SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume X - Issue #43

May 30, 2008

A big week for cyber security news stories. Newsbites editor Ed Skoudis put it in perspective, "Consider this NewsBites in its totality (nation state espionage, power grid vulnerabilities, nuclear facilities, radiation dispersal rumors, congressman discussing threats, and more), and you can see we're in the midst of a sea change in the willingness to discuss the threats we now face. It's not just petty cyber crime any more. Increasingly, there are national security implications and massive safety issues associated with information security vulnerabilities in our critical infrastructure. Lives are at stake."

Speaking of Ed (he's the top penetration testing expert in the US), he and Eric Cole and Mike Poor had a wonderful (argumentative) webcast yesterday on the most critical new developments and trends in security. Listening to it is like being a fly on the wall at a SANS speaker lunch. It's free: https://www.sans.org/webcasts/show.php?webcastid=91898
Alan

---

TOP OF THE NEWS

Growing Evidence Suggests China Poses Significant Cyber Threat
Q&A With US Rep. Jim Langevin on Power Grid Security Concerns
Commerce Dept. Laptop May Have Been Breached During Dec. Trip to China
Societe Generale Releases Breach Investigation Findings

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
Man Arrested and Charged in Online Brokerage Account Fraud Scheme
French Authorities Detain 22 in Website Attacks
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Attackers Take Down Nuclear Plant Websites to Coincide with Rumors
Israeli AG Says Employer May Not Read Employee eMail Without Consent
SPYWARE, SPAM & PHISHING
ICANN Directs Registrars to Take Steps to Authenticate WHOIS Data
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Adobe Flash Vulnerability
Apple Releases OS X Updates
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Comcast Domain Hijacked For Several Hours
BPO Owner Allegedly Stole and Sold Former Customer's Data
Conn. Atty. General Pushing BNY Mellon for More Specific Breach Information
LIST OF UPCOMING FREE SANS WEBCASTS

---

********************** Sponsored By Symantec ****************************

Where Is Your Confidential Data and How Do You Protect It? A Real Life Customer Success Join Rich Mogull, founder of Securosis L.L.C. and former Gartner analyst, and Starla Rivers, Technical Security Architect at Sharp, as they address how to easily deploy DLP and quickly realize the solution benefits.
http://www.sans.org/info/29309

*************************************************************************

TRAINING UPDATE
Where can you find the newest Penetration Testing techniques, Application Pen Testing, Hacker Exploits, Secure Web Application Development, Security Essentials, Forensics, Wireless, Auditing, both new Pen Testing courses, CISSP, and SANS' other top-rated courses plus evening sessions with Internet Storm Center handlers.
- - SANSFIRE 2008 in Washington DC (7/22-7/31) SANS' biggest summer program with many bonus sessions and a big exhibition of security products: http://www.sans.org/info/26774
- - London (6/2-6/7) and Amsterdam (6/16-6/21) and Brussels (6/16-6/21) http://www.sans.org/secureeurope08
- - Denver (6/7-6/13) http://www.sans.org/rockymnt2008/
- - Singapore (6/30-7/5) http://www.sans.org/singapore08/
- - Boston (8/9-8/16) http://www.sans.org/boston08/
- - and in 100 other cites and on line any time: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

Growing Evidence Suggests China Poses Significant Cyber Threat (May 31, 2008)

US government officials and cyber security experts say there is mounting evidence that China may have gained access to both government and private sector computer networks, and that Chinese hackers may have been responsible for two major US power blackouts in the last few years. Although there has never been a direct accusation that China was behind the attacks, neither has the government explicitly said that China was not involved. There is also growing evidence that Chinese hackers are gaining access to US computer systems to gather proprietary information. In one case, a businessman traveling to China discovered once he got there that the people he was meeting with already knew the bottom line of every negotiating point.
-http://www.nationaljournal.com/njmagazine/print_friendly.php?ID=cs_20080531_6948
[Editor's Note (Veltsos): The scenario described is eerily similar to one described in the book "The Spy's Guide: Office Espionage" by Melton, Piligian, & Swierczynski (ISBN-13: 978-1931686600). ]

