SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XI - Issue #3

January 13, 2009

Fascinating note from a manager who registered three people for SANS training this winter despite a corporate ban on nearly all travel and training for the first half of 2009. I had known about his company's ban so when I saw the three registrations come in, I wrote and asked him what happened. His answer is enlightening; it has to do with the thumb drive infections that are hitting so many people. It is the last article in this issue.
Two items on SCADA: We have been trying to get a presentation from Procter & Gamble for three years and we finally succeeded. They will present it at the SCADA Security Summit in Orlando in early February, In this talk they will show how they changed the way they purchase control systems so that the vendor that sold the control system takes full responsibility for implementation *and* for maintaining the system's security through its life cycle. Breathtakingly effective and a model that most other organizations are now beginning to evaluate. Also on SCADA, tell the hotel you are coming to the SCADA Summit to get the $189 rate - otherwise they'll try to charge you the regular $500 rate.
More on the SCADA Summit at: http://www.sans.org/scada09_summit Alan

---

TOP OF THE NEWS

Top 25 Most Dangerous Programming Errors
Cyber Security Education Legislation Introduced

THE REST OF THE WEEK'S NEWS

LEGAL ISSUES
McKinnon Says He Would Plead Guilty To CMA Violations in UK
ARRESTS, CHARGES & CONVICTIONS
Consultancy Executives Face Prison For Cyber Intrusion
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
Lost Memory Stick Holds UK Prison Inmate Medical Information
Anonymous Witness Identities Inadvertently Exposed to Press
UPDATES AND PATCHES
Oracle's Quarterly Security Update Slated for January 13
ATTACKS
Many Reporting Mysterious Tiny Charges on Credit Card Statements
University of Rochester (NY) Data Security Breach
Two Arrested in Connection with Credit Card Fraud Scheme
STUDIES AND STATISTICS
PwC Study Shows Financial Services Companies Need to Improve Data Security
MISCELLANEOUS
Police on WiFi Search and Secure Mission in Mumbai
Satyam CEO Arrested
How One Company Cleaned Up The Thumb Drive Attacks- And Learned A Lot In The Process

---

**************************** Sponsored By CA **************************

Web-Based Security for Business Enablement
While "secure" and "Web" were once incompatible notions, they are now co-elements that support dynamic Web-based commerce. Technologies such as Web access management, single sign-on, identity management, federation, and strong authentication ? when leveraged together ? represent a more efficient way to conduct IT-enabled business. This IDC whitepaper explores how competitive advantage can be effectively realized through secure Web business enablement technologies. Learn more https://www.sans.org/info/37048

*************************************************************************

TRAINING UPDATE

- - SANS 2009 in Orlando in early March - the largest security training conference and expo in the world. lots of evening sessions: http://www.sans.org/
- - SANS Security West Las Vegas (1/24-2/01) http://sans.org/securitywest09/
- - Looking for training in your own Community? http://sans.org/community/ For a list of all upcoming events, on-line and live: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

Top 25 Most Dangerous Programming Errors (January 12, 2009)

The CWE/SANS Top 25 List enumerates the 25 most dangerous programming errors. The list is a consensus of experts from more than 30 cyber security organizations around the world. The 25 errors are divided into three categories: insecure interaction between components, risky resource management, and porous defenses. Just two of the 25 errors on the list, improper input validation and improper output encoding, are responsible for more than 1.5 million security breaches in 2008. The group has also provided a list of resources to help eliminate the errors at www.sans.org/top25. The Top 25 Errors benefits software buyers, programmers, colleges and employers. First, organizations buying software are now able to stipulate that software developers mitigate the top 25 errors as a condition of purchase. Second, programmers and automated software analyzers will have a checklist against which to measure their work. Third, colleges and universities will have a resource for teaching secure coding. And finally, employers can use the list to evaluate their programmers' skills.
-http://www.sans.org/top25errors/
-http://www.nextgov.com/nextgov/ng_20090112_2005.php
-http://www.techweb.com/article/showArticle?articleID=212701491
-http://www.eweek.com/c/a/Security/List-of-Most-Dangerous-Programming-Errors-Chan
ges-IT-Security-Discussion/
-http://gcn.com/Articles/2009/01/12/Coding-errors.aspx
[Editor's Note (Paller): Will Pelgrin, CISO of New York State, has already integrated the requirement for developers of custom software to mitigate the top 25 prior to software delivery, into standard procurement language. He allowed us to post it for others to use - it is at www.sans.org/AppSecContract]

