SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XI - Issue #10

February 06, 2009

Jobs are still plentiful in security. The 2008 SANS Salary and Certification Survey shows lots of interesting things. Highlights:
1. Jobs in security are still plentiful; through the end of November 79% of respondents predicted no reduction in staff and more organizations were increasing security staff levels than reducing levels. The demand is shifting sharply from soft security skills (policy, report writing, security awareness, compliance) to more hands-on security skills (penetration testing, intrusion detection, system hardening, technical audits).
2. Security skills are highly valued: Over 38% of computer security professionals now earn more than $100,000 per year. Salaries on the West Coast are highest and for the first time, security salaries in Washington top those in New York.
3. Security certifications are becoming far more important. 81% of respondents with hiring authority consider certification a factor in hiring decisions. ISC2's CISSP certification is still the top rated certification, but the ISACA CISA certification has dropped in importance as the more technical, hands-on certifications from GIAC and Cisco gain in importance.
Download the Salary Survey from http://www.sans.org/resources/salary_survey_2008.pdf
Alan

---

TOP OF THE NEWS

Massive ATM Fraud Linked to WorldPay Breach
Amplified DDoS Attack Hits Small ISP

THE REST OF THE WEEK'S NEWS

GOVERNMENT SYSTEMS AND HOMELAND SECURITY
Info Commissioner's Office Takes Enforcement Action Against NHS Trust
Government Security Contractor Suffers Data Breach
VULNERABILITIES
Multiple Flaws in Areva's e-terrahabitat SCADA Software
Privilege Escalation Flaw in Windows 7 Beta
OpenOffice Update Includes Flawed Java
UPDATES AND PATCHES
Microsoft Will Address SQL Server Flaw in February Security Bulletins
Firefox Update Fixes Six Flaws
ATTACKS & ACTIVE EXPLOITS
Parking Tickets as Cyber Attack Social Engineering Vector
phpBB Offline After Database Security Breach
STUDIES AND STATISTICS
Most Applications Vulnerabilities Reported Last Year Were Not Patched

---

****************** Sponsored By Palo Alto Networks **********************

Reduce Cost and Complexity of PCI Compliance with Network Segmentation. Join Forrester Research for a live webinar that will show you how organizations are using network segmentation with strict user and application control policies to significantly reduce the cost and complexity of PCI compliance, and protect customer data. Don't miss this. Register now to attend. https://www.sans.org/info/38433

*************************************************************************

TRAINING UPDATE

- - SANS 2009 in Orlando in early March - the largest security training conference and expo in the world. lots of evening sessions: http://www.sans.org/
- - SANS Security West Las Vegas (1/24-2/01) http://sans.org/securitywest09/
- - Looking for training in your own Community? http://sans.org/community/
For a list of all upcoming events, on-line and live: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

Massive ATM Fraud Linked to WorldPay Breach (February 3, 2009)

The FBI is reportedly investigating an international ATM (automatic teller machine) scam in which thieves stole millions of dollars from cash machines in 49 cities in a very brief period of time. The scam is believed to be linked to a data security breach at RBS WorldPay, which offers a service allowing employers to pay employees directly to a payment card that works much like a debit card. The attackers managed to gain access to the system and find a way to clone the cards. The attack was startlingly well-coordinated. In less than one hour on November 8, 2008, 130 ATMs in 49 cities around the world were accessed using the fraudulent cards. The attackers also managed to do away with the limits on cash withdrawals, so the people retrieving the money from the machines were able to use their cards again and again. All told, just 100 cards were used to steal US $9 million. The people withdrawing the cash are believed to be recruited accomplices who were likely paid small fees.
-http://www.myfoxny.com/dpp/news/090202_FBI_Investigates_9_Million_ATM_Scam
-http://blog.wired.com/27bstroke6/2009/02/atm.html
[Guest Editor Rob Lee, SANS Institute Forensics/IR Faculty Fellow: Class action lawsuits are encouraging silence among victims due to the high cost of voluntary disclosure. With victims not sharing details, the criminals are becoming more brazen in their crimes as the risk of arrest is low and the payout is extremely high. We have to stop the criminals, not keep blaming the victims. ]

