SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume IX - Issue #77

September 28, 2007

When the history of cyber security is written, today's first story in NewsBites is likely to lead one of the major chapters. You'll find both the CNN and Associated Press videos by clicking on the picture at the bottom of the story at
http://rawstory.com/news/2007/Study_U.S._power_grid_could_be_0927.html

About 1,800 SANS alumni in the electric power, oil and gas, and other affected industries got a special note this morning about how to get involved in the strategic initiative to fix this problem. Whether or not you are an alumnus, if you work in cyber security, audit, or control systems engineering in any of the affected industries, please let us know your industry, company and role so we can connect you with the right subgroup. Email scada@sans.org.
Alan

---

TOP OF THE NEWS

DHS Video Shows Effects of Remote Cyber Attack On Electric Power Turbine
Canada's Privacy Commissioner Says TJX Breach Was Foreseeable Audit
Departments Not Given Enough IT Security Responsibilities

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
Two Indicted for Allegedly Stealing Trade Secrets Former Employee
Pleads Guilty to Hacking Cox Communications Connecticut AG
Investigating Alleged Pfizer Data Compromise
SPYWARE, SPAM & PHISHING
"Verified by Visa" Phishing Scam Targets BofA Customers
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Microsoft Looking Into Problems with WU Stealth Updates Google
Repairs Cross-Site Scripting Vulnerability Directory Traversal Flaw
Exposes Adobe Web Server AIM Flaw Could be Used in Worm Attack
LIST OF UPCOMING FREE SANS WEBCASTS

---

********************** Sponsored By netForensics, Inc. ******************

**FREE** Log Management Trial: Simplified secure event log management for compliance and audit. Log management can be affordable, easy AND effective. Bare-bones solutions lack extended features - and complex solutions are expensive and difficult to deploy.
Download your free trial of nFX Log One today!
http://www.sans.org/info/17101

*************************************************************************

TRAINING UPDATE
Where can you find Hacker Exploits, Security Essentials, Forensics, Wireless, Auditing, CISSP, and SANS' other top-rated courses?

- - Washington DC (12/13-12/18): http://www.sans.org/cdi07
- - New Orleans (1/12-1/17): http://www.sans.org/security08/event.php
- - London (11/26 - 12/1): http://www.sans.org/london07/
- - Chicago (11/2-11/7): http://www.sans.org/chicago07/event.php
- - Tokyo (11/5-11/10): http://www.sans.org/sanstokyo2007_autumn/event.php

How good are the courses? Here's what past attendees said:
"An extraordinary amount of information covered in a week, backed up with excellent documentation for those long winter nights." (Keith Mellism, Canada Life)
"This course has valuable information that can be implemented immediately in the work place." (Christopher O'Brien, Booz Allen Hamilton)
"You will never ever find anything more valuable than SANS super knowledge. Worth the price!!" (Carlos Fragoso, CESCA)

Looking at Data Leakage or Encryption, hear lessons learned by the pioneers:
***WhatWorks in Stopping Data Leakage and Insider Threat Summit
http://www.sans.org/leakage07_summit/
***WhatWorks in Mobile Encryption Summit
http://www.sans.org/encryption07_summit/

*************************************************************************

---

TOP OF THE NEWS

DHS Video Shows Effects of Remote Cyber Attack on Electric Power Turbine (September 26 & 27, 2007)

CNN and the Associated Press obtained and disclosed a video created for the US Department of Homeland Security (DHS) showing the effects of a simulated cyber attack on the nation's power grid. The film includes an overheating turbine that ultimately is destroyed. The test was conducted in March by the Idaho National Laboratory and involved exploitation of a vulnerability in the Supervisory Control and Data Acquisition (SCADA) control systems. The particular vulnerability exploited in the March demonstration attack has been addressed, but others likely exist as SCADA systems were not developed with security in mind. There has been disagreement about the amount of damage a remote cyber attacker could do.
-http://www.washingtonpost.com/wp-dyn/content/article/2007/09/26/AR2007092602170_
pf.html
-http://www.securityfocus.com/brief/597
-http://blog.wired.com/27bstroke6/2007/09/simulated-cyber.html

Canada's Privacy Commissioner Says TJX Breach Was Foreseeable (September 25 & 26, 2007)