Cyber Security Education Legislation Introduced (January 9, 2009)

US Representative Sheila Jackson Lee (D-Texas) has introduced legislation that would require the National Science Foundation (NSF) and the US Department of Homeland Security (DHS) to establish a grant program to improve cyber security education at the college level. The grant funds could be used for professional development programs, associate degree programs and to buy equipment for training. The bill would also establish a program to allow state, local, tribal and private sector officials participate in and learn about the DHS's National Cyber Security Division.
-http://fcw.com/articles/2009/01/09/rep-jackson-lee-proposes-cybersecurity--bill.
aspx
[Editor's Note (Schultz): I'd be interested in learning what the relationship between Representative Lee's cyber security education improvement proposal and the National Security Agency's initiative to recognize so called "centers of academic excellence" in information assurance is. The latter has not accomplished much except to label a large number of university's information security/assurance programs, many of which have bare bones curricula, as "centers of academic excellence." Ms. Lee's proposed legislation should not be signed into law unless it promises to produce more positive outcomes than has the NSA's initiative.
(Weatherford): This is one of the most effective and lasting uses of grant funding we've seen proposed. There have been avenues to seek this type of funding in the past but this might streamline the application process and eliminate some of the DHS grant program bureaucracy. Maybe...
(Pescatore): This is one of the "devil is in the details" kind of things. Sounds good on the surface, but if anyone remembers the Law Enforcement Assistance Act back in the 1980's, vaguely throwing money at security with grants that allow broad discretion in what is security-related almost invariably have zero impact on real issues. ]

---

**************************** SPONSORED LINKS **************************

1) Take part in the SANS 5th Annual Log Management Survey: A Leading Source for Actionable Data on Key Issues and Trends. http://www.sans.org/info/37053
2) Visit the SANS Vendor Demo resource page to see the latest INFOSEC products & solutions in action! http://www.sans.org/info/37058
3) "Compliance" does not mean "Secure". Is your organization maximizing vulnerability management to maintain compliance standards? Listen to this popular SANS webcast on emerging VM trends featuring David Hoelzer. http://www.sans.org/info/37063

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

LEGAL ISSUES

McKinnon Says He Would Plead Guilty To CMA Violations in UK (January 12, 2009)

In a letter to prosecutors in the UK, Gary McKinnon has said that he would plead guilty to hacking charges there in a last ditch effort to avoid extradition to the US. McKinnon has admitted that he broke into US government computers shortly after the 9/11 attacks. He maintains he was looking for evidence of UFOs and that the systems were poorly secured. The US government estimated his actions caused US $1 billion worth of damage. McKinnon and his attorneys have tried numerous other avenues to avoid extradition. At present, the Crown Prosecution Service is reviewing McKinnon's letter. McKinnon's legal team is also seeking one more challenge to the extradition decision because the government did not take into account that he has been diagnosed with Asperger's Syndrome.
-http://news.cnet.com/8301-1009_3-10140993-83.html?tag=newsEditorsPicksArea.0
-http://www.washingtonpost.com/wp-dyn/content/article/2009/01/12/AR2009011200614.
html
-http://www.theregister.co.uk/2009/01/12/mckinnon_uk_trial_letter/

ARRESTS, CHARGES & CONVICTIONS

Consultancy Executives Face Prison For Cyber Intrusion (January 8, 2009)

Two men are facing prison time for deleting a former customer's website. Pradyumna Samal, president and CEO of Seattle-based consulting company Minecode, and Sandeep Verma, a Minecode project manager, have pleaded guilty to charges of computer intrusion in US District Court. A statement from the US Department of Justice (DOJ) indicates that the business relationship between Minecode and a client, Vinado, deteriorated in 2006; in December 2006, Samal ordered Verma to take down Vinado's online gift shop, which Minecode had built for Vinado, causing losses of approximately US $5,000. The following month, Samal apparently deleted Vinado's website, email server and database, causing an estimated loss of US $115,000. Samal and Verma each face up to one year in prison and they could be fined up to US $100,000. Their company could face a US $240,000 fine and five years of probation.
-http://www.pcworld.com/businesscenter/article/156715/web_designers_admit_to_tras
hing_clients_web_site.html
-http://seattle.bizjournals.com/seattle/stories/2009/01/05/daily33.html
-http://seattle.fbi.gov/dojpressrel/2009/pr010809.htm
[Editor's Comment (Northcutt): This is a pretty big webhosting company too, they have done some big projects, hard to believe they would be that stupid and petty. Here is what the CEO Samal says, " We're committed to performance and client satisfaction," says PK Samal, CEO of Minecode. "It allows us to develop long-term relationships with our clients and to provide them with consultative, proactive advice based on our continued understanding and discovery of their needs."
-http://www.minecode.com/CaseStudyDetail1.aspx?case=15&lob=Web%20Solutions]

