SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XI - Issue #25

March 31, 2009

Probably the best site for technically grounded insights about what will really happen with Conficker is http://isc.sans.org/.
Alan

---

TOP OF THE NEWS

Canadian Researchers Uncover Huge Cyber Spy Network
Researchers Find Method to Test for Conficker Infection
US Supreme Court Lets Stand Ruling that Anti-Spam Law is Unconstitutional
FTC Says Companies Must Be Truthful Regarding DRM Technology

THE REST OF THE WEEK'S NEWS

ARRESTS, CHARGES, CONVICTIONS & SENTENCES
Former IRS Employee Charged With Unauthorized Computer Access, Filing Fraudulent Returns
Romanian National Sentenced To 50 Months for Phishing Scheme
Man Arrested, Charged with Stealing Trade Secret
VULNERABILITIES
Proof-of-Concept Exploit Code Published for Mac OS X Kernel Flaws
UPDATES AND PATCHES
Mozilla Releases Firefox 3.0.8 to Fix Two Critical Flaws
DATA LOSS & EXPOSURE
Data Security Breach at Abilene Christian University
ATTACKS & ACTIVE EXPLOITS
Conficker Infects UK Parliamentary Computer Network
STUDIES AND STATISTICS
Most Irish Companies Retain Data, But Few Have Clear Breach Policies
PUBLIC SERVICE NOTICE
For Users of Verizon EVDO cards
COOL TRAINING EVENTS
Penetration Testing Summit
Application Security Summit

---

************************ Sponsored By CA ********************************

Web-Based Security for Business Enablement

While "secure" and "Web" were once incompatible notions, they are now co-elements that support dynamic Web-based commerce. Technologies such as Web access management, single sign-on, identity management, federation, and strong authentication - when leveraged together - represent a more efficient way to conduct IT-enabled business. This IDC whitepaper explores how competitive advantage can be effectively realized through secure Web business enablement technologies. Learn more...
http://www.sans.org/info/41658

*************************************************************************

TRAINING UPDATE

- - Toronto 5/5-5/13 (15 courses) http://www.sans.org/toronto09/event.php
- - SANSFIRE in Baltimore 6/13-6/20 (24 long courses, 12 short courses) http://www.sans.org/sansfire09/event.php
- - New Orleans 5/5-5/10 (6 courses) http://www.sans.org/securityeast09/event.php
- - Washington DC (Tyson's Corner) 4/14-4/22 (5 long courses and 8 short courses) http://www.sans.org/tysonscorner09/event.php
- -- Plus San Diego, Amsterdam and more, too. See www.sans.org
- - Log Management Summit in Washington 4/5-4/7 http://www.sans.org/logmgtsummit09/
- - Looking for training in your own community? http://sans.org/community/
For a list of all upcoming events, on-line and live: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

Canadian Researchers Uncover Huge Cyber Spy Network (March 29 & 30, 2009)

Canadian researchers have uncovered what they say is a vast cyber spy network that has infected government and embassy computers in 103 countries around the world. The network, dubbed Ghostnet, appears to be controlled almost exclusively by computers in China. The researchers who discovered the network were monitoring computers belonging to the Dalai Lama's Tibetan government in exile. The malicious software used by the network allows the attackers to monitor a computer's content, including documents and email messages, as well as remotely control webcams and microphones. The researchers have not said that the network is controlled by the Chinese government. Information gathered from the Dalai Lama's computers appears to have been instrumental in an activist's arrest.
-http://www.h-online.com/security/Infiltrated-Chinese-software-spies-on-Tibetan-g
overnment-in-exile-s-computers--/news/112957
-http://news.bbc.co.uk/2/hi/americas/7970471.stm
-http://www.nytimes.com/2009/03/29/technology/29spy.html?adxnnl=1&adxnnlx=123
8457724-1IJBVHl8mv4HSnb1EI%20hCA&pagewanted=print
-http://www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espio
nage-Network
[Editor's Note (Ranum): This is how to discuss this sort of penetrations. The researchers are being careful in what they claim, are presenting evidence and facts, and are not pushing an agenda. It's nice to see such a mature approach!
(Ullrich): At last year's SANSFIRE conference, our ISC handler Maarten Horenbeck discussed his research into several similar botnets. His "Is Troy Burning" presentation can be found at isc.sans.org/presentations.]

