SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XI - Issue #23

March 24, 2009

A surge of people (more than 600 in just the last few weeks) have signed up for courses they can take without traveling - On Demand, @Home and On-Site. What surprised me is that the ratings for these courses are just about as high (higher in several cases) as the ratings for SANS courses at the training conferences. Spreading the training over several weeks seems to be really effective. If your travel budget has been cut, and your security people still need to improve their skills, take a look at the schedules for these travel-free courses:

Learn at home at your own schedule, with full audio of SANS instructors plus slides and course books: http://www.sans.org/ondemand/ Learn at home with a live SANS instructor: http://www.sans.org/athome/ Have a SANS instructor come to your site: http://www.sans.org/onsite/
Alan

---

TOP OF THE NEWS

US Smart Grid Spending Opens American Homes and Businesses To Mass Blackouts
Draft Legislation Calls for White House-Level Cyber Security Position
Diebold Admits Voting Machine Audit Log Flaw

THE REST OF THE WEEK'S NEWS

ARRESTS, CHARGES, CONVICTIONS & SENTENCES
Alleged DoD Hacker Arrested in Romania
POLICY AND LEGISLATION
New Zealand's Stringent Copyright Law a No-Go
Stimulus Package Includes Changes to HIPAA Privacy Rules
VULNERABILITIES
Proof-of-Concept Code Released for Twitter Cross-Site Scripting Flaw
DATA BREACHES, LOSS & EXPOSURE
Cached Data Exposes Credit Card Info
MALWARE
psyb0t Worm Targets Home Users' Routers
ATTACKS & ACTIVE EXPLOITS
Senator Says Cyber Intrusions are on the Rise
STUDIES AND STATISTICS
Symantec Study Shows Most Companies Have Experienced Loss - From Cyber Attacks
MISCELLANEOUS
Heightened Demand Downs Wikileaks

---

***************** Sponsored By IBM Rational AppScan *********************

Improving the security of web applications starts by building software securely. IBM Rational AppScan is a suite of Web application vulnerability scanners that include dynamic and static analysis capabilities. Now you can engage more testers earlier in the development cycle. Try it for yourself. Download and evaluation copy of IBM Rational AppScan Developer Edition.
http://www.sans.org/info/40868

*************************************************************************

TRAINING UPDATE

- - Phoenix 3/23-3/30 (5 courses) http://www.sans.org/phoenix09/
- - Washington DC (Tyson's Corner) 4/14-4/22 (5 long courses and 8 short courses) http://www.sans.org/tysonscorner09/event.php
- - Amsterdam and Melbourne, too. See www.sans.org
- - Log Management Summit in Washington 4/5-4/7 http://www.sans.org/logmgtsummit09/
- - Plus Calgary, New Orleans, San Diego and more...
- - Looking for training in your own Community? http://sans.org/community/
For a list of all upcoming events, on-line and live: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

US Smart Grid Spending Opens American Homes and Businesses To Mass Blackouts (March 21, 2009)

The US's high technology, digitally based electricity distribution and transmission system known as the "Smart Grid" is slated to get $4.8 billion from the recent stimulus bill. Tests have shown that a hacker can break into the system, and cybersecurity experts said a massive blackout could result. Garry Brown, Chairman of the Public Service Commission of New York, says the benefits outweigh the risks, but "before we go rushing headstrong into a Smart Grid concept, we have to make sure that we take care of business, in this case cybersecurity."
-http://m.cnn.com/cnn/archive/archive/detail/269000/full
[Editor's Note (Paller) CNN's story hinted at a critical vulnerability. Here is the article reporting the vulnerability has been exploited,
-http://www.pcworld.com/businesscenter/article/161727/power_grid_is_found_suscept
ible_to_cyberattack.html
However, the article's author, Bob McMillan, tells NewsBites that "Travis retracted his comments about worm code being actually being written after I published the story, saying he was misinformed." Despite this retraction, the bottom line is (1) that this vulnerability is real and its scope is huge, (2) that the meter manufacturers are trying to get billions in sales without fixing the flaws, and (3) that only fast leadership by people like Garry Brown of New York with strong help from the US government will stop the vendors from locking these vulnerabilities into millions of homes. ]

Draft Legislation Calls for White House-Level Cyber Security Position (March 20, 2009)

