SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XI - Issue #101
December 29, 2009
Just in: The hottest skills employers are seeking for 2010:
1. Red Teaming/Penetration testing (systems/networks and applications)
2. Forensics
3. Reverse engineering malware
4. Auditing networks and systems (hands-on testing)
5. Intrusion detection
6. Security management and leadership
7. Securing virtual systems
Plus: Effective presentation skills for security professionals
Alan
TOP OF THE NEWS
Phony Anti-Terror Technology Responsible for Elevated Security Levels in 2003
Proposed Legislation in NJ Would Beef Up Penalties for Unsolicited Text Messages
GSM Algorithm Broken
THE REST OF THE WEEK'S NEWS
Microsoft Says IIS Vulnerability is Low Risk
DDoS Against DNS Provider Causes Problems for Some Online Retailers
GAO Report Points Fingers in Nuclear Site Document Leak
Preliminary Approval for Countrywide Breach Settlement
Prison Attacker Gets Prison Sentence
Government Faces Shortage of Skilled Cyber Security Specialists
Kindle DRM Broken
MBNA Customer Credit Card Data on Stolen Laptop
Former Assistant DA Draws Probation for Unauthorized Access to Information
Citibank Says There Was No Cyber Attack
*************************************************************************
TRAINING UPDATE
-- SANS Security East 2010, New Orleans, January 10-18, 2010 19 courses. Bonus evening presentations include Top 7 Trends in Incident Response and Computer Forensics, Advanced Forensic Techniques and more
https://www.sans.org/security-east-2010/
-- SANS AppSec 2010, San Francisco, January 29-February 5, 2010 Bonus evening presentations include Social Zombies and Cross-Site AJAX Security
https://www.sans.org/appsec-2010/
-- SANS Phoenix, February 14 - 20, 2010 Bonus evening presentations include Advanced Forensic Techniques: Catching Hackers on the Wire
https://www.sans.org/phoenix-2010/
-- SANS 2010, Orlando, March 6 - 15, 2010 38 courses and bonus evening presentations, including Software Security Street Fighting Style
https://www.sans.org/sans-2010/
-- SANS Northern Virginia Bootcamp 2010, April 6-13
https://www.sans.org/reston-2010/
Looking for training in your own community?
https://sans.org/community/
Save on On-Demand training (30 full courses)
- See samples at https://www.sans.org/ondemand
Plus Tokyo, Bangalore, Dublin and Oslo all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org
*************************************************************************
TOP OF THE NEWS
Phony Anti-Terror Technology Responsible for Elevated Security Levels in 2003 (December 24 & 28, 2009)
A self-proclaimed software programmer who convinced the CIA that he had developed software capable of deciphering hidden messages in Al Jazeera broadcasts appears to have been responsible for an elevation in the national security level in late 2003, causing the grounding of international flights and the evacuation of the Metropolitan Museum of Art. Dennis Montgomery managed to convince a CIA Directorate of Science and Technology employee that his technology and the information it generated were credible. The information was passed to top government officials. Only later did it become evident that Montgomery had not shared his algorithms with anybody in the Government, nor was anyone in the government clear about how the information was obtained. Montgomery also reportedly received a no-bid US $30 million contract for "compression" and "automatic target recognition" technology that he claimed could analyze surveillance video from drones and identify weapons in people's hands. A man who used to work with Montgomery says he helped fake about 40 demonstrations of the software.
-http://www.wired.com/threatlevel/2009/12/montgomery-2
-http://www.theregister.co.uk/2009/12/24/cia_montgomery/
[Editor's Note (Schultz): Pathetic though it may be, this kind of thing is not at all unprecedented. During the "Star Wars" years a US national laboratory pulled off what has amounted to the same kind of stunt--instilling the belief that technology that was not anywhere near "prime time" was the end-all solution to US national defense problems.
(Ranum): When you've outsourced almost all of your technically skilled staff, you're an easy mark for con-men because you no longer have people who can look at stuff like this and tell it's obviously unworkable. Additionally the government procurement system is set up the way it is specifically to prevent this kind of thing - it's a shame that it was bypassed using "no bid" tricks.
(Northcutt): I do not know anything about the CIA, but I did visit their Spy Museum once, and there were enough things in there that puncture, slice and dice you that I would think twice about scamming them. But it does reinforce the importance of being careful about buying Demoware. If you are going to purchase a product, get a test system and run it in your environment for at least 30 days. And never, ever, pass information to top management that comes from a system you are not very experienced with. ]
Proposed Legislation in NJ Would Beef Up Penalties for Unsolicited Text Messages (December 28, 2009)
Two New Jersey state legislators are sponsoring a bill that would impose hefty fines on people and/or organizations that send unsolicited text messages. Of particular concern to Sens. Joseph Vitale and Sean Kean are messages sent to the elderly and disabled and messages that cause people to exceed their monthly text message allotment, incurring additional costs from their providers. An unsolicited ad is defined as one that is sent without prior consent of the recipient that urges the recipient to rent or purchase services or merchandise. First time offenders would be fined up to US $10,000 and repeat offenders fined up to US $20,000. If the violator knew or should have known that the recipient was an elderly or disabled person, the maximum fine increases to US $30,000.
-http://www.msnbc.msn.com/id/34611083/ns/technology_and_science-tech_and_gadgets/
GSM Algorithm Broken (December 28, 2009)
An encryption expert giving a presentation at a conference in Berlin, Germany says he has broken the GSM algorithm used to protect the privacy of cell phone calls. Karsten Nohl said he undertook the project to demonstrate that the algorithm provided insufficient security. The industry group that developed GSM said Nohl's actions were illegal. The encryption technology in question makes mobile phones and base stations change radio frequencies quickly over 80 channels. The algorithm is used to encrypt about 80 percent of the world's mobile phone calls.
-http://www.nytimes.com/2009/12/29/technology/29hack.html?_r=1&ref=technology
-http://www.theregister.co.uk/2009/12/28/gsm_eavesdropping_breakthrough/
-http://news.cnet.com/8301-1009_3-10422340-83.html?part=rss&subj=news&tag=2547-1_3-0-20
[Editor's Note (Hoelzer): Creating strong cryptographic algorithms is difficult enough; history tells us that continuing to use "secret sauce" algorithms will always lead to failure. A5/1 started out secret, but as it has been discovered, significant vulnerabilities have been discovered. Unfortunately, it will probably be years before any significant progress is made in implementing something new because of industry inertia and head-in-the-sand strategies.
(Northcutt): Does this story remind anyone of the DVD encryption story? Or WEP? Of course people make claims all the time and it will be a few months before the full story is clear, but we need to hold these industry groups accountable. The question is not whether Nohl's actions were illegal, we are supposed to test and attack cryptographic algorithms, it is whether the GSM Association needs to get ready to write a very large check in response to a number of class action lawsuits if people start getting hurt. In the meantime, I would treat my cell phone as if it were a radio. ]
THE REST OF THE WEEK'S NEWS
Microsoft Says IIS Vulnerability is Low Risk (December 25 & 28, 2009)
Microsoft is downplaying reports of a flaw in its Internet Information Services (IIS), saying that as long as users adhere to secure configuration best practices, the vulnerability presents a low risk. The person who found and disclosed it says it could allow attackers to upload and execute ASP code. The problem lies in the way IIS parses filenames that contain semicolons; if attackers append ";.jpg" or another trusted file extension, the malicious file can bypass security measures.
-http://www.scmagazineus.com/new-iis-flaw-deemed-low-risk-in-proper-configurations/article/160283/
-http://www.h-online.com/security/news/item/Security-flaw-in-Microsoft-IIS-892881.html
-http://www.theregister.co.uk/2009/12/25/microsoft_iis_semicolon_bug/
-http://isc.sans.org/diary.html?storyid=7819
-http://isc.sans.org/diary.html?storyid=7816
[Editor's Note (Ullrich): If you run IIS, please implement the workaround suggested by Microsoft. In particular, making the upload directory non-executable should be common sense in most cases. ]
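Ullrich's advice addresses the mitigation; the defect the item describes sits in an upload filter that judges a name only by the text after its last dot. As an added example (not code from the newsletter, Microsoft or any cited article), here is that weak check beside a hardened one, using a constructed extension allowlist and a modelled server that stops reading a name at the first ';' (an assumption used to illustrate the report, not IIS's documented logic):

```python
# Added example, not from the newsletter or the cited articles. Contrasts an
# upload filter that inspects only the final extension with one that treats
# every segment of the name as an extension and rejects terminator characters.
import re

# Constructed allowlist of extensions the application is willing to store.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}

# Characters that some server or filesystem has treated as a name terminator
# or path separator. The reported IIS behaviour concerns ';'; the others are
# included so the check does not depend on which one a platform honours.
TERMINATORS = re.compile(r"[;:\x00\\/]")


def naive_is_allowed(filename: str) -> bool:
    """Weak check: accept when the text after the final dot is allowlisted.

    "report.asp;.jpg" ends in "jpg", so this check accepts it.
    """
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext in ALLOWED_EXTENSIONS


def hardened_is_allowed(filename: str) -> bool:
    """Accept only if no terminator character is present and every
    dot-separated segment after the base name is on the allowlist."""
    if not filename or TERMINATORS.search(filename):
        return False
    parts = filename.lower().split(".")
    # require a non-empty base name and at least one non-empty extension
    if len(parts) < 2 or any(part == "" for part in parts):
        return False
    return all(ext in ALLOWED_EXTENSIONS for ext in parts[1:])


def name_as_handled(filename: str) -> str:
    """Model (an assumption, not IIS's documented logic) of a server that
    stops reading the name at the first ';'. Shows what the naive check
    actually lets through to the script engine."""
    return filename.split(";", 1)[0]


def triage(filename: str) -> dict:
    """Run both checks and report how the modelled server would see the name."""
    return {
        "naive": naive_is_allowed(filename),
        "hardened": hardened_is_allowed(filename),
        "handled_as": name_as_handled(filename),
    }


if __name__ == "__main__":
    # Constructed sample names: a benign image, the reported pattern, and
    # two names that should fail either way.
    for name in ("photo.jpg", "report.asp;.jpg", "page.asp", "x.jpg.asp"):
        print(f"{name!r:20} -> {triage(name)}")
```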
DDoS Against DNS Provider Causes Problems for Some Online Retailers (December 24 & 28, 2009)
A distributed denial-of-service (DDoS) attack against the DNS provider for Amazon, Wal-Mart, the Gap and other shopping websites made those sites temporarily unavailable. The attack that was launched against Neustar on December 23 affected users in Northern California. Although the attack kept the sites unavailable for only about an hour, last-minute holiday shoppers experienced frustrating delays. An UltraDNS spokesperson said that "queries may have taken some time to resolve and some may not have been completed, but there never was an outage."
-http://www.theregister.co.uk/2009/12/24/ddos_attack_ultradns_december_09/
-http://www.computerworld.com/s/article/9142681/DDoS_attack_on_DNS_hits_Amazon_and_others_briefly?source=rss_security
-http://www.cnn.com/2009/TECH/12/24/cnet.ddos.attack/index.html
-http://www.informationweek.com/news/storage/security/showArticle.jhtml?articleID=222100146
GAO Report Points Fingers in Nuclear Site Document Leak (December 24, 2009)
A report from the Government Accountability Office (GAO) faults five government agencies, two congressional offices and the National Security Council for the leak of information about hundreds of US civilian nuclear facilities. The document was published on the Government Printing Office website in June and remained visible for about one day. The document was intended for the International Atomic Energy Agency (IAEA). Some of the confusion stemmed from the document's classification with an IAEA term that is not recognized in the US. NSC did not provide specific instructions for handling the document once delivered to the White House clerk's office.
-http://www.washingtonpost.com/wp-dyn/content/article/2009/12/23/AR2009122302970_pf.html
Preliminary Approval for Countrywide Breach Settlement (December 24, 2009)
A US federal judge has granted preliminary approval to a proposed settlement that would have Countrywide Financial Corp. provide free credit monitoring to as many as 17 million people whose personal information was compromised. The settlement also provides up to US $50,000 in reimbursement for each instance of identity fraud that can be traced to the breach and for which the victims were not reimbursed otherwise and in which they lost something of value. The suit has its origins in data theft committed by former Countrywide analyst Rene Rebollo Jr., who downloaded thousands of customers' information every week for two years and sold it to Wahid Siddiqi. Siddiqi pleaded guilty to fraud earlier this month; Rebollo's trial is scheduled to begin in January.
-http://abcnews.go.com/Business/wireStory?id=9418695
Prison Attacker Gets Prison Sentence (December 22 & 24, 2009)
Francis G. Janosko has been sentenced to 18 months in prison for breaking into the Plymouth (Massachusetts) County Correctional Facility's computer network, accessing information about more than 1,100 prison employees and making that information available to other inmates. Janosko pleaded guilty to damaging a protected computer in September. Janosko, who was an inmate at the time on unrelated charges, was using a machine that was supposed to be configured to allow access only to a legal research program, but he managed to exploit a vulnerability that allowed him access to the Internet and to the prison network.
-http://www.theregister.co.uk/2009/12/24/inmate_prison_hack/
-http://www.computerworld.com/s/article/9142628/Inmate_gets_18_months_for_hacking_prison_computer
Government Faces Shortage of Skilled Cyber Security Specialists (December 23, 2009)
The US federal government is facing difficulty finding enough skilled cyber security employees to help protect networks from increasingly sophisticated and frequent attacks. Especially difficult to find are people with the necessary skills and the necessary security clearances. Those who possess both are demanding high salaries, driven even higher by private industry, which has the funds to hire them away from the government.
-http://www.washingtonpost.com/wp-dyn/content/article/2009/12/22/AR2009122203789_pf.html
Kindle DRM Broken (December 23, 2009)
Two different people claim to have broken the digital rights management (DRM) technology on Amazon's Kindle ebook reader so that the files stored in the application can be used on other devices as well. One method allows the ebooks to be transferred as PDF files. Another method of cracking the DRM targets the recently-released Kindle for PC application that allows people to read books on PCs.
-http://www.computerworld.com/s/article/9142651/Hackers_claim_victory_in_cracking_Amazon_Kindle_DRM?source=rss_security
-http://www.theregister.co.uk/2009/12/23/amazon_kindle_hacked/
-http://news.bbc.co.uk/2/hi/technology/8428126.stm
-http://www.h-online.com/security/news/item/Users-bypass-Kindle-restrictions-892632.html
-http://news.cnet.com/8301-17938_105-10421296-1.html
MBNA Customer Credit Card Data on Stolen Laptop (December 22 & 23, 2009)
MBNA is notifying thousands of customers that a laptop stolen from NCO Europe offices contains their credit card information. NCO Europe is a third-party contractor. Although the files do contain personal information, no PINs are believed to be included. While no fraudulent activity has been detected on the compromised accounts, MBNA is offering affected customers one year of credit monitoring service and is monitoring all compromised accounts.
-http://www.scmagazineuk.com/mbna-confirms-data-loss-after-laptop-containing-personal-details-of-thousands-of-customers-was-stolen-from-vendor/article/160217/
-http://www.net-security.org/secworld.php?id=8656
-http://www.lep.co.uk/news/Customer-credit-card-details-stolen.5929370.jp
Former Assistant DA Draws Probation for Unauthorized Access to Information (December 22, 2009)
A Louisiana man has been sentenced to two years of probation and ordered to pay a US $3,000 fine for unauthorized access to information by use of a computer. Perry Booth was employed as an Assistant District Attorney for Jefferson Parish, Louisiana when he noted the license plate of an individual involved in a near miss traffic incident. Booth asked an investigator in the DA's office to access a confidential law enforcement database to find out the person's identity. He then sent that person a threatening letter referring to the traffic incident.
-http://neworleans.fbi.gov/dojpressrel/pressrel09/no122209.htm
Citibank Says There Was No Cyber Attack (December 22 & 23, 2009)
While the FBI says it is investigating losses totaling tens of millions of dollars from Citibank accounts, Citibank parent company Citigroup denies reports that it has fallen prey to a cyber attack or that an investigation is underway. Citigroup did acknowledge that their systems have been probed but persisted in denying that an attack occurred and that money was stolen from customer accounts. The cyber thieves allegedly used the Black Energy botnet in their attacks. Sources have suggested that the Russian Business Network, a notorious cybercrime network, is behind the cyber heists. There is a report of one man being blocked from accessing his company's Citibank account; although he alerted the bank immediately, a day later, more than US $1 million had been withdrawn without his authorization. About 80 percent of the funds were recovered, and Citibank covered the man's losses for the rest.
-http://www.darkreading.com/security/attacks/showArticle.jhtml?articleID=222003024&subSection=Attacks/breaches
-http://www.scmagazineus.com/citibank-refutes-reported-hack-by-russian-gang/article/160124/
-http://news.cnet.com/8301-1009_3-10420308-83.html
-http://www.cbsnews.com/stories/2009/12/23/eveningnews/main6016135.shtml
-http://online.wsj.com/article/SB126145280820801177.html?mod=rss_Today%27s_Most_Popular
**********************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a postgraduate-level IT Security College, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.
Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/