Researchers Find Method to Test for Conficker Infection (March 30, 2009)

Researchers have found a way to detect whether or not a computer is infected with the Conficker worm. Until now, the known methods for determining whether or not a computer was infected with Conficker - monitoring outbound connections on networks and scanning each computer individually - were difficult and consumed significant amounts of resources.. The new technique involves remotely calling the NetpwPathCanonicalize() function. Dan Kaminsky said, "You can literally ask a server if it's infected with Conficker, and it will tell you."
-http://www.securityfocus.com/brief/936
-http://www.theregister.co.uk/2009/03/30/conficker_signature_discovery/
-http://www.h-online.com/security/German-researchers-develop-network-scan-for-Con
ficker-worm--/news/112963
[Editor's Note (Honan): The full research is available from the University of Bonn at
-http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/.
Nmap 4.85 Beta can also detect infected computers and can be downloaded from
-http://nmap.org/download.html.
The US DHS also released a detection tool at
-http://www.dhs.gov/ynews/releases/pr_1238443907751.shtm.

(Ullrich): Kaminsky's method is important if you need to test a large number of systems remotely. For a quick individual test, check if you can still get to sites like symantec.com or sans.org. Conficker will block access to these sites. For a list of conficker removal tools and other resources, see isc.sans.org/conficker (or use dshield.org/conficker if you are already infected because sans.org will be blocked). Also be aware of malicious fake removal tool that will certainly be offered for conficker.
(Hoelzer): This is excellent and timely news. Tomorrow we will have an opportunity to see how aware the community at large has become. ]

US Supreme Court Lets Stand Ruling that Anti-Spam Law is Unconstitutional (March 30, 2009)

The US Supreme Court will not reinstate Virginia's stringent anti-spam law. Instead, the court will let stand a Virginia Supreme Court ruling that declares the law unconstitutional because it forbids political, religious and other types of messages in addition to unsolicited commercial messages. The decision means that Jeremy Jaynes, who sent millions of spam messages, will have his 2004 conviction under that law reversed. Jaynes is currently serving time in prison for unrelated securities fraud.
-http://www.msnbc.msn.com/id/29960046/
[Editor's Note (Ranum): It's good to see this. As much as we all hate spam, free speech is more important. Recipient-side filtering is (and always will be) the only approach that has any utility, anyway. ]

FTC Says Companies Must Be Truthful Regarding DRM Technology (March 25, 2009)

The US Federal Trade Commission's digital rights management (DRM) conference in Seattle opened with an admonition to companies that they need to be forthcoming about the DRM technology they use and the limits it places upon their products. The example of Sony BMG handling of DRM that amounted to a rootkit was used to illustrate. FTC Acting Deputy Director Mary Engle also said that if companies hide details in the end-user license agreement (EULA) that contradict their advertised policies, the FTC will "come calling."
-http://arstechnica.com/tech-policy/news/2009/03/ftc-well-come-calling-about-dece
ptive-drm.ars
[Editor's Note (Pescatore): I like it. Just like states passing laws that fast food restaurants have to list calories and trans-fat levels, good to see software having to do the same thing. ]

---

************************** SPONSORED LINKS ******************************

1) Join GW's MFS program with concentrations in High Technology Crime Investigation and Security Management! http://www.sans.org/info/41663

2) InstantSecurityPolicy.com - Custom IT Security Policies Created and Delivered Online; Quick, Comprehensive, and Complete. http://www.sans.org/info/41668

3) WEBCAST: Keynote by FORRESTER, "Defenses Against Web 2.0 Threats with Cloud Security" brought by Zscaler http://www.sans.org/info/41673

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

ARRESTS, CHARGES, CONVICTIONS & SENTENCES

Former IRS Employee Charged With Unauthorized Computer Access, Filing Fraudulent Returns (March 30, 2009)

Former US Internal Revenue Service (IRS) contract employee Andrea Bennett has been charged with illegally accessing IRS computers and filing false claims. Bennett allegedly accessed the IRS's Integrated Data Retrieval System 285 times to view tax accounts of a dozen individuals and prepare six fraudulent tax returns. Bennett allegedly received more than US $13,000 in refunds from the fraudulent returns. The people who had false claims filed in their names were unaware of her activity. If convicted, Bennett could face 10 years in prison and a US $500,000 fine. A spokesperson for the Treasury Inspector General for Tax Administration (TIGTA) declined to comment, as the investigation is ongoing.
-http://www.nextgov.com/nextgov/ng_20090330_4956.php
[Editor's Note (Northcutt): The good news is the IRS is aware of the risks and has been monitoring. That monitoring results in busts like Bennet's. However, they need to be more vigilant, below are some other cases and an explanation of TIGTA:
-http://www.accountingweb.com/cgi-bin/item.cgi?id=105351&d=883&h=884&
f=882&dateformat=%o%20%B%20%Y
-http://ftp.irs.gov/privacy/article/0,,id=138125,00.html
If you read the IRS.GOV article above and are confused you are not alone. That ambiguous language and copious use of acronyms violates the OECD guideline to make your privacy policy clear. Suggest the IRS needs to read the Presidential Directive on transparency. ]