An eight-month investigation conducted by Canadian Privacy Commissioner Jennifer Stoddart with the help of Frank Work, the Information and Privacy Commissioner of Alberta, found that the cyber thieves who stole millions of transaction records from TJX companies computer systems did so by intercepting wireless data transmissions. Investigation findings condemned TJX companies for failing to implement stronger encryption and storing far too much customer data for far too long. A TJX spokesperson says that while the company does not agree with all the report's findings, it has agreed to implement the recommendations it makes. Commissioner Stoddart found that TJX violated Canadian privacy law. She also said that the breach was "foreseeable" given the aforementioned factors.
-http://www.msnbc.msn.com/id/20979359/
-http://news.zdnet.co.uk/security/0,1000000189,39289645,00.htm?r=1
[Editor's Note (Pescatore): My daughter's soccer coach gave the team t-shirts that say "The desire to win is useless without the discipline to practice" The vast majority of attacks are foreseeable; the issue is taking action to prevent the foreseeable. TJX had more problems than just wireless LANs, but wireless point of sale and inventory devices (and the associated access points) are one of the biggest areas of risk in retail IT systems and one of the frequent reasons for failing PCI compliance. Open or just WEP-protected WLANs really are one of those "it is broke, you have to fix it" scenarios.
(Schultz): Too often I have heard individuals claim that risks associated with open wireless networks are overrated. This news item should for once and for all destroy any remaining credibility to this claim.]

Audit Departments Not Given Enough IT Security Responsibilities (September 21, 2007)

Among respondents to a survey of corporate audit departments, 55 percent say they do not "have responsibility for auditing risk around information security and privacy," and half do not have business continuity oversight. Ninety percent believe the amount of IT security oversight their departments are assigned should be increased. Most audit committees said their highest priorities were general risk management, internal controls and accounting judgments. The survey gathered responses from 1,300 audit committee members in 25 countries.
-http://software.silicon.com/security/0,39024655,39168530,00.htm

---

************************* Sponsored Links: ***************************

1) Find out what Seagate knows about secure storage. It could improve your company's security.
http://www.sans.org/info/17106

2) Learn to select and implement the right tools at the Data Leakage and Insider Threat Summit December 3-4. http://www.sans.org/info/17111

3) Come to Orlando and hear the latest on encryption tools - Encryption Summit December 3-4
http://www.sans.org/info/17116

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

Two Indicted for Allegedly Stealing Trade Secrets (September 27, 2007)

Two men have been indicted on charges of conspiracy, economic espionage and theft of trade secrets for allegedly stealing microchip designs. Lee Lan and Ge Yuefei allegedly tried to steal proprietary information from NetLogics Microsystems, for whom they both worked at the time. Data found on both men's home computers, as well as the fact that they established a company to develop the stolen technologies, implicates them further. The men also allegedly stole information from Taiwan Semiconductor Manufacturing Corporation.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9039282&source=rss_topic17
-http://news.bbc.co.uk/2/hi/americas/7015916.stm

Former Employee Pleads Guilty to Hacking Cox Communications (September 27, 2007)

A former Cox Communications employee has pleaded guilty to breaking into the company's networks and disrupting telecommunications service for Cox customers in Louisiana, Texas and Utah. William Bryant said he caused the disruption after he was asked to resign. Emergency service was affected for almost two hours. Bryant's sentencing is scheduled for December, when he will face up to 10 years in prison and a fine of up to US $250,000.
-http://www.shreveporttimes.com/apps/pbcs.dll/article?AID=/20070927/BREAKINGNEWS/
70927009

Connecticut AG Investigating Alleged Pfizer Data Compromise (September 26, 2007)

The Connecticut Attorney General has launched an investigation following the revelation that confidential Pfizer data were found on a computer at another company. Pfizer became aware of the situation after the unnamed company sent Pfizer a CD containing the data. The data had apparently been found on a computer at that company which was used by someone who had previously been employed at Pfizer. Pfizer notes that the person in question had legitimate access to those data at the time of employment. The compromised data include credit card and bank account numbers, employee names, Social Security numbers (SSNs) and driver's license information.
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=202101944

SPYWARE, SPAM & PHISHING

"Verified by Visa" Phishing Scam Targets BofA Customers (September 24 & 26, 2007)

Phishing emails have been detected that pretend to be related to the legitimate Verified by Visa program. Participants in the program enroll their Visa cards so that online transactions will require a password. The link provided in the message takes people to a fraudulently constructed site where they are asked to supply their card information purportedly to activate the authentication program. The message concludes by threatening that if they do not enroll, their card may be temporarily disabled, an indication that the email is not legitimate. The phony messages specifically mention Bank of America (BofA); because so many people have cards from BofA, the likelihood that these messages result in theft of financial information is higher.
-http://www.theregister.co.uk/2007/09/26/verified_by_visa/print.html
-http://www.consumeraffairs.com/news04/2007/09/visa_scam.html

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Microsoft Looking Into Problems with WU Stealth Updates (September 27, 2007)