GOVERNMENT SYSTEMS AND HOMELAND SECURITY

Lost Memory Stick Holds UK Prison Inmate Medical Information (January 9, 2009)

UK Health officials have apologized following the loss of a memory stick that contains personally identifiable information of people who had been seen as medical patients while at HM Prison Preston. The data are encrypted, but the password was apparently attached to the device. The data include 6,360 entries. The stick was lost on December 30. Employees of NHS Central Lancashire involved in the incident have been suspended pending the results of an investigation.
-http://www.lep.co.uk/news/Apology-after-prisoners39-health-info.4862265.jp

Anonymous Witness Identities Inadvertently Exposed to Press (January 8 & 9, 2009)

A spokesperson for US Attorney Patrick Fitzgerald inadvertently included a document containing sensitive information to an attachment to an email announcement sent to members of the media. The spokesperson intended to attach a complaint against two men who are facing felony charges in an alleged foreign exchange futures fraud scheme. The complaint mentions a number of unidentified witnesses; the inadvertently included document discloses their identities. Members of the media who received the errant information were asked to destroy it quickly.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9125438&source=rss_topic17
-http://www.theregister.co.uk/2009/01/09/email_snafu_disgorges_fed_rap_sources/

UPDATES AND PATCHES

Oracle's Quarterly Security Update Slated for January 13 (January 9, 2009)

Oracle's quarterly security patch release is scheduled for Tuesday, January 13, the same day as Microsoft's scheduled monthly security update release. While Microsoft has announced it will issue just one security bulletin, Oracle's release comprises 41 fixes that affect "hundreds of Oracle products." Oracle's batch of patches includes a number of critical fixes, including nine for Oracle Secure Backup, two for Oracle Application Server, and five for Oracle BEA WebLogic server software.
-http://www.theregister.co.uk/2009/01/09/patch_splurge/
-http://www.heise-online.co.uk/security/Oracle-plans-massive-update-for-Tuesday--
/news/112384
-http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan20
09.html

ATTACKS

Many Reporting Mysterious Tiny Charges on Credit Card Statements (January 11 & 12, 2009)

According to numerous postings at online forums, people have begun finding US $0.25 charges on their credit card bills; the charges appear to come from companies called Adele Services and GFDL. There are two possible explanations. First, thieves could be testing the validity of stolen credit card information, and second, thieves could be trying to make money by stealing tiny amounts from millions of people. Credit card holders are urged to check their statements for suspicious charges.
-http://www.boston.com/business/personalfinance/articles/2009/01/11/mysterious_cr
edit_card_charge_may_have_hit_millions_of_users?mode=PF
-http://voices.washingtonpost.com/securityfix/2009/01/tiny_charges_often_precede_
big.html?wprss=securityfix

University of Rochester (NY) Data Security Breach (January 11, 2009)

The FBI and the New York state attorney general are investigating a data security breach at the University of Rochester (U of R). A cyber intruder stole personally identifiable information of 450 current and former U of R students from a school database. The compromised data, which include names and Social Security numbers (SSNs), were copied to a computer with an IP address indicating that it was not on campus. U of R IT workers discovered the problem on January 7; the 450 people affected by the breach are being notified by letter.
-http://www.whec.com/article/stories/S739036.shtml?cat=572

Two Arrested in Connection with Credit Card Fraud Scheme (January 11, 2009)

Although two men are in custody in connection with a rash of fraudulent credit card transactions, law enforcement authorities have not been able to determine how the information was stolen. It appears that all the victims used a DVD rental machine at a gas station in Smithfield, Utah, but examination of the machine's hard drive shows no evidence of tampering, and examination of the DVD rental machine did not indicate the presence of a card skimmer. Fraudulent charges totaling more than UIS $100,000 were made in a variety of locations, including Northern California, Illinois, Florida and Spain. Officials received a tip when someone attempted to use a gift card that was traced back to one of the compromised credit card accounts; two men were arrested at a hotel in San Francisco.
-http://hjnews.townnews.com/articles/2009/01/11/news/news02-01-11-09.txt

STUDIES AND STATISTICS

PwC Study Shows Financial Services Companies Need to Improve Data Security (January 9, 2009)