Romanian National Sentenced to 50 Months for Phishing Scheme (March 30, 2009)

A Romanian man has been sentenced to 50 months in prison for his role in a phishing scheme. A January 2008 indictment alleged that Ovidio-Ionut Nicola-Roman and six accomplices ran the phishing scheme that tricked users into providing their payment card and other financial information; Nicola-Roman pleaded guilty to one felony count of conspiracy to commit fraud in July 2008. The group then allegedly used the information to make fraudulent withdrawals from the users' accounts or buy items with their debit card numbers. Nicola-Roman was apprehended on an Interpol warrant in Bulgaria in 2007 and was extradited to the US in November 2007.
-http://www.theregister.co.uk/2009/03/30/romainian_phisher_sentenced/
-http://news.moneycentral.msn.com/provider/providerarticle.aspx?feed=AP&date=
20090330&id=9742030

Man Arrested, Charged with Stealing Trade Secret (March 27, 2009)

David Yen Lee, a naturalized US citizen, has been arrested by federal agents in Arlington Heights, IL, and charged with theft of a trade secret. Lee was employed as Technical Director of New Product Development at Valspar, a paint and industrial coating manufacturer, until he abruptly resigned from his job earlier this month. Lee surrendered his company laptop and Blackberry when he resigned. An examination of the computer found that all the temporary files had been deleted, suggesting that the computer's history had been cleared; investigators also discovered a hidden file containing unauthorized software, including a copying program. The examination also revealed that 44 gigabytes of data had been downloaded to the computer; the data included Valspar trade secrets. Agents found a thumb drive in Lee's home that contained paint formula trade secrets that were not related to Lee's work projects. The thumb drive was discovered in a packed bag; Lee had purchased a one-way ticket to China.
-http://chicago.fbi.gov/pressrel/2009/cg032709.htm
-http://www.dailyherald.com/story/?id=282101
[Editor's Note (Northcutt): Boy is this similar to the Hanjuan Jin case:
-http://www.backgroundnow.com/blog/background-check/hanjuan-jin-indicted-for-stea
ling-trade-secrets-bound-for-china/]

VULNERABILITIES

Proof-of-Concept Exploit Code Published for Mac OS X Kernel Flaws (March 27, 2009)

Proof-of-concept exploit code for five kernel vulnerabilities in Mac OS X has been published on the Internet. The first vulnerability is a remote heap overflow flaw in the AppleTalk networking stack that could be exploited to create denial-of-service conditions. The second and third vulnerabilities involve a local kernel memory leak that could result in the kernel running out of memory. The fourth vulnerability involves a race condition in the HFS vfs sysctl interface and could be exploited to cause kernel memory corruption. The fifth vulnerability involves a local arbitrary kernel memory overwrite in the HFS IOCTL handler and could be exploited to execute arbitrary code with kernel level privileges.
-http://www.techweb.com/article/printArticle?articleID=216401181&printArticle
=true

UPDATES AND PATCHES

Mozilla Releases Firefox 3.0.8 to Fix Two Critical Flaws (March 27 & 28, 2009)

Mozilla has released an updated version of Firefox, Firefox 3.0.8, to address a pair of critical security flaws. The browser has been updated for Windows, Mac and Linux systems. The flaws involve XSL transformation vulnerability and the XUL element; both could be exploited to crash the browser and allow arbitrary code execution.
-http://www.h-online.com/security/Firefox-3-0-8-now-available--/news/112952
-http://download.cnet.com/8301-2007_4-10206467-12.html?part=rss&subj=news&
;tag=2547-1009_3-0-20]


-http://www.pcworld.com/article/162139/firefox_patches_zeroday_hacking_contest_bu
gs.html
-http://www.theregister.co.uk/2009/03/30/firefox_update/
-http://www.mozilla.org/security/announce/2009/mfsa2009-12.html

DATA LOSS & EXPOSURE

Data Security Breach at Abilene Christian University (March 26, 2009)