Microsoft is investigating a report that the stealth updates it made to Windows Update (WU) in July and August cause problems for Windows XP in certain situations. The Windows XP "repair" function allows users to reinstall Windows XP system files while allowing files and other applications to remain as is. The problem is that because of the WU update, as many as 80 recent patches will not be installed on systems where the user has employed the "repair" function.
-http://www.eweek.com/article2/0,1759,2189878,00.asp
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxo
nomyName=security&articleId=9039258&taxonomyId=17&intsrc=kc_top

Google Repairs Cross-Site Scripting Vulnerability (September 27, 2007)

Google has fixed a cross-site scripting flaw that could be exploited to steal Gmail contacts and incoming mail. The exploit would require the targeted individual to be logged in to Gmail and to click on a maliciously crafted link. At that point, the attacker would have control of Gmail session cookies. To protect their systems from attacks, users could access Gmail through Firefox with JavaScript disabled.
-http://www.news.com/2102-1002_3-6210353.html?tag=st.util.print
-http://www.itweek.co.uk/vnunet/news/2199803/gmail-flaw-puts-inbox-risk

Directory Traversal Flaw Exposes Adobe Web Server (September 26 & 27, 2007)

A directory traversal flaw in an Adobe webserver CGI script potentially exposes internal webserver files. There are indications that "the private key Adobe uses to authenticate itself during Secure Socket Layer (SSL) sessions was exposed." Possession of the key could give attackers what they need to spoof trusted areas of the site. The hole could be exploited to "read any file on
[Adobe's ]
server that the web application has permission to read."
-http://www.theregister.co.uk/2007/09/27/adobe_website_leak/print.html
-http://www.heise-security.co.uk/news/96605
[Editor's Note (Skoudis): Good, old-fashioned directory traversal flaws rear their ugly head again. Don't fall into the trap of thinking this kind of issue is old or unimportant. We still see it all the time, in custom-created web apps and even commercial products. And, using it to steal an SSL private key from a website is particularly damaging. If you do penetration tests, make sure you check for these kinds of things, especially with the myriad of encoding schemes available. In this Adobe case, no encoding whatsoever was required; a simple ../.. would suffice. ]

AIM Flaw Could be Used in Worm Attack (September 26, 2007)

A flaw in AOL Instant Messaging (AIM) could allow remote execution of arbitrary commands, remote exploitation of IE bugs and code injection; the hole could be exploited to launch a worm attack. "The flaw has to do with the way the AIM software uses Internet Explorer's (IE) software to render HTML messages." The exploit would not require user interaction to spread. AOL is filtering AIM traffic for suspicious activity, but the vulnerability in the client software has not yet been patched. The flaw affects AIM versions 6.1, 6.2 beta, Aim Pro and Aim Lite. AOL says it expects to have a patch available for the flaw by the middle of October.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxo
nomyName=security&articleId=9038962&taxonomyId=17&intsrc=kc_top
-http://blogs.zdnet.com/security/?p=542
-http://www.scmagazineus.com/Core-Security-discloses-AIM-vulnerability/article/35
840/
-http://www.securityfocus.com/brief/596

LIST OF UPCOMING FREE SANS WEBCASTS

Ask the Expert: Payment Card Data Law: The Changing Landscape
WHEN: Wednesday, October 3, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Ben Wright and Tracey Mustacchio
-http://www.sans.org/info/16841
Sponsored By: TraceSecurity

2007 is shaping up to be a landmark in the law on merchant liability for loss of credit and debit card data. A flurry of lawsuits are pending against TJX for the break-in it announced in January. Minnesota enated pioneering legislation imposing new liability on merchants, and as of mid-September California was on the verge of doing something similar.

Ask the Expert: Late-Breaking Computer Attack Vectors by Mike Poor
WHEN: Tuesday, October 16, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKER: Mike Poor
-http://www.sans.org/info/16856
Sponsored By: Core Security

This lively session will discuss recent and anticipated computer and network attack vectors, showing the most powerful tools in the bad guys' arsenal today and predicting where they are headed in the future. Specific topics to be discussed include client-side exploitation and the rise of privilege escalation attacks against Windows Vista and other operating systems.

Ask the Expert: The Evolution of Access Management
WHEN: Wednesday, October 17, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Dave Shackleford and Howard Ting
-http://www.sans.org/info/16861
Sponsored By: Securent

In this webcast, learn how access control technologies have evolved over the years, the types of access management solutions organizations are evaluating today, and the challenges they face in design and implementation.

Tool Talk Webcast: Guidelines for Implementing Role-Based Security Policies in Unix/Linux Environments
WHEN: Wednesday, October 31, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATRUED SPEAKER: Alan Dobbs
-http://www.sans.org/info/16876
Sponsored By: FoxT

In this webinar, you will discover how FoxT's IT Controls solution suite is helping organizations, including five of the top ten banks, resolve access control challenges and achieve unprecedented speed in adopting role-based security policies across multi-vendor Unix/Linux infrastructures.

---

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/