SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume X - Issue #101

December 29, 2008

The January 2009 OUCH! (the monthly security newsletter for end users) has some great material. If you want to distribute it to your users (as more than 6,000 companies and agencies do every month) just subscribe at http://www.sans.org/newsletters/#ouch . There is no charge and redistribution is allowed within organizations. In 2009 the goal of OUCH! is changing a little. Beginning in February, it will start to help end users know how to look for security breaches of their systems and, when they find something, what to tell the security people at their organizations or their ISPs.
Alan

---

TOP OF THE NEWS

Maryland Seeks Reimbursement From Voting Machine Company for Fixing Security Holes
Report Finds DHS Intelligence Fusion Centers Present Privacy Concerns

THE REST OF THE WEEK'S NEWS

ARRESTS, CHARGES, CONVICTIONS & SENTENCES
Computer Engineer Will Stand Trial for Allegedly Holding City Network Hostage
Software Company President Sentenced for Hacking and Proprietary Data Theft
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
FEMA Investigating Evacuee Data Exposed on Internet
VULNERABILITIES
Microsoft Warns of SQL Flaw
MALWARE
Samsung Digital Picture Frame Software Disk Infected with Keystroke Logging Malware
DATA THEFT, LOSS & EXPOSURE
RBS WorldPay Data Breach Affects More than 1 Million Customers
Cedars-Sinai Medical Center Notifies Patients of Data Theft
MISCELLANEOUS
CastleCops Raises the Drawbridge
Microsoft Malicious Software Removal Tool Cleaned Phony Security Apps From 400,000 PCs
Bank Info Security's Top 10 Security Breaches

---

********** WHAT'S HAPPENING IN CONTROL SYSTEMS SECURITY? ***************

Last year the CIA chose the SCADA Security Summit to release the explosive data about multi-city power outages caused by remote hackers/extortionists. This year the FBI will be sharing data about what's happening in this arena, the chair of the NY Public Service Commission will focus on the new many-billion dollar smart grid and panelists will discuss security concerns in the smart grid. Chairman Brown will also help security people learn to talk security with public service commissioners. The new CSO at NERC will explain what changes are coming in the CIP standards and you'll also find out which vendors are doing the best job and how the standard procurement specs have changed for buying security baked in. Plus 20 more critical sessions. This is to one conference to attend in 2009 if you work in control systems security. And you can attend free SCADA security courses sponsored by DHS on the same trip. February 2-3 (courses on the 3rd), Orlando: https://www.sans.org/scada09_summit/

*************************************************************************

TRAINING UPDATE

- - SANS 2009 in Orlando in early March - the largest security training conference and expo in the world. lots of evening sessions: http://www.sans.org/
- - SANS Security West Las Vegas (1/24-2/01) http://sans.org/securitywest09/
- - Looking for training in your own Community? http://sans.org/community/
For a list of all upcoming events, on-line and live: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

Maryland Seeks Reimbursement From Voting Machine Company for Fixing Security Holes (December 25, 2008)

The state of Maryland has filed a claim against Premier Election Systems (formerly known as Diebold) to recover US $8.5 million in costs associated numerous security issues with the company's touch-screen voting machines. The state decided to make changes to the machines based on information from independent sources to ensure smooth elections. Diebold attorneys maintain that the allegations made in the lawsuit are vague, "inaccurate and unfounded." The claim will be considered by the Maryland Board of Contract Appeals. Maryland is not the only state involved in legal disputes with Premier/Diebold over security issues in its voting products; Ohio has a lawsuit pending and the company settled claims made by California several years ago.
-http://www.washingtonpost.com/wp-dyn/content/article/2008/12/24/AR2008122401449_
pf.html
-http://news.slashdot.org/article.pl?sid=08/12/25/135240
[Editor's Note (Northcutt): Maryland has had numerous problems with voting machines, many covered in NewsBites. That leads me to believe they have a good chance of getting some money:
-http://www.bradblog.com/?p=3719
-http://www.johnbonifaz.com/blog/20060914-maryland
-http://en.wikipedia.org/wiki/Premier_Election_Solutions
-http://www.computerworld.com/governmenttopics/government/legislation/story/0,108
01,109436,00.html]

Report Finds DHS Intelligence Fusion Centers Present Privacy Concerns (December 23 & 29, 2008)