Amplified DDoS Attack Hits Small ISP (February 4 & 5, 2009)

A new twist in DDoS (distributed denial of service) attacks has come to light after the operator of a pornographic web site used it last month to try to take down an ISP that hosts a competitor's site. The attack is being called DNS Amplification and allows a relatively small number of PCs to generate a significant amount of network traffic. The spoofed query causes the DNS servers to generate unusually large replies, hence the name DNS Amplification. Botnet operators are reportedly updating their networks, adding tools designed to launch this sort of attack.
-http://www.networkworld.com/news/2009/020509-porn-site-feud-spawns-new.html
-http://www.scmagazineus.com/New-style-of-DNS-amplification-can-yield-powerful-DD
oS-attacks/article/126839/
-http://isc.sans.org/diary.html?storyid=5773
[Editor's Note (Ullrich): The attack is not new, and has been used for a couple years now. However these recent attacks have been on a larger scale. We just finally got rid of smurf amplifiers and now we need to figure out how to ensure best practices are used to configure DNS servers so they are not abused as reflectors as in this attack.
(Donald Smith): This type of attack was actually used before the "large text record" dns reflective attacks. Preventing spoof source addresses from entering or leaving your network is the only long term solution to this class of attacks.
(Honan): More details on how this attack works are available from a paper written by Gadi Evron and Randal Vaughn at
-http://www.isotf.org/news/DNS-Amplification-Attacks.pdf]

---

******************** SPONSORED LINKS **********************************

1) Learn about using/implementing automated log management technologies at the Log Management Summit April 6-7. http://www.sans.org/info/38438
2) Visit the SANS Vendor Demo resource page to see the latest INFOSEC products & solutions in action! http://www.sans.org/info/38443/

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

GOVERNMENT SYSTEMS AND HOMELAND SECURITY

Info Commissioner's Office Takes Enforcement Action Against NHS Trust (February 5, 2009)

The UK Information Commissioner's Office (ICO) has taken enforcement action against an NHS Trust for violating data protection laws. Two laptop computers were stolen from the Brent Teaching Primary Care Trust; they contained sensitive, personally identifiable information of nearly 400 patients. The laptops were left out on a desk, a violation of the trust's security procedures, and the information on the machines was not encrypted. The trust is required now to sign a formal undertaking agreement, saying it will encrypt all data and take steps to ensure that its practices comply with the Data Protection Act. Two other trusts have faced similar ICO action in the last few weeks.
-http://www.computerworlduk.com/management/security/cybercrime/news/index.cfm?new
sid=13199

Government Security Contractor Suffers Data Breach (February 3 & 4, 2009)

US government contractor SRA has notified its employees and customers that their personal information was compromised after the company found evidence of malware on one of its servers. The affected data include names, addresses, dates of birth, health information and Social Security numbers (SSNs). SRA provides computer security and privacy services. SRA informed the Maryland Attorney General's office of the incident on January 20.
-http://www.theregister.co.uk/2009/02/04/sra_virus_infection/
-http://fcw.com/Articles/2009/02/04/SRA-faces-possible-data-breach.aspx
-http://www.scmagazineus.com/Intruders-put-virus-on-government-security-contracto
r-network/article/126889/
-http://www.networkworld.com/news/2009/020309-federal-workers-notified-after-sra.
html
-http://www.oag.state.md.us/idtheft/Breach%20Notices/ITU-164577.pdf

VULNERABILITIES

Multiple Flaws in Areva's e-terrahabitat SCADA Software (February 5, 2009)

French software company Areva is urging its customers to apply updates to address vulnerabilities in its SCADA (supervisory control and data acquisition) software that could allow intruders unauthorized access to or crash the system. The buffer overflow and denial-of-service flaw affect versions 5.5, 5.6 and 5.7 of Areva's e-terrahabitat software. The US Computer Emergency Readiness Team (US-CERT) has also issued a warning about the vulnerabilities.
-http://www.theregister.co.uk/2009/02/05/areva_scada_security_bugs/print.html
-http://www.kb.cert.org/vuls/id/337569