Officials at Abilene Christian University say they know who is responsible for a cyber intrusion that exposed the personal information of an undisclosed number of individuals affiliated with the school. The server containing a database of usernames and passwords for the ACU's internal email system was attacked at the end of February and officials have said they have no reason to believe that any data have been misused. The vulnerability that was exploited to gain access to the server has been fixed. The suspect's identity has not been disclosed because of the ongoing investigation, but it appears the individual acted alone. The suspect has been cooperating with investigators.
-http://www.reporternews.com/news/2009/mar/26/acu-says-computer-server-hacked/

ATTACKS & ACTIVE EXPLOITS

Conficker Infects UK Parliamentary Computer Network (March 27, 2009)

The Conficker worm has reportedly infected the UK parliament's computers. A parliamentary spokesperson declined to answer questions beyond confirming that the computers had been infected. All major antivirus companies have had signatures protecting currently updated computers against the worm available since November 2008. The infection suggests that Parliament's antivirus software is not updated on a regular basis, although the worm's detection means that at least one machine has up-to-date signatures. Once Conficker was detected, Parliamentary workers were requested to remove unauthorized computers from the network.
-http://www.h-online.com/security/Conficker-infects-UK-parliament--/news/112947
-http://news.cnet.com/8301-1009_3-10206354-83.html?part=rss&subj=news&tag
=2547-1009_3-0-20
[Editor's Note (Ranum): Security systems that are based on the end user complying because they were asked nicely only work for networks with a handful of users. If you're in a situation where you have to "request to remove unauthorized computers from the network" you've already irredeemably lost control of the situation. ]

STUDIES AND STATISTICS

Most Irish Companies Retain Data, But Few Have Clear Breach Policies (March 27, 2009)

According to a survey from the Irish Computer Society's (ICS) Privacy Forum, nearly 95 percent of Irish organizations retain personal data, but just 31 percent have formal data breach policies in place. More than half of those surveyed said their organizations do not have formal data retention and destruction policies. Nearly 40 percent of the surveyed organizations believe the proposed two year period for data retention required of ISPs is too long. In addition, confidence in ISPs' ability to protect data from unauthorized access is low; 81 percent of respondents said they have little or no confidence in the ISPs' ability to do so.
-http://www.siliconrepublic.com/news/article/12597/cio/95pc-of-organisations-stor
e-personal-data-but-few-know-how-to-protect-it
[Editor's Note (Honan): This survey makes interesting reading as it highlights that as a result of the Data Protection Act companies have focused on the protection of data. However, the fact that very few have anything in place should those protections fail implies that Ireland should introduce breach disclosure laws to ensure that gap is closed. ]

PUBLIC SERVICE NOTICE

For Users of Verizon EVDO cards

(Northcutt): I was reviewing my cell phone bill and there was a $199.00 roaming charge for Mexico. Only problem, I have not been to Mexico. I called Verizon and they graciously agreed to remove it from my bill, but warned me it was only this once. I was in San Diego in the Gaslamp district, it looks like that is about 20 miles from the Mexican border, but Verizon said that sometimes the Mexican signal is stronger and the modem connects to the strongest signal. They said the issue is even worse between the US and Canadian border. Bottom line, if you want to avoid several hundred dollars in roaming fees, it is probably best to remove your modem from your system when not using it ( bummer for the folks with built in modems ), make sure the network you connect to is National Access, and probably kill the VZACCESS application when not working. If anyone else has a near border data roaming story you are willing to share, drop me a note, stephen@sans.edu.

COOL TRAINING EVENTS

Penetration Testing Summit

Where else can you find the best speakers from other hacker conferences all at one program: HD Moore on the future of Metasploit; Joshua Wright on evolving wireless attacks; Jeremiah Grossman on the Top Ten Web Hacking Techniques; Robert "rSnake" Hansen on web app vulnerabilities; Paul Asadoorian on late-breaking pen test techniques; Larry Pesce on using document metadata in pen tests; Jason Ostrum on VoIP pen testing; Ed Skoudis on secrets of pen testing? The Summit is June 1 and 2 in Las Vegas. Registration information is here:
-http://www.sans.org/pentesting09_summit/

Application Security Summit - April 9 - Washington DC.

Learn from actual users which application security tools and processes work best and participate in establishing requirements that may be used for large scale procurement of these tools across government.
-http://www.sans.org/appsec09_summit/

---

**********************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Ron Dick headed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/