According to a Privacy Impact Assessment (PIA) from US Department of Homeland Security (DHS) chief privacy officer Hugo Teufel III, the agency's intelligence fusion centers pose significant privacy concerns. The centers were created to comply with the Implementing Recommendations of the 9/11 Commission Act of 2007. The Act also requires that PIAs be performed. The PIA found several areas of concern, including ambiguous lines of authority rules and oversight; participation of the military and the private sector; and mission creep.
-http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_ia_slrfci.pdf
-http://www.fcw.com/online/news/154752-1.html?type=pf
-http://www.nextgov.com/nextgov/ng_20081229_7913.php

---

THE REST OF THE WEEK'S NEWS

ARRESTS, CHARGES, CONVICTIONS & SENTENCES

Computer Engineer Will Stand Trial for Allegedly Holding City Network Hostage (December 27 & 28, 2008)

The computer engineer who allegedly hijacked the city of San Francisco's computer network, a network he created and ran, will stand trial on four felony charges. Terry Childs allegedly held the network hostage for several days until the city's mayor convinced him to reveal the codes that would allow system access. He allegedly tampered with the network after he was disciplined for poor performance. Childs's attorney maintains his client was trying to protect the network from incompetent co-workers who had already caused problems on the system.
-http://news.cnet.com/8301-1009_3-10129313-83.html?part=rss&subj=news&tag
=2547-1009_3-0-20
-http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/12/27/BA1F14VJG3.DTL&t
ype=printable

Software Company President Sentenced for Hacking and Proprietary Data Theft (December 19 & 23, 2008)

The president of a Boulder, Colorado-based software development company has pleaded guilty to stealing protected files from a competitor's website. Jay E. Leonard was sentenced to 12 months of probation and ordered to pay a US $2,500 fine for breaking into the computer system of ZetaWare and stealing proprietary information to gain a competitive advantage. In a separate case, Leonard's company has been accused of violating a US trade embargo for allegedly providing Cuba with oil and gas drilling software technology.
-http://www.dailycamera.com/news/2008/dec/19/executive-boulder-software-firm-sent
enced-probatio/
-http://www.eweek.com/c/a/Mobile-and-Wireless/Software-Exec-Takes-Fall-for-Hackin
g/
-http://www.theregister.co.uk/2008/12/23/software_exec_hacking_charges/
[Editor's Note (Schultz): The probation sentence and the USD 2,500 fine are so tiny that they will send a message to potential computer criminals in the US that they really do not have to fear much as far as court-ordered potential punishment goes. ]

GOVERNMENT SYSTEMS AND HOMELAND SECURITY

FEMA Investigating Evacuee Data Exposed on Internet (December 24, 2008)

The US Federal Emergency Management Agency (FEMA) is investigating how personally identifiable information of some Hurricane Katrina evacuees was exposed on the Internet. The compromised data include names, addresses and Social Security numbers (SSNs). FEMA had provided a state agency with the information but had not authorized its publication on the Internet. The data appeared on two separate sites; FEMA has worked with both to remove the information. The state agency in question is cooperating with the investigation. FEMA is contacting all those affected by the breach.
-http://www.fcw.com/online/news/154757-1.html?type=pf

VULNERABILITIES

Microsoft Warns of SQL Flaw (December 22, 23 & 24, 2008)

Microsoft has issued a warning about a remote code execution flaw in older versions of SQL Server. Exploit code for the flaw has been released. There is currently no patch available to fix the vulnerability, but Microsoft has provided a workaround users can apply until a patch becomes available. An Austrian security consulting firm, SEC Consult, reported the flaw to Microsoft in April. SEC maintains Microsoft has had a fix available since late September; on December 9, the company disclosed the flaw and released proof-of-concept exploit code. Microsoft has acknowledged that it has been working on the SQL problem for eight months, but would not confirm SEC's allegations that a patch has been ready for several months. The vulnerability affects certain configurations of Microsoft SQL Server 2000, Microsoft SQL Server 2005 and Windows Internal Database.
-http://www.microsoft.com/technet/security/advisory/961040.mspx
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9124222
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9124351&intsrc=hm_list
-http://www.theregister.co.uk/2008/12/23/sql_server_0day_latest/

MALWARE

Samsung Digital Picture Frame Software Disk Infected with Keystroke Logging Malware (December 22 & 29, 2008)

