SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XI - Issue #28

April 10, 2009

The cybersecurity game changer came this week!

It came with the revelation of foreign nation penetration and control of computers inside power generation and distribution companies. The power company executives had assured Congress and the public that security was their top priority and that they were doing what was needed to protect the power systems in the US. Now we learn that those executives did not even know their systems had been deeply penetrated by nation states- -with software that maintained access for further action during wartime. The revelation is not a game changer because of the public outrage it caused. It is a game changer because Congressional outrage will enable the new security management at the North American Electric Reliability Corporation (NERC) to move the industry quickly from denial to action. Even as late as last month, electric industry executives were complaining that NERC's letter (posted at http://online.wsj.com/public/resources/documents/CIP-002-Identification-Letter-0
40609.pdf ) should never have been written. Instead, they proffered, NERC should keep all the industry's dirty laundry secret. Well, that dirty laundry could destroy the nation's ability to fight and its ability to survive. Kudos to Mike Assante and his NERC team for publishing the letter. If any NewsBites reader hears utility people complaining they cannot act for one reason or another, please send their names to me (apaller@sans.org). It's time for the politicians in the states they serve to know who is putting their citizens and their way of life at risk.
Alan

---

TOP OF THE NEWS

US Power Grid Infiltrated
Pentagon Spent US $100 Million to Repair Damage From Cyber Incidents
Proposed Legislation Would Prohibit SMS Spam

THE REST OF THE WEEK'S NEWS

ARRESTS, CHARGES, CONVICTIONS & SENTENCES
Eleven Face Charges in NZ Bank Online Theft
POLICY AND LEGISLATION
Three-Strikes Anti-Piracy Law Fails in French Legislature
UPDATES AND PATCHES
Microsoft to Release Eight Security Bulletins on April 14
DATA LOSS & EXPOSURE
Stolen Laptop Contains Commercial Driver's License Holder Data
ATTACKS & ACTIVE EXPLOITS
Conficker Update Spreads Through P2P Network
STUDIES AND STATISTICS
Microsoft Security Intelligence Report
MISCELLANEOUS
FBI Seizes Texas Data Centers' Equipment in Investigation
COOL TRAINING EVENTS
Penetration Testing Summit
Application Security Summit

---

************************ Sponsored By Q1 Labs ***************************

MEETING THE NERC CIP COMPLIANCE CHALLENGE: ARE YOU READY? All public and private energy companies that connect to the bulk power system must comply with this regulation by July 1, 2009, or face potential fines and penalties. Individuals responsible for network and security management at utility companies will want to join this complimentary webinar on April 14 to learn how to substantially reduce the risk of network-based threats and cyber-terrorism and comply with the NERC CIP standards. Register here:
http://www.sans.org/info/42289

*************************************************************************

TRAINING UPDATE

- - Toronto 5/5-5/13 (15 courses) http://www.sans.org/toronto09/event.php
- - SANSFire in Baltimore 6/13-6/20 (24 long courses, 12 short courses) http://www.sans.org/sansfire09/event.php
- - New Orleans 5/5-5/10 (6 courses) http://www.sans.org/securityeast09/event.php
- - Washington DC (Tyson's Corner) 4/14-4/22 (5 long courses and 8 short courses) http://www.sans.org/tysonscorner09/event.php
- -- Plus San Diego, Amsterdam and more, too. See www.sans.org
- - Log Management Summit in Washington 4/5-4/7 http://www.sans.org/logmgtsummit09/
- - Looking for training in your own community? http://sans.org/community/
For a list of all upcoming events, on-line and live: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

US Power Grid Infiltrated (April 8 & 9, 2009)

US national security officials said that the computer networks of the country's electrical grid and other utilities have been infiltrated and seeded with tools that could potentially be used to disrupt communications, electricity, and other elements of the country's critical infrastructure. As yet, there have been no attempts made to use the software to cause damage. Most of the intrusions were not detected by the companies responsible for the systems, but by US intelligence. In light of this report, cyber security experts have begun urging the Federal Energy Regulatory Commission (FERC), the Nuclear Regulatory Commission (NRC) and the Energy Department to push for legislation that would grant them more oversight and authority to manage grid (cyber) security. Earlier this week, before reports of the intrusions, the North American Electric Reliability Corporation (NERC) recommended that energy companies look closely at how they identify critical assets and critical cyber assets. A link to NERC Vice President and Chief Security Officer Michael Assante's letter regarding a compliance survey on critical cyber asset identification can be found below.
-http://online.wsj.com/article/SB123914805204099085.html
-http://fcw.com/Articles/2009/04/08/FERC-needs-to-step-up-oversight-to-safeguard-
grid.aspx
-http://www.nextgov.com/nextgov/ng_20090408_1423.php
-http://www.washingtonpost.com/wp-dyn/content/article/2009/04/08/AR2009040803904_
pf.html
-http://www.cnn.com/2009/TECH/04/08/grid.threat/index.html
-http://www.eweek.com/c/a/Security/Before-Grid-Hack-Reports-NERC-Advises-Industry
-on-Cyber-Assets-479748/
Q&A About Grid Intrusions:
-http://lastwatchdog.com/chinese-russian-cyberspies-lurk-us-electrical-grid/
Assante Letter:
-http://online.wsj.com/public/resources/documents/CIP-002-Identification-Letter-0
40609.pdf
[Editor's Note (Schultz): Over the years there have been many indications that security within electrical companies is deficient. The recent discovery of widespread malware ostensibly installed by agents of foreign countries should leave no doubt that this problem exists and that is is extremely serious given the critical role of the energy sector in the US critical infrastructure. I am thus appaled that all NERC is doing is recommending "that energy companies look closely at how they identify critical assets and critical cyber assets." Recommendations in this arena abound, but they have been largely ignored. Mandates are now clearly necessary. ]

