SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XI - Issue #12

February 13, 2009

TOP OF THE NEWS

Number of Banks Affected By Heartland Breach: 160 and Growing
European Commission Wants Answers from UK Government Over Phorm Trials
Microsoft, ICANN and Others Take Steps to Block Conficker

THE REST OF THE WEEK'S NEWS

ARRESTS, CHARGES, CONVICTIONS & SENTENCES
Former Web Host Employee Sentenced for Unauthorized Access and Damage
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
LANL Criticized for Lax Attitude Toward Missing Computers
Federal Aviation Administration Data Security Breach
UPDATES AND PATCHES
Apple Issues Updates for Mac OS X
RIM Addresses ActiveX Vulnerability
Microsoft Malicious Software Removal tool targets Srizbi
Microsoft Issues Four Security Bulletins
STUDIES AND STATISTICS
Study Examines Accidental Disclosure of Medical Record Data Through P2P

---

******************** The Penetration Testing Summit *********************

What are some specific criteria to evaluate pen testing companies and determine the quality of their testing regimen? What time-saving techniques can help you accomplish more in less time? Find out at the Penetration Testing and Ethical Hacking Summit June 1-2, Las Vegas. https://www.sans.org/info/38683

*************************************************************************

TRAINING UPDATE

- - SANS 2009 in Orlando in early March ? the largest security training conference and expo in the world. lots of evening sessions: http://www.sans.org/
- - Looking for training in your own Community? http://sans.org/community/
For a list of all upcoming events, on-line and live: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

Number of Banks Affected By Heartland Breach: 160 and Growing (February 6 & 12, 2009)

According to the Bank Information Security website, nearly 160 financial institutions have acknowledged that they were affected by the Heartland Payment Systems data security breach. Banks in 40 US states as well as in Canada, Bermuda and Guam have reported that some of their customers' cards were exposed. It is not known how many card accounts were compromised; Heartland says it processes 100 million transactions a month.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9127822&source=rss_topic17
-http://www.bermudasun.bm/main.asp?SectionID=24&SubSectionID=270&ArticleI
D=40389&TM=28150.45
-http://www.theregister.co.uk/2009/02/12/heartland_data_breach_latest/
-http://www.bankinfosecurity.com/articles.php?art_id=1200&opg=1

European Commission Wants Answers from UK Government Over Phorm Trials (February 11 & 12, 2009)

The UK government could face formal action from the European Commission if it does not provide the Commission with information it has requested regarding BT's secret trials of Phorm targeted advertising technology in 2006 and 2007. Despite having been sent three letters, the government has yet to "provide a satisfactory response to the Commission's concerns on the implementation of European law in the context of the Phorm case." The trials were conducted without the consent of BT customers. Although the UK Information Commissioner's office and London Police decided not to take action over the issue, the European Commission grew concerned that the trials may have violated EU laws.
-http://news.zdnet.co.uk/security/0,1000000189,39615480,00.htm
-http://www.theregister.co.uk/2009/02/11/phorm_eu_action_threat/

Microsoft, ICANN and Others Take Steps to Block Conficker (February 12, 2009)

Microsoft is working with ICANN (the Internet Corporation for Assigned Names and Numbers) and other groups to prevent the Conficker worm from receiving updates over the Internet. Many of the domains that Conficker could use have been blocked from registration, and others are being used by researchers to monitor and study the malware. Conficker, also known as Downadup, has infected 10 million PCs worldwide. Microsoft has announced a US $250,000 reward for information leading to the arrest and conviction of the person or people responsible for the Conficker worm.
-http://www.theregister.co.uk/2009/02/12/conficker_reward/
-http://www.heise-online.co.uk/security/Microsoft-ICANN-and-others-move-to-block-
Conficker--/news/112640
-http://news.cnet.com/8301-1009_3-10163084-83.html?part=rss&subj=news&tag
=2547-1009_3-0-20

---

THE REST OF THE WEEK'S NEWS

ARRESTS, CHARGES, CONVICTIONS & SENTENCES

Former Web Host Employee Sentenced for Unauthorized Access and Damage (January 26, 2009)

Former Hostgator.com employee Cliff L. Wade has been sentenced to eight months in prison for accessing the web hosting company's systems without authorization and deliberately causing problems in its customer support network. The intrusion occurred after Wade moved to another state and took a job with a different web hosting company. Wade was also sentenced to three years of supervised release following completion of his prison term, and has been ordered to pay a US $100 special assessment.
-http://www.cybercrime.gov/wadeSent.pdf
-http://www.northcountrygazette.org/2008/06/27/hostgator_hack/

GOVERNMENT SYSTEMS AND HOMELAND SECURITY

LANL Criticized for Lax Attitude Toward Missing Computers (February 12, 2009)

The Los Alamos National Laboratory (LANL) has been chastised by the Department of Energy's National Nuclear Energy Administration (NNSA) for treating the theft of three computers from an employee's home as a "property management issue" rather than a cyber security issue. The memo was critical of the lab's overall stance regarding property management, accountability, incident reporting and cyber security. Thirteen computers have been reported lost or stolen from LANL in the last 12 months and 67 computers, including those 13, are currently listed as missing.
-http://pogoarchives.org/m/nss/nnsa-cybersecurity-letter-20090203.pdf
-http://www.eweek.com/c/a/Security/Los-Alamos-Lab-Missing-Almost-100-Computers/
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9127862&source=rss_topic17