Amazon has warned that certain versions of Samsung's SPF-85H 8-inch digital photo frames pose a security threat to users. The frames come with a disk containing software that is necessary to be able to use the frame as a USB monitor on Windows XP machines. The disk is infected with the W32.Sality.AE worm, which installs keystroke logging malware on the machines it infects. Amazon has provided instructions for cleaning systems that have already been infected by the worm.
-http://www.theregister.co.uk/2008/12/29/photo_frame_malware/
-http://www.amazon.com/gp/forum/cd/discussion.html?ie=UTF8&cdForum=Fx20DX5GEB
7TUX8&cdThread=Tx2LOAXBDR3N47W
-http://www.samsung.com/us/support/news/supportNewsAlerts.do?group=&type=&
;subtype=&model_nm=&spp_news_seq=761&page=
[Editor's Note (Skouids): It seems that we have a new ritual that will be repeated annually right around New Year's day. Interspersed with discussions of the Times Square ball dropping, the baby New Year, and noisemakers each year at this time, we'll see articles about the new malware that infected consumer devices people received for Christmas. Happy New Year! ]

DATA THEFT, LOSS & EXPOSURE

RBS WorldPay Data Breach Affects More than 1 Million Customers (December 23, 24 & 29, 2008)

Attackers broke into the computer system at RBS WorldPay, a payment processing services provider, compromising personally identifiable information of more than one million customers. The compromised data include financial account information and Social Security numbers (SSNs). The intrusion, which has been described as "highly sophisticated," was detected on November 10, 2008. There are reports that approximately 100 pre-paid payroll cards, one of RBS WorldPay's products, have been used in fraudulent transactions. RBS WorldPay has begun notifying individuals affected by the breach and has brought in specialists to help improve the system's security. The company is also resetting the PINs associated with pre-paid payroll cards.
-http://www.internetnews.com/security/article.php/3793386
-http://www.theregister.co.uk/2008/12/29/rbs_worldpay_breach/
-http://www.digitaltransactions.net/newsstory.cfm?newsid=2025
-http://www.rbsworldpay.us/RBS_WorldPay_Press_Release_Dec_23.pdf

Cedars-Sinai Medical Center Notifies Patients of Data Theft (December 23, 2008)

More than 1,000 patients of Cedars-Sinai Medical Center have received letters informing them that their personal data were stolen by a former hospital billing department employee. The information was used to make fraudulent insurance claims. James Allen Wilson was arrested on November 6, 2008; he was employed at Cedars-Sinai from January 2003 through March 2007. At that time, he was authorized to access patient information. He did not have authorization to bring the data to his home, which is where they were found. Investigators believe Wilson earned more than US $69,000 through his fraud scheme.
-http://www.latimes.com/business/careers/work/la-me-cedars-sinai23-2008dec23,0,55
08589.story

MISCELLANEOUS

CastleCops Raises the Drawbridge (December 29, 2008)

CastleCops, the volunteer cyber security organization, has shut down operations. CastleCops investigated malware and phishing schemes, provided training programs and helped computer users clean their computers of malware. The CastleCops website weathered numerous denial-of-service attacks and other attempts to harm its reputation. The organization was started in 2002, when it was known as ComputerCops.
-http://www.theregister.co.uk/2008/12/29/castlecops_closes/
-http://news.softpedia.com/news/Security-Board-CastleCops-Closes-Operations-10098
1.shtml
-http://www.castlecops.com/

Microsoft Malicious Software Removal Tool Cleaned Phony Security Apps From 400,000 PCs (December 24, 2008)

Microsoft says that the December version of its Malicious Software Removal Tool (MSRT) has removed the "Antivirus 2009" phony security application from nearly 400,000 PCs. The revised MSRT was released on December 9; the statistics gathered represent the tool's activity during the first nine days of its release. Cyber criminals are reportedly making significant amounts of money by installing their programs on PCs, then inundating the machines with pop-ups warnings of infections until users pay to purchase their clean-up applications, which are usually priced around US $40 to US $50 and are generally useless.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9124346&intsrc=hm_list
[Editor's Note (Skoudis): I see these pop-ups rather often myself, and it is a little goofy to see a pop-up purposely designed to look like a Windows XP warning message on my Mac. Still, this is a very insidious threat for the average user, and we need to educate our co-workers, friends, and family about it so that they don't fall victim. Work this one into conversations with your loved ones over the holidays. ]

Bank Info Security's Top 10 Security Breaches (December 22, 2008)

A top 10 list of the year's security breaches compiled by Bank Info Security (bankinfosecurity.com) includes the start of the resolution of the TJX breach, as well as breaches at Bank of New York Mellon, Hannaford, Countrywide, and the New York City Citibank ATM breach. Each listing includes a "Lesson Learned" section.
-http://www.bankinfosecurity.com/articles.php?art_id=1120&opg=1

---

*************************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)


John Pescastore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Ron Dick headed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.


Alan Paller is director of research at the SANS Institute


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/