 and just went down again today at about 14:30 (all times EST)."

Update: Alan shared with us the email his company, a customer of, received from today (see below). Alan also told us "Although we had no reports of issues with access to our sites, we are not certain of any impact yet."


Earlier today we communicated to you we were experiencing intermittent service disruptions as a result of a distributed denial of service (DDoS) attack – an intentionally malicious flooding of our systems from various points across the internet.

We want to update you on where things stand.

Services have been restored for most of our customers including hosting and email. However for some of our customers, services are not fully restored. We know this is unacceptable.

We are using all available means to restore services to every one of our customers and halt this criminal attack on our business and our customers’ business. We are working round the clock to make that happen.

We are committed to updating you in as timely a manner as possible, please check your inbox or our website for additional updates.

Thank you for your patience.

Larry Kutscher
Chief Executive Officer


If you have any additional details regarding these attacks, please let us know.

-- Lenny
Lenny Zeltser - Security Consulting
Lenny teaches malware analysis at SANS Institute. You're welcome to follow him on Twitter. You can track new Internet Storm Center diaries by following ISC on Twitter.



Three Laws of Behavior Dynamics for Information Security

Published: 2009-04-03
Last Updated: 2009-04-04 01:05:04 UTC
by Lenny Zeltser (Version: 3)

Successful security initiatives are not only grounded in business objectives, but also account for behavioral factors that influence decisions. When creating a security design, consider my Three Laws of Behavior Dynamics:

  1. Individuals will maintain their routines, letting status quo prevail unless a major imbalance occurs.
  2. Individuals will gravitate towards what's personally gratifying and convenient when making decisions.
  3. An attempt to introduce change will be met with resistance at least equal in force and determination.

Law 1 (status quo) recognizes that we're creatures of habit. People will attempt to stick to old processes even after being directed to proceed differently. Maybe you introduced new change management practices, or attempted to lock down the use of USB keys, or created new password reset procedures... Expect the affected individuals to look for ways to maintain their previous routines, regardless of new official guidelines. How will you detect such non-compliant practices? Also, consider how you will respond: will you be aggressive or gentle when changing the behavior in the desired direction?

Law 2 (personal gratification) emphasizes that many individuals are influenced by self-interest. As a security professional, you often rely on the support of colleagues in other departments to enforce policies, identify incidents, or implement defenses. When asking for help, consider how the other groups will benefit from your initiative, and highlight those benefits in your discussions. One example: if advocating the need for centralized logging, discuss the speed with which operations will be able to investigate even non-security events, and the improved accountability that auditing and governance teams will obtain.

Law 3 (aversion to change) may be a corollary to Law 1, as it discusses the need to anticipate resistance to unfamiliar processes, goals or tools. For instance, if preparing a security budget or a proposal for a security project, consider whose work or lives might be most affected by it. Then think about the objections those individuals may pose, and prepare responses that account for possible benefits to those people, per Law 2.

What do you think? Is this a bunch of baloney, or does it resonate with your experiences? Do you have any examples of situations where these laws exhibited themselves? We'll be glad to hear from you.

Update 1: Zac B shared his perspective on these Laws with us, "It has always amazed me that people will spend twice as much effort in resisting something as would be taken to implement an improvement." He also emphasized that the rule of inertia is reinforced by the mentality that "if it worked for my predecessor so it'll work for me."

Update 2: Sam Bowne outlined his thoughts on the topic, "I think the three laws describe thoughtless, unconscious behavior, like scratching an insect bite. That is probably accurate for most workers, to whom security procedures are seen as irrelevant irritations. But there are also interested parties who focus on security procedures and search for opportunities in them, for good or ill. And often they matter more than the unmotivated majority."
-- Lenny



PowerPoint zero-day vulnerability (969136)

Published: 2009-04-03
Last Updated: 2009-04-03 21:03:28 UTC
by Lenny Zeltser (Version: 3)

Several ISC readers shared with us a link to Microsoft's advisory 969136, which describes a zero-day vulnerability in PowerPoint.

You can also find the description of the exploit observed in the wild on the Microsoft Malware Protection Center blog, and additional technical details on the Microsoft Security Research & Defense blog. Kudos to Microsoft for being so transparent about the incidents! (Thanks for the links, Juha-Matti.) 

The CVE placeholder for this vulnerability is CVE-2009-0556 (not live as of this writing).

If you have observed the exploit in the wild and can share the details with us, please let us know.

Update 1: Sergio de los Santos shared with us the SHA-1 hashes VirusTotal received of the known malicious PPT files that exploit this vulnerability: 


Update 2: An ISC reader highlighted the effectiveness of the latest version of the Microsoft Office Isolated Conversion Environment (MOICE) for converting "legacy" binary formats of Office documents to XML-based formats. XML versions of Office documents are less likely to carry exploits. Microsoft recommends using MOICE prior to opening Office documents that arrive in binary formats from unfamiliar parties. I'm skeptical about the practicality of rolling out and supporting MOICE on a large scale, but it sounds like a good approach for some situations. The ISC reader pointed out that the initial release of MOICE "was flawed," so if using it, make sure you have the latest version (which came out around May 2007). He also mentioned that "MOICE uses the system TEMP/TMP folder for scratch space during file conversions, and scratch data is not automatically wiped or deleted."

-- Lenny



Free security awareness training on-line from InfraGard

Published: 2009-04-03
Last Updated: 2009-04-03 18:09:17 UTC
by Lenny Zeltser (Version: 2)

InfraGard announced the availability of free-online security awareness training at  The course is free; there is a fee of $24.95 for those who wish to take a certification exam.

It's great to see such a training resource available at no cost, since many employees can benefit from security awareness training, yet some companies have a hard time justifying paying for it.

Going through some of the sessions, I found the delivery format clean, though not very exciting. That's perhaps my biggest concern about this course--individuals not motivated to learn its contents may have a hard time paying attention. (I wrote about the need to make awareness training exciting in an earlier diary.)

Yet many of the lessons in the course contain information personally relevant to the individuals taking the course, which is great to see. The Flash-based course consists of 13 lessons, covering topics such as:

  • Who commits cybercrime
  • Social engineering
  • Email use
  • Safe web use
  • Preventing identity theft

Congrats to the InfraGard team on having made this available, and thanks.

Update: Chris pointed us to OnGuard Online, which has excellent (and entertaining) games and videos that promote on-line security practices. Nicely done!

-- Lenny