Senate Commerce Committee Chairman John D. (Jay) Rockefeller IV (D-W.Va.) and Senator Olympia Snowe (R-Maine) are drafting legislation aimed at improving the country's cyber security. Most significantly, the bill would establish an Office of the National Cybersecurity Advisor which would be part of the Executive Office of the president. The office would have the authority to disconnect critical systems from the Internet if it has reason to believe they are under threat of imminent attack. The office would also be charged with overseeing a review of the national cyber security program every four years.
-http://www.nextgov.com/nextgov/ng_20090320_3129.php
-http://news.cnet.com/8301-13578_3-10200710-38.html
[Editor's Note (Pescatore): It is not even worth addressing the "disconnect if under threat" piece. Imagine if banks closed their doors if they were under threat of robbery, or if Congress shut down when there was a threat of dangerous legislation - OK, maybe that last wouldn't be so bad. I think the focus should be less on the Czar side and more on addressing the issue Ed Amoroso of ATT raised - making sure the government uses its purchasing power to drive higher levels of security into products and services.
(Ranum): The idea of being able to mandate a disconnect, or have agencies prepared for a disconnect, is very good - it forces the question of "what if we come under an Estonia style extended attack?" and having at least a tiny bit of preparedness along the lines of knowing which wires to cut in the event of a massive penetration. I've seen too many cases in which an organization is massively penetrated and discovers that it's impossible to shut the command and control for a botnet down long enough to clean it up, because there are too many unknown backdoors. ]

Diebold Admits Voting Machine Audit Log Flaw (March 22 & 23, 2009)

In a hearing in California last week, Premier Election Solutions, formerly known as Diebold, admitted that a flaw in its voting machines software can lose votes and fail to log the loss. Logs are an essential component of election audits. The flaw exists in all versions of the company's tabulation software.
-http://www.pcworld.com/businesscenter/article/161718/diebold_admits_voting_machi
ne_flaw.html
-http://fcw.com/Articles/2009/03/23/Web-Diebold-admits-voting-system-flaws.aspx

---

************************** SPONSORED LINKS ******************************

1) Zscaler Presents a Webcast with Keynote by Forrester: Risks and Defenses Against Web 2.0 Threats, Register Today. http://www.sans.org/info/40873

2) Learn from DTCC how RSA enVision (r) SIEM platform transformed their security operations. Read now: http://www.sans.org/info/40878

3) Alert Logic webinar demonstrates how cloud computing makes log management better, faster, and cheaper. Sign up today: http://www.sans.org/info/40883

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

ARRESTS, CHARGES, CONVICTIONS & SENTENCES

Alleged DoD Hacker Arrested in Romania (March 20, 2009)

Romanian police have arrested a man who allegedly broke into and damaged US Department of Defense computer systems. Eduard Lucian Mandru allegedly placed Trojan horse programs on some of the systems and deleted access logs, causing damages that cost US $35,000 to fix. The suspect was identified because an email address linked to the attack was also used in a CV Mandru posted on job-hunting websites. Mandru faces up to 12 years in prison; it is not yet known if the US will pursue extradition.
-http://www.scmagazineus.com/Romanian-DoD-hacker-nabbed/article/129193/
-http://www.theregister.co.uk/2009/03/20/pentagon_hack_suspect_cuffed/

POLICY AND LEGISLATION

New Zealand's Stringent Copyright Law a No-Go (March 23, 2009)

New Zealand Prime Minister John Key said that a potentially divisive Internet piracy law has been withdrawn. The Copyright Amendment Act would have required Internet service providers (ISPs) to sever Internet connections of customers who were suspected of violating copyright laws, even if the allegations were not proven. The law was slated to take effect last month, but it was postponed when citizens protested. Prime Minister Key acknowledged that there needs to be some sort of Internet copyright law; a new law will be introduced at a future date.
-http://news.smh.com.au/breaking-news-technology/new-zealand-withdraws-controvers
ial-internet-law-20090323-97d5.html

Stimulus Package Includes Changes to HIPAA Privacy Rules (March 18, 2009)

The federal stimulus package includes amended rules regarding the Health Insurance Portability and Accountability Act (HIPAA). The new provisions require doctors to keep records of when they disclose patient information. The previous regulations allowed doctors to share patient information for treatment, payment or healthcare reasons without noting when the information was shared. The new provisions do not take effect until January 2014. Medical practices are also required to post notices of data security breaches if 10 or more patients are affected. If the number of affected patients is 500 or more, the practice must notify all affected patients, a media outlet and the US Department of Health and Human Services (HHS).
-http://www.aafp.org/online/en/home/publications/news/news-now/government-medicin
e/20090318hipaa-security-rules.html
[Editor's Note (Cole): If you work in health care now is the time to act, even though the new laws will not take effect for 5 more years. As systems and networks are re-designed, start to incorporate detailed logging, concise access lists and control of patient information. It is easier to design security in than try to fix it later. ]

VULNERABILITIES

Proof-of-Concept Code Released for Twitter Cross-Site Scripting Flaw (March 21, 2009)