Privilege Escalation Flaw in Windows 7 Beta (February 4 & 5, 2009)

Proof-of-concept code has been released for a vulnerability in Microsoft's Windows 7 beta. The flaw lies in the changes Microsoft has made to the UAC (user access control) and could be exploited to gain full administrative privileges. This version of the operating system apparently allows some applications to make changes to the OS without getting users' permission. Users of Windows Vista have complained about the volume of popup warnings regarding changes being made to the operating system. Windows 7 allows users more control over how often they are notified of changes and in its default configuration, and shows users fewer messages than Vista. Microsoft has defended its decision to change the default notification settings in Windows 7. Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=5767
-http://www.theregister.co.uk/2009/02/04/windows_uac_flaw/
-http://news.zdnet.co.uk/security/0,1000000189,39611440,00.htm
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9127458&source=rss_topic17
[Editor's Note (Ullrich): Windows 7 attempts to make UAC more user friendly. It distinguishes between changes made by the user using applications like the control panel and changes made by other unauthorized software. The PoC exploit uses a script to simulate user keystrokes and makes the changes via control panel, bypassing UAC. The overall approach Microsoft took is a step forward when it comes to usability. However the battle that will never be won is gaining security by asking the user to make an intelligent decision about what is safe or not. Users will enter their admin password if asked nicely by software.
(Hoelzer): How long will we continue to put band-aids over these problems? Wouldn't it be better to fix the consistency issues in UAC and then take the approach of something like 'sudo' and cache approval for a thread or process for a certain period of time rather than pull UAC's teeth?
(Honan): I have sympathy for Microsoft in this situation. They get beaten up for UAC being too intrusive in Vista, yet when they address that issue in Windows 7 people complain the OS is not secure.]

OpenOffice Update Includes Flawed Java (February 4, 2009)

The latest update for OpenOffice includes an old, unsecure version of Java. OpenOffice 3.0.1 comes with Java 6 Update 7; the most current version of Java is Update 12. Attackers could target vulnerabilities that have been patched in subsequent updates; they could also exploit a flaw that allows websites to invoke older versions of Java functionality that has been addressed starting with Update 11.
-http://voices.washingtonpost.com/securityfix/2009/02/openoffice_installs_insecur
e_j.html?wprss=securityfix
[Editor's Note (Hoelzre): I often hear complaints about Microsoft about this type of behavior. This shows that they are not alone! ]

UPDATES AND PATCHES

Microsoft Will Address SQL Server Flaw in February Security Bulletins (February 5, 2009)

According to Microsoft's advance notification website, the company will issue four security bulletins on Tuesday, February 10. Among the issues the bulletins will address is a vulnerability in SQL Server that the company has known about for nearly a year. Two bulletins with maximum severity ratings of critical will provide fixes for flaws in Internet Explorer 7 (IE 7) and Exchange Server software. The other two bulletins have been given maximum severity ratings of important and will address the SQL Server flaw and a vulnerability in the Visio application, which is part of Microsoft Office. Microsoft acknowledged the SQL Server flaw in December 2008, after exploit code for the flaw was released. The company admitted that it had been alerted to the flaw eight months earlier.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9127438&source=rss_topic17
-http://www.microsoft.com/technet/security/bulletin/ms09-feb.mspx
[Editor's Note (Schultz): After having worked for a software company for nearly three and a half years, I am much more sympathetic to software vendors who do not immediately create patches for every reported bug and vulnerability (even critical ones). Customers constantly report these problems, and determining not only how severe each one is, but also when and how to fix (and then also test) each is anything trivial. Making things worse, regression testing sometimes shows that some fixes cause other parts of the code to break, I'm not making excuses for Microsoft's taking as long as they have in fixing the bugs discussed in this news item; I'm only saying that the problem a software giant like Microsoft must face in dealing with a myriad of problems in extremely complex code is not trivial. ]