According to the PricewaterhouseCoopers (PwC) sixth annual Global State of Information Security study, financial services companies need to improve their data security practices. Fifty-one percent of the more than 660 financial services companies responding to the survey say they do not hold their partners to their own privacy policies. More than half of the companies "have no accurate information about the collection, transmission and storage of customer and employee information. Forty-one percent of the companies said they do not encrypt their databases, 52 percent do not encrypt file sharing practices, 43 percent do not encrypt backup tapes, and 33 percent do not encrypt laptops.
-http://www.vnunet.com/vnunet/news/2233717/financial-firms-security-found
-http://blog.iwr.co.uk/2009/01/financial-firms.html

MISCELLANEOUS

Police on WiFi Search and Secure Mission in Mumbai (January 13, 2009)

Police in Mumbai, India, along with groups of volunteers, are scouring areas of the city for unsecured WiFi connections. Prior to physical attacks in Delhi and Ahmedabad, email messages claiming responsibility for the attacks were sent over such networks. When an unsecured access point is discovered, police have the authority to issue a notice to the owner directing that it be secured. Those not complying with the notices could then receive notices under the Criminal Procedure Code. Both homes and businesses are subject to the requirement.
-http://timesofindia.indiatimes.com/Mumbai/Cops_will_pay_you_a_visit_to_secure_Wi
Fi/articleshow/3958103.cms
-http://www.business-standard.com/india/news/mumbai-police-plug-wi-fi-security-ho
les/00/56/346002/
-http://blog.wired.com/defense/2009/01/open-wi-fi-is-f.html

Satyam CEO Arrested (January 8 & 9, 2009)

Customers of the India-based outsourcer Satyam are paying careful attention to what may be the company's implosion from an accounting scandal. Last week, Satyam chairman Ramalinga Raju admitted that his company falsified revenue and profit margins; he was arrested on Friday. Companies around the world use Satyam's services for supply chain management and business intelligence. Companies are being advised to activate contingency plans if they have them, or if not, make arrangements to find other providers quickly. Satyam depends heavily on US companies; analysts have estimated that more than half of Satyam's annual US $2 billion revenue comes from the US. The disclosure of the falsified financials has resulted in two class-action lawsuits in the US; the Securities and Exchange Board of India is also conducting an investigation.
-http://www.informationweek.com/news/management/outsourcing/showArticle.jhtml?art
icleID=212701699
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9125538&intsrc=hm_list

How One Company Cleaned Up The Thumb Drive Attacks- And Learned A Lot In The Process.

Here's the email I got in answer to "Why Did You Send People To SANS This Year When You Have A Ban On Training and Travel?" Alan,
Take a closer look; you'll find that 12 or 13 people are coming from (company) to SANS in Orlando, not just my three. The others are coming from other divisions. Here's why. You remember the big wave of attacks last November where infections were spread by thumb drives. We got hit by that. It is amazing how often people use those things. It spread to dozens of Windows file servers, and from there jumped to thousands of workstation systems. Clogged our networks. It was so bad a lot of machines, including the ones on the top floor of this building, had to be taken off line - and that got some unwanted visibility from the CEO.
We called both our AV vendors but neither had a signature for this virus yet. It took a long time and a lot of pain before we found all the machines that were hit, stop the spread to new machines, and got rid if the (expletive deleted) thing. The whole company - every US division and international.
So what does that have to do with my guys going to SANS? It turns out our CEO was in the UK visiting our facility there and somehow the topic of the virus came up and our UK manager told him it had hardly been aproblem at all in the UK. He said his security guys found it within afew minutes and cleaned it out. As you might imagine the CEO's follow-upemail to me was unpleasant. So I called my counterpart in the UK andasked him how he had dealt with the attack so easily. He told me one of his guys knew what to do immediately. He said used the built-in WindowsWMIC command to find systems with the malware processes running and thatalso told him about the changes made by the malware. Then, he used thereg command to remove an entry from the auto-start capabilities ofinfected machines to stop the malware from running on startup. He also said the reg command let him change the USB and CD/DVD autorun function to stop similar infections. After shutting down the malware and stopping it from spreading, he said he used a couple more techniques to clean up the infected machines quickly. I asked where his guy learned all that. He said at SANS, in a course called 504 which I later learned was your Hacker Exploits and incident Handling class. I reported that back to our CEO. He told me to make sure every division had at least two people who knew those techniques. So, our travel ban was lifted for SANS.

==end==

---

**********************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)


John Pescactore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Ron Dick headed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.


Alan Paller is director of research at the SANS Institute


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/