A cross-site scripting vulnerability in Twitter could be exploited to spread malware virally through the microblogging service. While as yet only proof-of-concept code has been released, the flaw could be exploited to hijack Twitter accounts or compromise users' computers. Twitter has been notified about the flaw.
-http://www.h-online.com/security/Twitter-XSS-vulnerability--/news/112905
-http://www.techweb.com/article/showArticle?articleID=216000011§ion=News
[Editor's Note (Northcutt): I was thinking, "yeah, so what," until I read the punch line of at the h-online site. A big risk is that the 140 character limit all but forces you to use tinyurl when you post a URL. So, users have no idea what they are clicking on until they do.. Personally, I think I am OK. I follow security people that I know, and I use noscript, but the potential is certainly here for continued problems. ]

DATA BREACHES, LOSS & EXPOSURE

Cached Data Exposes Credit Card Info (March 23, 2009)

Cached data from a server that is no longer in use has exposed 22,000 credit card numbers including CVVs, expiration dates, names and addresses; 19,000 of the cards could still be active. Most of the card numbers are for accounts in the US and the UK, though some Australian accounts are affected as well. The cached data appear to be from a now-defunct payment processing gateway that managed credit card transactions for a number of websites.
-http://www.itnews.com.au/News/99250,aussie-stumbles-on-19000-exposed-credit-card
-numbers.aspx
-http://www.theregister.co.uk/2009/03/23/cache_exposes_cybercrime_data/
[Editor's Note (Cole): Stolen credit cards are often not used for 6-9 months. A good practice to reduce exposure is to have a limit on your cards and periodically (every 6 months) replace your card. ]

MALWARE

psyb0t Worm Targets Home Users' Routers (March 23 & 24, 2009)

The psyb0t worm recruits home networking devices into powerful botnets. The malware is believed to have infected more than 100,000 routers. The botnet has been used to conduct distributed denial-of-service (DDoS) attacks. The malware may also be capable of conducting deep packet inspection to steal usernames and passwords.
-http://www.theregister.co.uk/2009/03/24/psyb0t_home_networking_worm/
-http://www.h-online.com/security/Botnet-based-on-home-network-routers--/news/112
913

ATTACKS & ACTIVE EXPLOITS

Senator Says Cyber Intrusions are on the Rise (March 20, 2009)

Cyber intruders broke into computers in the office of Senator Bill Nelson (D-Fla.). There was no classified information on the PC workstations that are used by three Nelson staffers: his foreign policy aide, his deputy legislative director and a former NASA advisor. Nelson is working with fellow Senators Rockefeller and Snowe (see story above) on legislation that would create a cyber security czar position in the White House. Senator Nelson serves on the Senate Intelligence, Armed Services and Finance Committees. In a statement disclosing the intrusions, Senator Nelson acknowledged that other computers on Capitol Hill have experienced similar attacks.
-http://lastwatchdog.com/lawmaker-hacked-cyber-invasions/
-http://blogs.usatoday.com/technologylive/2009/03/senators-comput.html?loc=inters
titialskip
-http://billnelson.senate.gov/news/details.cfm?id=310162&
[Editor's Note (Schultz): There should be no mystery here. US Congress computers are a constant target of attacks, and a surprisingly large proportion of these attacks are successful. ]

STUDIES AND STATISTICS

Symantec Study Shows Most Companies Have Experienced Loss - From Cyber Attacks (March 23, 2009)

Research from Symantec shows that 98 percent of the 1,000 IT managers from companies in the US and Europe said their companies experienced tangible loss from a cyber attack of some sort over the last two years. Forty-six percent of respondents said that cyber attacks resulted in downtime for their companies; 31 percent said customer and/or employee data were stolen; and 25 percent said corporate data were taken. Three-quarters of the European respondents said their companies are outsourcing some portion of their security operations.
-http://www.networkworld.com/news/2009/032309-study-most-organizations-hit-by.htm
l
-http://www.vnunet.com/vnunet/news/2238947/firms-outsourcing-security

MISCELLANEOUS

Heightened Demand Downs Wikileaks (March 23, 2009)

The Wikileaks website is down just days after it published a list of websites allegedly banned by the Australian Communications and Media Authority (ACMA). The Australian Communications minister refutes the authenticity of the list. The Wikileaks site now displays a message saying that "Wikileaks is overloaded by global interest," and requesting donations to pay for additional resources.
-http://wikileaks.org/
-http://www.securecomputing.net.au/News/140636,acma-blacklist-proves-too-popular-
for-wikileaks.aspx

---

**********************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Ron Dick headed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/