Pentagon Spent US $100 Million to Repair Damage From Cyber Incidents (April 7, 2009)

The Pentagon has spent more than US $100 million to mitigate cyber attacks and computer network issues in the last six months. The attacks have run the gamut from vandalism to espionage. The amount spent on attacks from sources outside the US was not specified. Army Brigadier General John Davis urged the government to proactively invest in its computer networks instead of continuing to spend so much on clean up.
-http://www.msnbc.msn.com/id/30090749/
-http://www.usatoday.com/tech/news/computersecurity/2009-04-08-pentagon-cyber_N.h
tm?csp=34
-http://www.scmagazineus.com/Cyberattack-repairs-cost-Pentagon-100-million-in-six
-months/article/130376/
[Editor's Note (Northcutt): Generally the cost of mitigation is a fraction of the value of the information lost, so the $100 million number points to extraordinarily large losses. ]

Proposed Legislation Would Prohibit SMS Spam (April 6 & 8, 2009)

US Senators Olympia Snowe (R-Maine) and Bill Nelson (D-Florida) have introduced legislation that would expand the Can Spam Act to include unsolicited SMS (Short Message Service) messages. The m-Spam Act would allow the Federal Communications Commission (FCC) and Federal Trade Commission's (FTC) to pursue spammers who send messages to mobile phones. It would also prohibit sending unsolicited messages to cell phone numbers listed with the Do Not Call Registry. In the US, cell phone users must pay not only to send text messages, but to receive them as well.
-http://www.informationweek.com/news/government/policy/showArticle.jhtml?articleI
D=216403584
-http://www.eweek.com/c/a/Mobile-and-Wireless/Senators-Seek-DoNotText-List-to-Cur
b-SMS-Spam-584282/

---

************************** SPONSORED LINKS ******************************

1) Is Log & Event Management in your 2009 plan? Check out this SANS Thought Leadership interview http://www.sans.org/info/42294

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

ARRESTS, CHARGES, CONVICTIONS & SENTENCES

Eleven Face Charges in NZ Bank Online Theft (April 9, 2009)

Eleven people are facing charges in New Zealand for allegedly stealing money from online bank accounts. The fraud ring operated by breaking into National Bank accounts through the bank's secure website, transferring funds between accounts and withdrawing the money early the next day before the account was flagged for insufficient funds. One woman, Lauren Sainty, has admitted her role in the scheme and was ordered to repay nearly NZ $3,000 (US $1,744) and to serve 150 hours of community service. Nine other people appeared in court but did not enter pleas; an eleventh failed to show up at all.
-http://www.dailypost.co.nz/local/news/internet-hacker-hits-bank-account/3800248/
[Editor's Note (Honan): The fight against cyber crime will continue to be an uphill struggle if courts continue to signal to criminals that cyber crime is not treated seriously. ]

POLICY AND LEGISLATION

Three-Strikes Anti-Piracy Law Fails in French Legislature (April 9, 2009)

France's National Assembly rejected a bill that would have instituted a three-strikes-and-you're-out approach for individuals who habitually download music and movies in violation of copyright laws. Although the bill had appeared to be moving along with adequate support and was passed in the French Senate last week, the National Assembly rejected it in a 21-15 show-of-hands vote. President Nicolas Sarkozy has expressed his determination to have the law passed; the government has placed it on the agenda for an April 28 special session.
-http://www.google.com/hostednews/ap/article/ALeqM5j4VjVAXxp684miiKgGtfUEnU04OQD9
7F54SO0
-http://www.nytimes.com/2009/04/10/technology/internet/10net.html?_r=1&ref=te
chnology
-http://news.bbc.co.uk/2/hi/europe/7992262.stm

UPDATES AND PATCHES

Microsoft to Release Eight Security Bulletins on April 14 (April 9, 2009)