Firefox Update Fixes Six Flaws (February 4, 2009)

Mozilla has released an updated version of Firefox that addresses six vulnerabilities in the browser. The most serious of the batch is a critical JavaScript flaw affecting Firefox's layout engine; it could be exploited to crash the browser and possibly run malicious code. The vulnerability also affects the Thunderbird email client and SeaMonkey Internet Suite. Other vulnerabilities include cross-site scripting and a problem with tab restoration that could be exploited to steal local files.
Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=5800
-http://www.securityfocus.com/brief/901
-http://www.heise-online.co.uk/security/Firefox-3-0-6-fixes-vulnerabilities--/new
s/112555
-http://news.zdnet.co.uk/security/0,1000000189,39610692,00.htm
-http://www.mozilla.org/security/announce/2009/mfsa2009-01.html
-http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.
6

ATTACKS & ACTIVE EXPLOITS

Parking Tickets as Cyber Attack Social Engineering Vector (February 4 & 5, 2009)

Cyber criminals in Grand Forks, North Dakota planted phony parking violation notices on cars. The notices direct the users to a website for more information, which leads the users through a set of links that downloads malware onto their computers. That malware then urges users to download an anti-virus scanner that is worthless. Another scam first uncovered by Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=5797
-http://www.techweb.com/article/showArticle?articleID=213200005§ion=News
-http://news.bbc.co.uk/2/hi/technology/7872299.stm
[Editor's Note (Ullrich): Fake anti virus software has been an issue in the past, but seems to be gaining some steam lately. The only lucky break we get is that most of these packages are indeed totally fake and do nothing. Of course, once in a while you do hit one that will not clean out a real virus, but it will install its own malicious software.
(Ranum): I've been wondering how long it'd take scammers to figure that out. There are several real-world-based vectors for stealing personal account information offline. I could easily see an underground economy for such a thing. Imagine if kids got an offer of cash payments via paypal to bicycle around and collect financial statements from unsecure mailboxes, scan them, and email the scans to an onion-routed address. Ultimately, the scammers are going to force financial institutions to rethink how they perform authentication. ]

phpBB Offline After Database Security Breach (February 4 & 5, 2009)

The phpBB online bulletin board was taken down after an intruder managed to gain access to a database that holds names, email addresses and hashed passwords for all of its users. The attack was made through a vulnerability in PHPlist, an open source email application. The intruder was able to access the database for more than two weeks before being discovered. A blogger claiming to be behind the attack says that account details of more than 400,000 users were compromised, and that more than 28,000 of the hashed passwords were broken. The flaw was initially disclosed in mid-January; PHPlist has since been updated to close the vulnerability that the attacker exploited.
Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=5794
-http://www.theregister.co.uk/2009/02/04/phpbb_breach/
-http://www.heise-online.co.uk/news/phpBB-hacked-400-000-account-details-intercep
ted--/112567
-http://www.securityfocus.com/brief/902

STUDIES AND STATISTICS

Most Applications Vulnerabilities Reported Last Year Were Not Patched (February 2, 2009)

According to IBM's 2008 X-Force Trend and Risk report, the majority (55 percent) of computer security flaws disclosed last year were web application vulnerabilities; of those, nearly three-quarters have no available fix. The report observes that the growing number of compromised websites erodes customer confidence.
-http://www.techweb.com/article/printArticle?articleID=213000162&printArticle
=true
[Editor's Note (Ullrich): Statistics alert! How many of the bugs reported last year where actually "real"? In a quick unscientific survey last year, we found that many web application bug reports assume the existence of a sequence of odd configuration choices. I agree that web application attacks are a problem, but it is hard to get good numbers on the size of the problem.
(Honan): Do take the time to read the report which provides some interesting insights into security trends.
-http://www-935.ibm.com/services/us/iss/xforce/trendreports/]

---

**********************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Ron Dick headed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.


Alan Paller is director of research at the SANS Institute


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/