Q&A With US Rep. Jim Langevin on Power Grid Security Concerns (May 27, 2008)

US Representative Jim Langevin (D-RI), who chairs the House Subcommittee on Emerging Threats, Cybersecurity and Science and Technology, is "bothered by the fact that the
[Aurora ]
vulnerability is still not fully mitigated." In March 2007, the US Department of Homeland Security (DHS) conducted the "Aurora Generator Test," which demonstrated that attackers could destroy generators by gaining remote access to power plants' control systems. Langevin discussed possible action that could help improve security, including giving the Federal Energy Regulatory Commission (FERC) the "legal authority to require the industry to comply with closing vulnerabilities," and "regulation on systems used by the electric grid and other entities" to encourage control systems vendors to create more secure products.
-http://www.investors.com/Tech/TechExecQA.asp?artid=296765228592148
[Editor's Note (Schutz): If FERC is not given more power and authority, power/utilities companies will continue to leave vulnerabilities in critical power plant systems unpatched. ]

Commerce Dept. Laptop May Have Been Breached During Dec. Trip to China (May 29, 2008)

Anonymous sources say that an investigation is underway into whether the contents of a government laptop were copied during Commerce Secretary Carlos M. Gutierrez's December trip to China. The information may have been used to gain access to Commerce computers; following Gutierrez's return, US CERT was called to the Department of Commerce three times to manage serious intrusion attempts.
-http://www.themonitor.com/articles/department_12470___article.html/china_commerc
e.html
[Editor's Note (Veltsos): When traveling overseas, corporate and government officials must ensure that the data entrusted to them is appropriately protected from unauthorized access, disclosure, or modification. Full-disk encryption and two-factor authentication mechanisms should be present on laptops containing sensitive data. Some security professionals further recommend that travel laptops should be devoid of sensitive data; instead the data should be accessed once on-site by retrieving it from a secure, online, source. ]

Societe Generale Releases Breach Investigation Findings (May 28, 2008)

Societe Generale has released the findings of an investigation it conducted along with PricewaterhouseCoopers regarding the US $7 billion loss incurred as a result of surreptitious transactions conducted by trader Jerome Kerviel. According to the report, Kerviel's skill at evading "the system of checks and balances ... designed to prevent such overtrading" combined with his supervisor's lack of understanding of the system allowed the situation to go on for as long as it did.
-http://www.darkreading.com/document.asp?doc_id=155024&f_src=darkreading_info
rmationweek
[Editor's Note (Honan): I recommend that you read the report,
-http://www.efinancialnews.com/downloadfiles/2008/05/2350755836.pdf.
It highlights how a combination of insufficient technical, procedural and personnel controls can combine to create opportunities for exploitation. ]

---

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

Man Arrested and Charged in Online Brokerage Account Fraud Scheme (May 29, 2008)

Michael Largent has been indicted on charges of computer fraud, wire fraud and mail fraud for allegedly exploiting a common practice at online brokerages of sending tiny deposits to new accounts to verify their authenticity. Largent allegedly collected nearly US $50,000 by setting up thousands of online brokerage accounts under phony names as well as his own, one of a series of missteps that led authorities to discover his identity. Largent also allegedly used a small range of IP addresses through which he created the phony accounts, another clue that helped point to his identity.
-http://www.heise-online.co.uk/security/Cunning-micro-deposit-fraudster-not-quite
-smart-enough--/news/110817
[Editor's Note (Skoudis): Thank goodness for dumb mistakes by the bad guys! That's how we often get them. Look for their errors. Even the skilled ones sometimes get complacent or cocky, and then we've got a chance to detect them. ]

French Authorities Detain 22 in Website Attacks (May 29, 2008)