According to Microsoft's Security Bulletin Advance Notification, the company will release eight security bulletins on Tuesday, April 14. Five of the bulletins are deemed "critical," two have been rated "important" and one rated "moderate." The bulletins will address security issues, including remote code execution, elevation of privilege and denial-of-service in Windows, Internet Explorer (IE), DirectX, Excel, Word and Microsoft's security software. Six of the eight bulletins will require a restart.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9131386&source=rss_topic17
-http://www.microsoft.com/technet/security/bulletin/ms09-apr.mspx
-http://news.cnet.com/8301-1009_3-10216360-83.html?part=rss&subj=news&tag
=2547-1009_3-0-20

DATA LOSS & EXPOSURE

Stolen Laptop Contains Commercial Driver's License Holder Data (April 7, 2009)

A laptop computer stolen from a state office building in Kapolei, Oahu, Hawaii contains personally identifiable information of nearly 1,900 state commercial driver's license holders. The compromised information includes names, addresses and Social Security numbers (SSNs). The computer was stolen on March 18, although the drivers were not notified until April 6.
-http://www.honoluluadvertiser.com/article/20090407/BREAKING01/90407109/-1

ATTACKS & ACTIVE EXPLOITS

Conficker Update Spreads Through P2P Network (April 9, 2009)

The Conficker worm appears to be updating itself through a P2P network, placing an as-yet unknown payload on infected machines. The code that is being placed on the machines is encrypted, which complicates analysis. Conficker exploits a Windows vulnerability that was addressed in an October 2008 security bulletin from Microsoft. The new Conficker variant installs Waledac bot software and possibly scareware on infected computers.
-http://www.theregister.co.uk/2009/04/09/conficker_botnet_update/
-http://news.cnet.com/8301-1009_3-10215678-83.html?part=rss&subj=news&tag
=2547-1009_3-0-20
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9131380&source=rss_topic17
-http://www.h-online.com/security/Conficker-now-definitely-downloading-updates--/
news/113044
-http://www.techweb.com/article/showArticle?articleID=216500125§ion=News

STUDIES AND STATISTICS

Microsoft Security Intelligence Report (April 8, 2009)

Microsoft's Security Intelligence Report, which covers events in the second half of 2008, says that scareware, programs that lead users to believe their machines are infected with malware and urge them to buy phony anti-virus software, has emerged as a significant threat. The report examined file format attacks as well, which rely on users opening maliciously crafted files. Most of the file format attacks in the second half of 2008 exploit a known flaw in Windows that was patched in 2006.
-http://www.h-online.com/security/Microsoft-Security-Intelligence-Report-is-publi
shed--/news/113034
-http://www.scmagazineus.com/Microsoft-report-shows-scareware-file-fomat-bugs-on-
rise/article/130399/
-http://www.theregister.co.uk/2009/04/08/microsoft_security_report/
[Editor's Comment (Northcutt): That would make a good security awareness tip of the day. Title: Don't buy antivirus when you are scared about your computer. Text: One type of malicious code is scareware. It tries to convince you that your system is infected; it may be. But if you buy antivirus under those conditions, the attacker can take you to the website of his choice, keep your thirty dollars, not give you actual antivirus, have your credit card details, and load malware on your system. Instead go to a reputable store, buy the antivirus, and install it on your system. Also, consider running the free Microsoft Safety Scanner. ]

MISCELLANEOUS

FBI Seizes Texas Data Centers' Equipment in Investigation (April 7, 2009)

The FBI seized servers and other equipment from two Texas data centers. The raids were prompted by investigations into allegations of outstanding AT&T and Verizon bills. The owner of one of the co-location facilities said FBI agents raided his home as well and seized electronic equipment belonging to other family members. Although the investigations are focused on just two companies - Premier Voice and Lone Star Power - agents seized equipment belonging to other, unrelated companies that were using the same data centers.
-http://blog.wired.com/27bstroke6/2009/04/data-centers-ra.html
[Editor's Note (Honan): Make sure your business continuity plan includes a contingency should your provider be no longer able to provide services to you as a result of having their services cut off by another third party or indeed should equipment that your data or services reside on are seized by law enforcement agents. ]

COOL TRAINING EVENTS

Penetration Testing Summit

Where else can you find the best speakers from other hacker conferences all at one program:
HD Moore on the future of Metasploit; Joshua Wright on evolving wireless attacks; Jeremiah Grossman on the Top Ten Web Hacking Techniques; Robert "rSnake" Hansen on web app vulnerabilities; Paul Asadoorian on late-breaking pen test techniques; Larry Pesce on using document metadata in pen tests; Jason Ostrum on VoIP pen testing; Ed Skoudis on secrets of pen testing?
The Summit is June 1 and 2 in Las Vegas. Registration information is here:
-http://www.sans.org/pentesting09_summit/

Application Security Summit - April 9 - Washington DC.

Learn from actual users which application security tools and processes work best and participate in establishing requirements that may be used for large scale procurement of these tools across government.
-http://www.sans.org/appsec09_summit/

---

**********************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/