Federal Aviation Administration Data Security Breach (February 10 & 12, 2009)

The US Federal Aviation Administration (FAA) is taking steps to contain a data security breach of one of the agency's administrative servers that compromised the personally identifiable information of more than 45,000 current and former employees. The agency is in the process of informing all affected employees by letter. The breach was detected during the agency's Cyber Security Management Center's investigation of unusual activity. The compromised data include names, Social Security numbers (SSNs) and some encrypted medical information. The compromised server "was not connected to the operation of the air traffic control system or any other FAA operational system."
-http://www.nextgov.com/nextgov/ng_20090212_2113.php
-http://fcw.com/Articles/2009/02/10/FAA-data-breach.aspx
-http://www.msnbc.msn.com/id/29108758/
-http://www.washingtonpost.com/wp-dyn/content/article/2009/02/10/AR2009021003899_
pf.html
-http://www.faa.gov/news/press_releases/news_story.cfm?newsId=10394

UPDATES AND PATCHES

Apple Issues Updates for Mac OS X (February 12 & 13, 2009)

Apple Computer has released Security Update 2009-01, an update for Mac OS X that fixes more than two dozen security flaws. The vulnerabilities include an arbitrary code execution flaw in Safari RSS, an information disclosure flaw in Remote Apple Events, a denial of service flaw in AFP server, an arbitrary code execution flaw in CoreText and others. At the same time, Apple issued two Java updates to "address security and compatibility issues."
-http://news.cnet.com/8301-1009_3-10163217-83.html?tag=mncol
-http://www.macworld.com/article/138808/security_update_2009001.html
-http://www.theregister.co.uk/2009/02/13/_security_update_2009_001/

RIM Addresses ActiveX Vulnerability (February 10, 11 & 12, 2009)

Research in Motion (RIM) has issued an update to fix a critical flaw in an ActiveX control in its BlackBerry Application Web Loader for Windows. The application is used to move software from PCs onto the smartphones. The buffer overflow flaw could be exploited to execute code on vulnerable systems; it could also be exploited to crash Internet Explorer (IE). Microsoft has issued a related security advisory that updates its ActiveX killbit list to address this problem.
-http://www.vnunet.com/vnunet/news/2236321/blackberry-software-gets
-http://www.informationweek.com/news/personal_tech/blackberry/showArticle.jhtml?a
rticleID=213402873
-http://www.heise-online.co.uk/security/RIM-closes-critical-hole-in-BlackBerry--/
news/112623
[Editor's Note (Schultz): RIM deserves credit for changing its stance concerning vulnerabilities in BlackBerries over time. Just a few years ago RIM virtually ignored vulnerabilities; now it is announcing vulnerabilities and creating and releasing fixes for them. ]

Microsoft Malicious Software Removal tool targets Srizbi (February 11, 2009)

On Tuesday, February 10, Microsoft released an updated version of its Malicious Software Removal Tool (MSRT) that targets malware on computers that have been recruited to join the Srizbi botnet. Microsoft issues an updated version of MSRT the second Tuesday of each month, the same day it issues security bulletins. The tool checks for and removes certain malware from systems running Windows Vista, Windows XP, Windows 2000 and Windows Server 2003.
-http://www.theregister.co.uk/2009/02/11/patch_tuesday_roundup/
-http://www.microsoft.com/security/portal/Entry.aspx?Name=Trojan%3aWin32%2fSrizbi
.gen

Microsoft Issues Four Security Bulletins (February 10, 2009)

Microsoft released four security bulletins on Tuesday February 10 to address several vulnerabilities in Internet Explorer, Exchange Server, Microsoft SQL Server and the Visio component of Microsoft Office. One bulletin addresses two critical remote code execution flaws in IE7 running on Windows XP; the flaws exist for users running other versions of Windows, but have been rated Moderate. A second bulletin fixes two critical flaws in Exchange Server that could be exploited to execute arbitrary code and create denial-of-service conditions. The third and fourth bulletins address important remote code execution flaws in SQL Server and Visio.
-http://www.securityfocus.com/brief/906
-http://news.cnet.com/8301-1009_3-10160693-83.html?part=rss&subj=news&tag
=2547-1009_3-0-20
-http://www.microsoft.com/technet/security/bulletin/ms09-feb.mspx
-http://isc.sans.org/diary.html?storyid=5836

STUDIES AND STATISTICS

Study Examines Accidental Disclosure of Medical Record Data Through P2P (February 12 & January 30, 2009)

A report out of Dartmouth University says that patient information is at greater risk from accidental disclosure through peer-to-peer networks than through the theft or loss of laptops and removable storage devices. The study, "Data Hemorrhages in the Health Care Sector," describes how Professor Eric Johnson and his colleagues, along with P2P monitoring vendor Tiversa, were able to find thousands of records, including medical diagnoses, Social Security numbers (SSNs), insurance information and other data from medical institutions with relative ease. The core of the problem, according to Professor Johnson, is that health care organizations often store sensitive data in highly accessible and portable forms, such as Excel spreadsheets and Word documents.
-http://www.scmagazineus.com/Medical-data-leakage-rampant-on-P2P-networks/article
/127216/
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxo
nomyName=network_security&articleId=9127066&taxonomyId=142&intsrc=kc
_top

---

**********************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Ron Dick headed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance ? with 22,000 members.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.


Alan Paller is director of research at the SANS Institute


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/