SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume X - Issue #47
June 13, 2008
TOP OF THE NEWS
Lawmakers Say Attacks on Their Computer Systems Came From China
Second SCADA Vulnerability Disclosed
House Passes Intellectual Property Bill
Web Application Vulnerabilities on the Rise; Journalist Goes To Pen Testing School
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
Three-and-a-Half Year Sentence in Newell Rubbermaid Botnet Conviction
Guilty Plea in Botnet DDoS Case
Man Draws 63-Month Sentence for Deleting Health Clinic Patient Data
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
US Intelligence Community Warms Up to Intellipedia
POLICY & LEGISLATION
Experts Tell Senate Committee FTC Act Addresses Spyware Prosecution Concerns
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Virgin Media Teams Up With BPI to Warn Users on Illegal Downloading
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Video Viewing Software Changing Settings To Route Traffic Through Attackers' Servers
Fix Available for OpenOffice Integer Overflow Vulnerability
Microsoft Issues Three Critical Bulletins; Apple Fixes QuickTime Flaws
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Users Protest Download Speed Limits by Exposing ISP Customer Account Info
Data Breach Exposed Cotton Traders' Customer Data
LIST OF UPCOMING FREE SANS WEBCASTS
*************************************************************************
TRAINING UPDATE
- - Wash. DC (7/22-7/31) (SANSFire 2008) http://www.sans.org/sansfire08
- - Singapore (6/30-7/5) http://www.sans.org/singapore08/
- - Boston (8/9-8/16) http://www.sans.org/boston08/
- - and in 100 other cities and online any time: www.sans.org
*************************************************************************
TOP OF THE NEWS
Lawmakers Say Attacks on Their Computer Systems Came From China (June 12, 2008)
US Representative Frank R. Wolf (R-Va.) says that attacks starting in August 2006 on several computers in his office have been traced to a computer in China. Computers in other offices were attacked as well. Rep. Wolf works extensively on behalf of human rights worldwide. The attackers apparently gained access to information that includes the locations and identities of Chinese dissidents and refugees Rep. Wolf has worked with. Rep. Wolf and Representative Christopher H. Smith (R.-NJ), who is also vocal about China's human rights violations, were likely targeted because of their work. Attackers also targeted computers at the House Foreign Affairs Committee. Rep. Wolf has called for stronger cyber protection for government computers and cell phones. A Chinese embassy spokesperson has denied responsibility for the attacks.
-http://www.washingtonpost.com/wp-dyn/content/article/2008/06/11/AR2008061102790_pf.html
-http://www.nytimes.com/idg/IDG_852573C40069388048257466000851ED.html?partner=rssnyt&emc=rss&pagewanted=print
-http://www.latimes.com/news/nationworld/politics/la-na-hackers12-2008jun12,0,6620466.story
-http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=208403581
[Editor's Note (Pescatore): many of the recent claims of outages being caused by Chinese attacks have been debunked. The reality is that if you protect yourself, it doesn't matter who the attacker is. The federal government has allocated millions for laptop encryption and other forms of security protection - Rep. Wolf should be looking into why his computers are not sufficiently protected before he starts worrying about where attacks came from. Would it have been any different if the attack came from a 14 year old in Perth Amboy, NJ?
(Northcutt): One of the keynotes at SANSFIRE (www.sans.org/sansfire08/) is a detailed description by Maarten Van Horenbeeck, an Internet Storm Center handler. He has been analyzing these attacks for years and gained unique insights into the origins of these attacks. If you are going to SANSFIRE, this is a "must see" presentation. ]
Second SCADA Vulnerability Disclosed (June 11 & 12, 2008)
A security flaw in CitectSCADA software could be exploited to take remote control of systems using the vulnerable product. The software is used in SCADA (Supervisory Control and Data Acquisition) systems in a variety of industries that are part of national critical infrastructures around the world. The flaw was discovered five months ago, although a fix only recently became available. Theoretically, SCADA systems should not be exposed to the Internet and so should pose only a minor threat; however, in practice, corporate networks need to connect to SCADA systems to collect data, leaving an avenue of attack open. Another SCADA flaw, this one in InTouch SuiteLink monitoring software, was disclosed in May.
-http://www.technewsworld.com/story/Critical-Flaw-Left-Utilities-Vulnerable-to-Attack-for-5-Months-63364.html?welcome=1213304103
-http://www.theregister.co.uk/2008/06/12/scada_vuln_discovered/print.html
-http://www.kb.cert.org/vuls/id/476345
[Editor's Note (Skoudis): I think the recent SCADA vulnerabilities are just the tip of the iceberg. We spent 15+ years scrubbing bugs out of our TCP/IP stacks on Windows, Unix, and Linux. The Land vulnerability and Ping of Death were discovered 11 and 12 years ago, respectively, and periodically return due to vendor coding errors. In the SCADA realm, I'm expecting to see a lot of flaws like those, but with much more serious consequences given the nature of what SCADA systems are controlling.
(Weatherford): Theoretically, a bumblebee can't fly because its body is too big for such small wings. Practically, however, bumblebees do fly. Practically, all kinds of SCADA systems are connected to the Internet via the corporate network because managing these systems has evolved from stand-alone environments. Discovering these vulnerabilities helps advance the notion that conducting vulnerability assessments against SCADA systems is an absolute requirement...to the consternation of many Luddites.
(Cole): SCADA systems were built under the premise of being protected by complete separation. If you run SCADA systems, either you must redesign your entire system or not let them be connected to any networks that have outside connectivity. Even indirect connections to the Internet pose a high risk to these systems. ]
House Passes Intellectual Property Bill (June 11, 2008)
The US House of Representatives recently passed HR 4279, the Prioritizing Resources and Organization for Intellectual Property Act of 2008 (PRO-IP). The bill establishes a Property Enforcement Division within the DOJ; amends federal copyright law to increase civil damages; amends the federal criminal code related to copyright infringement and counterfeit packaging; and creates ten new intellectual property attaches to work with foreign governments to reduce counterfeiting and piracy. The bill is not without controversy as it strongly favors large content owners (RIAA, MPAA), levies increased domestic penalties, and directs state and local law enforcement agencies to combat intellectual property theft and infringement crimes.
-http://www.washingtonwatch.com/bills/show/110_HR_4279.html
-http://www.govtrack.us/congress/bill.xpd?bill=h110-4279
[Editor's Note (Schultz): This is a frightening development. If signed into law, it will lead to an incredible number of "witch hunts" resulting in seizure of equipment for marginal reasons. (Northcutt): as an author I certainly appreciate protecting intellectual property, however this could get out of hand. Looks like it will become law though, 410 Ayes, 11 Nays:
-http://www.govtrack.us/congress/bill.xpd?bill=h110-4279
]
Web Application Vulnerabilities on the Rise; Journalist Goes To Pen Testing School (June 9, 2008)
More than half of the vulnerabilities that appear in the SANS Security Alert email newsletter are web application vulnerabilities. Earlier this year, GCN Senior Editor Joab Jackson attended a SANS class in which Kevin Johnson detailed some of the techniques he employs as a penetration tester and, along the way, explained why web application vulnerabilities are so plentiful. Operating systems have become more secure over recent years, so cyber criminals had to find another vector of attack. Most web applications are written by developers who lack essential training in secure programming. Johnson also stressed the importance of thinking like a hacker, particularly when it comes to gathering information prior to an attack.
-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn&story.id=46418
-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn&story.id=46420
[Editor's Note (Siles and Paller): The situation is much worse than the public statistics show. All the millions of custom web applications are even more likely to be flawed than commercial applications.
(Paller): Application Pen Testing is one of the three fastest growing career opportunities in security.
(Pescatore): Operating system vulnerabilities aren't really slowing down all that much, but patching and the use of intrusion prevention technologies have made those vulnerabilities harder to exploit. The real reason web vulnerabilities seem to be on the rise is that phishing and malware attacks have found that compromising legitimate websites and getting users to visit those compromised links is a way to get around the URL blocking that has been keeping people away from popup malicious web sites. The web security gateway companies are seeing on the order of half of all web malware downloads coming from compromised but legitimate sites these days. It means web security gateways have to improve their ability to block inbound malware - and not just simple signature-based AV, either. ]
********************** SPONSORED LINK *********************************
1) Upcoming SANS webcast on June 17 at 1pm EDT. Tool Talk Webcast: A Million Little Pieces: Detecting Fraudulent Transactions, Register Today. http://www.sans.org/info/29699
*************************************************************************
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
Three-and-a-Half Year Sentence in Newell Rubbermaid Botnet Conviction (June 11, 2008)
Robert Matthew Bentley has been sentenced to 41 months in prison for surreptitiously recruiting corporate computers in Europe into a botnet. Bentley will also serve three years of supervised release following completion of his sentence and will pay US $65,000 in restitution. The attack cost one of the victims, Newell Rubbermaid, more than US $150,000. The amount of traffic generated by the malicious software caused the network to stop functioning. Bentley and Gregory King (see following story) were both caught in the FBI's Operation Bot Roast, aimed at stopping the proliferation of botnets.
-http://www.theregister.co.uk/2008/06/11/rubbermaid_botmaster_sentenced/print.html
Guilty Plea in Botnet DDoS Case (June 11, 2008)
Gregory C. King has pleaded guilty to two counts of transmitting code to cause damage to protected computers. King admitted to using a botnet to launch distributed denial-of-service (DDoS) attacks on the CastleCops and KillaNet Technologies websites, causing as much as US $70,000 worth of damage. He faces up to 20 years in prison and a fine of half a million dollars, although his plea agreement could have him spend two years in prison and pay restitution.
-http://www.theregister.co.uk/2008/06/11/botherder_admits_to_ddos_assault/print.html
[Editor's Note (Northcutt): I remember the blog post when he was arrested, scratched my head: you want a long happy life as a botmeister and you attacked CastleCops? What is wrong with this picture:
-http://www.castlecops.com/a6833-Botmasters_Take_Heed_%E2%80%93_You_Are_Being_Put_On_Notice.html]
Man Draws 63-Month Sentence for Deleting Health Clinic Patient Data (June 9, 2008)
Jon Paul Oson has been sentenced to 63 months in federal prison for intentionally damaging protected computers. Oson was also ordered to pay more than US $400,000 in restitution to the organizations whose computer networks he breached. Oson resigned from his position as a network engineer and technical services manager for the Council of Community Health Clinics (CCC) following a performance review he believed reflected negatively on his work. Oson gained unauthorized access to the CCC network several months after he resigned and performed a number of malicious acts, including deleting patient data for the North County Health Services Clinic.
-http://sandiego.fbi.gov/dojpressrel/pressrel08/sd060908.htm
[Editor's Note (Northcutt): a recent blog post makes the point this could serve as a lightning rod to trigger a HIPAA audit:
-http://blogs.ittoolbox.com/security/connection/archives/more-hipaa-heat-to-come-19388]
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
US Intelligence Community Warms Up to Intellipedia (June 10, 2008)
Although initially averse to the notion of using wikis and blogs, the CIA eventually warmed to the idea. It became evident that the technologies would allow for collaboration, discussion and information sharing in an unprecedented way. Intellipedia uses wiki technology, but was developed specifically for the intelligence community. The technology allows members of the community to debate ideas, and each entry is dated and attributable to whoever added the information, so a clear record can be kept. It also removes the concern, when sending a file that requires a media player, of whether the recipient has the correct version of the correct player to view the content.
-http://www.washingtontechnology.com/cgi-bin/udt/im.display.printable?client.id=washingtontechnology_daily&story.id=32940
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyId=17&articleId=9095638&intsrc=hm_topic
[Editor's Note (Pescatore): The intelligence community has been through this before. Intelink was an early example of using Intranet web technology to foster information sharing and collaboration outside of the rigid lines of command and control in the Intelligence community. It proved that unless you change the processes, just adding the technology doesn't change much. ]
POLICY & LEGISLATION
Experts Tell Senate Committee FTC Act Addresses Spyware Prosecution Concerns (June 12, 2008)
Experts speaking before the Senate Commerce, Science and Transportation Committee warned legislators working on anti-spyware laws not to define the technology too narrowly because criminals would simply devise new methods that fall outside of the legal definition's purview. The members of the panel were in agreement that the Federal Trade Commission Act's broad definition of unfair and deceptive practices has been effectively used in court to prosecute spyware cases.
-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn_daily&story.id=46447
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Virgin Media Teams Up With BPI to Warn Users on Illegal Downloading (June 7 & 10, 2008)
Virgin Media plans to send letters to households where those using its broadband services are believed to be downloading music illegally or making pirated versions of music files available for sharing. The customers will also receive a more strongly worded missive from BPI, but the customers' personal information will not be given to BPI. The move comes as part of a joint effort between Virgin Media and the British Phonographic Industry (BPI). BPI would like to see a three-strike policy implemented. Users would get three warnings for illegal downloading and then have their Internet service cut off. Virgin Media prefers to take a more measured approach, first assuring that its customers are aware of the music piracy problem.
-http://www.independent.co.uk/life-style/gadgets-and-tech/news/virgin-warns-illegal-downloaders-stop-or-face-prosecution-842086.html?service=Print
-http://www.heise-online.co.uk/security/Virgin-Media-partners-with-BPI-to-control-piracy--/news/110893
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Video Viewing Software Changing Settings To Route Traffic Through Attackers' Servers (June 11, 2008)
A new Trojan horse masquerading as a video "codec" required to view content on certain Web sites tries to change key settings on the victim's Internet router so that all of the victim's Web traffic is routed through servers controlled by the attackers. Recent versions of the ubiquitous "Zlob" Trojan will check to see if the victim uses a wireless or wired hardware router. If so, it tries to guess the password needed to administer the router by consulting a built-in list of default router username/password combinations. If successful, the malware alters the victim's domain name system (DNS) records so that all future traffic passes through the attacker's network first.
-http://blog.washingtonpost.com/securityfix/2008/06/malware_silently_alters_wirele_1.html
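The Zlob behavior described above ends with the victim's DNS settings pointing at resolvers the attacker controls, so one cheap host-side check is to compare the resolvers a machine is actually configured to use against the set the organization expects. The C program below is an added example, not code from the Security Fix article or from any product it mentions. It assumes a resolv.conf-style configuration (one "nameserver" line per resolver) and an allowlist of two constructed addresses; the sample configuration is constructed for the demonstration. The same comparison applies to any resolver list a host or router reports, which is the general case of the symptom the article describes.

```c
/* Added example (not from the article): flag configured DNS resolvers that
 * are not on an organization's allowlist, the visible symptom of the
 * router/DNS hijack described above. */
#include <stdio.h>
#include <string.h>

#define MAX_LINE 256

/* Constructed allowlist: the resolvers hosts in this (hypothetical) org
 * are supposed to use. */
static const char *const allowed_resolvers[] = { "10.0.0.53", "10.0.1.53" };
static const size_t n_allowed = sizeof allowed_resolvers / sizeof allowed_resolvers[0];

static int is_allowed(const char *ip) {
    for (size_t i = 0; i < n_allowed; i++)
        if (strcmp(ip, allowed_resolvers[i]) == 0) return 1;
    return 0;
}

/* Scans resolv.conf-style text line by line and counts "nameserver X"
 * entries whose X is not on the allowlist. Lines that are not nameserver
 * directives (comments, search domains) are ignored. Returns the count of
 * unexpected resolvers, so 0 means the configuration matches policy. */
int count_unexpected_resolvers(const char *config) {
    int unexpected = 0;
    const char *p = config;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[MAX_LINE];
        if (len >= sizeof line) len = sizeof line - 1;   /* truncate overlong lines */
        memcpy(line, p, len);
        line[len] = '\0';
        char ip[64];
        if (sscanf(line, "nameserver %63s", ip) == 1 && !is_allowed(ip)) {
            printf("unexpected resolver: %s\n", ip);
            unexpected++;
        }
        p = nl ? nl + 1 : p + len;
    }
    return unexpected;
}

/* Constructed sample: one expected resolver and one pointing outside the org
 * (203.0.113.7 is a documentation address, used here as a placeholder). */
static const char sample_config[] =
    "search corp.example\n"
    "nameserver 10.0.0.53\n"
    "nameserver 203.0.113.7\n";

int main(void) {
    int n = count_unexpected_resolvers(sample_config);
    printf("%d unexpected resolver(s)\n", n);
    return n == 0 ? 0 : 1;   /* non-zero exit lets a scheduler or agent alert */
}
```

Run periodically from a management agent, a non-zero exit is the signal to investigate the host and the router it sits behind; pairing this with changing the router's default administrative credentials removes the foothold the Trojan depends on.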
Fix Available for OpenOffice Integer Overflow Vulnerability (June 11, 2008)
A fix is available for an integer overflow flaw in a memory allocation function of OpenOffice that could be exploited to inject malicious code. The vulnerability affects versions 2.0 to 2.4 of OpenOffice; users are urged to upgrade to version 2.4.1. There is no workaround available, and there is no evidence that the flaw is being actively exploited.
-http://www.theregister.co.uk/2008/06/11/openoffice_update/print.html
-http://www.openoffice.org/security/cves/CVE-2008-2152.html
[Editor's Note (Cole): Behavioral based HIPS and SIEM solutions will not prevent attacks but will help limit exposure and give insight into potential problem areas across a corporate network.]
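The OpenOffice flaw is described only as an integer overflow in a memory allocation function, so the C below is an added illustration of that bug class in general, not OpenOffice's code or a reconstruction of CVE-2008-2152. It shows the defect in its usual shape: a byte count computed as record count times element size wraps silently when the product does not fit the size type, the allocator hands back a buffer far smaller than the data that will be copied into it, and a heap overwrite follows. The hardened version checks the multiplication before allocating. The 32-bit size type and the record count in the sample are assumptions chosen so that the wrap is visible on any platform.

```c
/* Added example (not OpenOffice code): integer overflow in an allocation
 * size computation, and the checked form that rejects it. */
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* A 32-bit size type, as on the platforms where this class of bug bites
 * hardest; chosen so the wraparound shows on 64-bit hosts too. */
typedef uint32_t alloc_size_t;

/* Defective form: returns the byte count the allocator would be handed.
 * count * elem_size wraps modulo 2^32 with no warning at run time. */
alloc_size_t naive_alloc_bytes(alloc_size_t count, alloc_size_t elem_size) {
    return count * elem_size;
}

/* Hardened form: 0 on success with *out set (out may be NULL), -1 if the
 * product does not fit in alloc_size_t. The division check is the portable
 * way to test without first performing the overflowing multiply. */
int checked_alloc_bytes(alloc_size_t count, alloc_size_t elem_size, alloc_size_t *out) {
    if (elem_size != 0 && count > UINT32_MAX / elem_size) return -1;
    if (out) *out = count * elem_size;
    return 0;
}

/* The allocation path a parser should use: NULL on overflow instead of a
 * too-small buffer that later code will overrun. Caller frees. */
void *checked_calloc_like(alloc_size_t count, alloc_size_t elem_size) {
    alloc_size_t bytes;
    if (checked_alloc_bytes(count, elem_size, &bytes) != 0) return NULL;
    return malloc(bytes);
}

int main(void) {
    /* Constructed input: a file header claiming 0x40000001 records of 4 bytes.
     * 0x40000001 * 4 = 0x100000004, which wraps to 4 in 32 bits. */
    alloc_size_t count = 0x40000001u, elem = 4;
    printf("naive size:   %u bytes (wrapped)\n", naive_alloc_bytes(count, elem));
    printf("checked size: %s\n",
           checked_alloc_bytes(count, elem, NULL) == 0 ? "ok" : "overflow rejected");
    return 0;
}
```

The naive path would allocate 4 bytes and then let the parser copy over a billion records into them; the checked path fails the request, which is the behavior a file parser wants when a header lies about its contents.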
Microsoft Issues Three Critical Bulletins; Apple Fixes QuickTime Flaws (June 10, 2008)
On Tuesday, June 10, Microsoft issued seven security bulletins, including three with maximum severity ratings of critical. The first critical bulletin addresses cross-domain and memory corruption flaws in Internet Explorer. Applying this patch is especially important because details of the cross-domain flaw have been available for several months. The second bulletin addresses a flaw in the Windows Bluetooth implementation that could be exploited to execute malicious code. The third of the critical bulletins addresses flaws in DirectX components. Apple also issued a fix this week to address five flaws in QuickTime; fixes are available for Windows and Mac OS X. Neither company released a fix for a recently publicized blended threat that affects Windows users running Apple's Safari web browser.
-http://www.theregister.co.uk/2008/06/10/microsoft_and_apple_security_patches/print.html
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9095958&source=rss_topic17
-http://www.gcn.com/online/vol1_no1/46444-1.html?topic=security&CMP=OTC-RSS
-http://www.eweek.com/c/a/Security/QuickTime-Update-Plugs-More-Holes/
-http://www.microsoft.com/technet/security/Bulletin/MS08-jun.mspx
[Editor's Note (Skoudis): I remember reading last month that Apple had completely restructured Quicktime's internal architecture to make it more secure. Looks like they still have a lot of implementation flaws to clean up despite the new architecture. And, the finger pointing between Apple and Microsoft in the Safari on Windows issue is very disheartening. Either side could fix the flaw, but instead chooses to blame the other. Nice.
(Grefer): Users of Mozilla Firefox in combination with the NoScript add-on are not subject to cross-domain scripting, unless they instruct the software to permit it.
-http://www.mozilla.com/firefox/
-https://addons.mozilla.org/en-US/firefox/addon/722
-http://noscript.net/]
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Users Protest Download Speed Limits by Exposing ISP Customer Account Info (June 11, 2008)
Belgian Internet customers frustrated with the limit Belgacom placed on download speeds posted account details of about 2,000 of the Belgian ISP's customers on the Internet. Belgacom did not publicize the breach, but says it sent letters to affected customers, recommending that they change their passwords.
-http://www.theregister.co.uk/2008/06/11/security_breach_at_belgacom/print.html
Data Breach Exposed Cotton Traders' Customer Data (June 10, 2008)
UK clothing company Cotton Traders has acknowledged that an attack on its website in January exposed customer information. The compromised data include addresses and encrypted credit card information. The institutions that issued the cards were notified of the breach and the majority of the cards were blocked and replaced with new ones. Police are investigating the incident. The breach is believed to affect as many as 38,000 people.
-http://news.bbc.co.uk/2/hi/technology/7446871.stm
UPCOMING SANS WEBCAST SCHEDULE
Tool Talk Webcast: A Million Little Pieces: Detecting Fraudulent Transactions
WHEN: Tuesday, June 17, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Brian Contos
-http://www.sans.org/info/28729
Sponsored By: ArcSight
-http://www.arcsight.com/
Today's business is digital across the board, relying on digital processes, communications, assets, and commerce. This has spawned a massive increase in fraud. We read about it nearly every week, and in almost every case, the problem seems obvious in hindsight. Societe Generale, with $7 billion in trading fraud, is the current poster child. Too often, fraud could have been detected and stopped if only someone noticed the connection between several activities, each of which was fine in isolation. Taken together, however, they paint a picture of fraud.
SANS Special Webcast Series: Security Insights with Dr. Eric Cole
This month's topic: Information Security Priorities for the SMB
WHEN: Wednesday, June 18, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Dr. Eric Cole
-http://www.sans.org/info/28734
SMBs need IT security solutions that are easy to adopt and maintain. How are small and medium-size businesses (SMBs) adopting, using, and managing IT security technologies, including security information management (SIM), network security, intrusion prevention, application security, content filtering, and network access control (NAC)? Leading areas of focus for SMB security programs are data security and business continuity, followed by application security and access control to support partners and channels as their business grows. While these issues are not unlike those facing larger enterprises, SMBs must prioritize their security program most carefully to avoid costly pitfalls. Undiscovered security threats that slow down the large enterprise can cause the SMB to close its doors if they are not prepared for risk avoidance.
SANS Special Webcast: Endpoint Security: Point-Solution or Protection Platform
WHEN: Tuesday, June 24, 2008 at 3:00 PM EDT (1900 UTC/GMT)
FEATURING: Stephen Northcutt and Dan Teal
-https://www.sans.org/webcasts/show.php?webcastid=91963
Sponsored By: CoreTrace
-http://www.coretrace.com/
Join SANS President Stephen Northcutt as he reviews the key features in endpoint security that really matter, how to shop for the best products, and why implementing defense in depth on your organization's endpoint is a best practice.
SANS Special Webcast: Top 10 Oracle Security Risks
WHEN: Wednesday, June 25, 2008 at 3:00 PM EDT (1800 UTC/GMT)
FEATURING: Tanya Baccam
-https://www.sans.org/webcasts/show.php?webcastid=91968
This keynote is an introduction to some of the Oracle Database risks that exist, and highlights the "Top 10" critical areas that should be checked when conducting an Oracle database audit.
Ask the Expert: Lessons from the Frontline: Avoiding Costly Breach Investigation Mistakes and Downtime
WHEN: Thursday, June 26, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Ed Skoudis
-http://www.sans.org/info/28754
Sponsored By: Mu Security
-http://www.mudynamics.com/
This webcast will discuss some of the most egregious mistakes made by enterprises and network operators who have suffered costly and/or embarrassing security breaches.
=========================================================================
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/