Police in France have detained 22 people between the ages of 14 and 25 who are believed to have been involved with attacks on websites based in France, Russia and Iceland. If those apprehended are convicted, they could face up to two years in prison and a fine of 30,000 euro (US $46,502). The penalties could be more stringent if they are found guilty of more serious crimes. French authorities point out that small businesses need to pay closer attention to computer security.
-http://www.channelregister.co.uk/2008/05/29/dijon_police_arrest_22_alleged_hacke
r_youths/print.html
[Editor's Note (Schultz): Not too many years ago a number of small businesses succumbed to an variety of attacks that severely disrupted their business operations. At that time security experts pointed out that businesses of this size can be disproportionally affected by security-related incidents, thus dictating the need for strong risk management efforts. As has happened so much in the information security arena, however, the warnings went unheeded, and now new warnings of the same nature have been issued after small businesses have once again been adversely affected by another rash of attacks. ]

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY

Attackers Take Down Nuclear Plant Websites to Coincide with Rumors (May 23, 2008)

Websites that allow users to check real-time radiation levels for Russian nuclear power plants were attacked and rendered unavailable for a time after false rumors appeared on a number of Internet forums about a nuclear accident in the northwestern part of the country. The phony reports said there were radioactive emissions from a plant near St. Petersburg. The Automatic Radiation Environment Control System (ASKRO) is designed to allow users to have access to radiation security information; the system has been restored.
-http://en.rian.ru/russia/20080523/108202288.html

Israeli AG Says Employer May Not Read Employee eMail Without Consent (May 29, 2008)

The Israeli Attorney General has ruled that employers may not read their employees' email without their free and informed consent. Attorney general Menachem Mazuz submitted the opinion to the National Labor Court which was hearing an appeal filed by an employee whose employer had been granted access to email from her personal computer.
-http://www.globes.co.il/serveen/globes/docview.asp?did=1000347043&fid=942

SPYWARE, SPAM & PHISHING

ICANN Directs Registrars to Take Steps to Authenticate WHOIS Data (May 27, 2008)

The Internet Corporation for Assigned Names and Numbers (ICANN) has sent enforcement notices to domain registrars that are believed to have registered the majority of websites that benefit from spam traffic. One study showed that just 20 of the 800 ICANN accredited registrars are responsible for 90 percent of the questionable sites. The enforcement notices ask the registrars to provide information about what steps they have taken to identify and address inaccuracies in the WHOIS data associated with the domains. If the registrars do not address the information problems within a specified amount of time, they could lose their ICANN accreditation.
-http://www.gcn.com/online/vol1_no1/46351-1.html?topic=security&CMP=OTC-RSS
-http://www.metimes.com/Security/2008/05/29/analysis_crackdown_on_domain_name_cro
oks/7755/

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Adobe Flash Vulnerability (May 27 & 28, 2008)

A new round of SQL injection attacks is targeting Adobe Flash. Stand-alone versions of the current versions of Flash are apparently vulnerable to the attacks, but updated browser plug-ins are not. At this time, the goal of these attacks appears to be to steal online gamers' login credentials; however, more serious attacks using this same vector are likely.
-http://www.theregister.co.uk/2008/05/27/new_adobe_flash_vuln/print.html
-http://www.darkreading.com/document.asp?doc_id=155020&WT.svl=news1_2

Apple Releases OS X Updates (May 28, 2008)

Apple has released Mac OS X 10.5.3 and security update 2008-003. The updates comprise dozens of fixes, including one for a remote code execution flaw in the Flash Player Plug-in and another for a flaw in iCal that could be exploited to execute arbitrary code or cause unexpected application termination. Two other flaws in iCal remain unaddressed.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9090738&source=rss_topic17
-http://www.informationweek.com/news/hardware/mac/showArticle.jhtml?articleID=208
400745
-http://www.scmagazineuk.com/Apple-releases-latest-Leopard-OS-update/article/1106
43/
-http://www.eweek.com/c/a/Security/Apple-Cures-iCal-Ills/
-http://support.apple.com/kb/HT1897

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Comcast Domain Hijacked For Several Hours (May 29, 2008)

Comcast Internet subscribers were unable to access their email, news, and technical support for several hours late Wednesday, May 28 and into the following day. Attackers hijacked the Comcast domain name for about five hours, but there is no evidence that email or other private data were accessed. Law enforcement authorities have been informed of the incident.
-http://www.nytimes.com/aponline/business/AP-TEC-Comcast-Web-Hack.html?_r=1&p
artner=rssnyt&emc=rss&oref=slogin
-http://www.theregister.co.uk/2008/05/29/comcast_domain_hijacked/

BPO Owner Allegedly Stole and Sold Former Customer's Data (May 29, 2008)

The owner of a business processing outsourcing (BPO) company in Ahmedabad, India is accused of stealing data from a Florida company and selling the information to that company's rivals within the US. The data are valued at Rs 1 crore (US $233,809). Noble Ventures Inc, the Florida company, cancelled its contract with Maulik Dave's company more than three months ago. After the contract was cancelled, Dave allegedly broke into Noble Ventures' database, stole 8.5 million records and sold them.
-http://timesofindia.indiatimes.com/Ahmedabad/City_BPO_accused_of_data_theft/arti
cleshow/3081539.cms
[Editor's Note (Honan): Remember the insider threat also applies to those you outsource to. Ensure that your termination process, be that hostile or amicable, of contracts with outsourced providers includes mechanisms to revoke any access to your systems they may have had. ]

Conn. Atty. General Pushing BNY Mellon for More Specific Breach Information (May 28 & 29, 2008)

Connecticut Attorney General Richard Blumenthal says he will keep pressing Bank of New York (BNY) Mellon for a complete accounting of all individuals and organizations affected by its recently disclosed data security breach. In February, backup tapes belonging to BNY Mellon disappeared from the back of a van. "The delay in notification is inexplicable and totally unacceptable," according to Blumenthal. The breach is believed to affect as many as 4.5 million individuals.
-http://media-newswire.com/release_1067289.html
-http://www.wallstreetandtech.com/advancedtrading/showArticle.jhtml?articleID=208
400880&cid=RSSfeed_TechWeb
[Editor's Note (Northcutt): This is quickly turning into a textbook case of how not to handle a data breach. The 90 day delay in notification followed by the fact they cannot demonstrate what is on the tape could really impact them. Blumenthal may be grandstanding a bit, but his efforts to get other states such as New Jersey heavily involved this could be bad for BNY Mellon. One of the things I have been watching for major breaches is the stock price of the company. They went down less than most similar banks on the day of the announcement and are up 1.5% today. It seems that until and unless some of these class action suits really hurt a company, breaches are going to be a yawner issue and companies will not encrypt their backups.]

UPCOMING SANS WEBCAST SCHEDULE

Tool Talk Webcast: Log Management: No Longer Optional How to Choose the Right Tool for the Job
WHEN: Tuesday, June 3, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Andrew Hay
-http://www.sans.org/info/28704
Sponsored By: Q1 Labs
-http://www.q1labs.com/


Both network and security professionals agree - a log management solution is no longer optional. It's now a required tool in their arsenal. Unfortunately, many of their log management projects have failed because the solution they chose was unable to support the size and scope of the deployment and/or effectively deliver useful results. During this webcast Andrew Hay will discuss important considerations when selecting and deploying a log management solution for your organization and how to avoid some of the pitfalls.

SANS Special Webcast: Fourth Annual Log Management Survey
WHEN: Thursday, June 5, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Jerry Shenk and Anton Chuvakin
-http://www.sans.org/info/28709
Sponsored By: LogLogic
-http://www.loglogic.com/


The fourth annual Log Management Survey will compare and contrast how respondents use their log data, their challenges, and what they hope to derive out of their log data in the future.

SANS Special Webcast: Testing; vulnerabilities, defenses and configuration
WHEN: Tuesday, June 10, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Jerry Shenk
-http://www.sans.org/info/28714
Sponsored By: Core Security
-http://www.coresecurity.com/


This webinar will arm you with all the necessary plans for using penetration testing to investigate your organization's vulnerabilities, defenses and configurations - including lab testing your processes - to help you understand what the finished product should look like.

Internet Storm Center Webcast: Threat Update
WHEN: Wednesday, June 11, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Johannes Ullrich
-http://www.sans.org/info/28719


This monthly webcast discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.

---

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/