SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XI - Issue #34

May 01, 2009

---

TOP OF THE NEWS

US Cyber Security Needs an Overhaul
US Cyber Warfare Policy Should be Transparent
Swedish ISPs Say They Will Not Log IP Addresses

THE REST OF THE WEEK'S NEWS

ARRESTS, CHARGES, CONVICTIONS & SENTENCES
Nugache Worm Author Sentenced
POLICY AND LEGISLATION
Lawmakers Seek to Increase Federal Energy Regulatory Commission's Authority
French Legislators to Debate Three Strikes Law Again
DATA PROTECTION & PRIVACY
Four UK NHS Trusts Sign Formal Undertakings for Violating Data Protection Act
VULNERABILITIES
Adobe Acknowledges Reader and Acrobat Flaws
UPDATES AND PATCHES
Mozilla Releases Firefox 3.0.10 and Firefox 3.5 Beta 4
DATA BREACHES, LOSS & EXPOSURE
West Virginia State Bar Computer Network Breached
ATTACKS & ACTIVE EXPLOITS
Conficker Now Turning Infected Machines Into Spam Servers
MISCELLANEOUS
British Army Captain Threw Laptops Overboard
Swine Flu Briefing/Resource and Technical Security Management Newsletter

---

******************* Sponsored By Sourcefire, Inc. ***********************

Your Network Security Isn't Good Enough Anymore

Today's threats-and networks-are dynamic. Unfortunately most network security systems are not.

Join Martin Roesch, Founder and CTO of Sourcefire(R) and Creator of Snort(R), in a series of seminars, as he shows why network security must include full network visibility, relevant context, and automated impact assessment to be effective.

More information http://www.sans.org/info/43048

************************************************************************* TRAINING UPDATE

- - Application Security Workshop April 29, Washington DC http://www.sans.org/appsec09_summit
- - Toronto 5/5-5/13 (15 courses) http://www.sans.org/toronto09/event.php
- - SANSFire in Baltimore 6/13-6/20 (24 long courses, 12 short courses) http://www.sans.org/sansfire09/event.php
- - New Orleans 5/5-5/10 (6 courses) http://www.sans.org/securityeast09/event.php
- - Pen Testing and Web Add Summit - Looking for training in your own community? http://sans.org/community/
For a list of all upcoming events, on-line and live: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

US Cyber Security Needs an Overhaul (April 29, 2009)

Calling the United States' approach to cyber security "broken," "childlike," and "embarrassing," experts in the field are calling for "rethinking how we do (cyber security)." Reports that indicate infiltration of the US power grid and theft of data from the Joint Strike Fighter Project by foreign cyber attackers have brought the issue of cyber security to the forefront; in recent weeks, legislators have introduced bills aimed at fixing the problems in the system. A valuable means of improving federal cyber security is through procurement; if agencies require that the products they purchase have specific security features baked in, vendors are more likely to develop effective products.
-http://news.bbc.co.uk/2/hi/technology/8023793.stm
The full hearing is available at the Senate site - some zingers in there:
-http://hsgac.senate.gov/public/index.cfm?Fuseaction=Hearings.Detail&HearingI
D=fd18b89f-b540-4e9a-9c52-823013751b9b
[Editor's Note (Skoudis): The constant stream of exploitation and excuses for bad security over the past decade may have grown public frustration to the tipping point. It really seems like we are poised to make some major strides forward in improving cyber security, and that's some very good news. ]

US Cyber Warfare Policy Should be Transparent (April 29, 2009)

According to a report from the National Research Council's Committee on Offensive Information Warfare, "the current policy and legal framework regulating use of cyberattack by the United States is ill-formed, undeveloped, and highly uncertain." The report recommends that the US "establish clear national policy on the use of cyberattack, while also continuing to develop its technological capabilities in this area. The US Policy should be informed by open national debate on the technological, policy, legal, and ethical issues of cyberwarfare."
-http://fcw.com/articles/2009/04/29/web-cyberoffense-recommendations.aspx
-http://www.nextgov.com/nextgov/ng_20090429_8883.php
-http://www8.nationalacademies.org/onpinews/newsitem.aspx?RecordID=12651
[Editor's Note (Skoudis): This concept is important as a form of cyber deterrence. While the US doesn't need to go into details about its capabilities, it should signal would-be adversaries that it has significant offensive cyber capabilities and that it is willing to use them. Otherwise, too much ambiguity could lead to tragic miscalculations by would-be foes. ]

Swedish ISPs Say They Will Not Log IP Addresses (April 28 & 29, 2009)

Tele2 AB, one of Sweden's major Internet service providers (ISPs), will become the second ISP in that country to stop logging users' IP addresses; the decision was made in response to Swedish legislation that makes it easier for copyright holders to obtain identities of users suspected of downloading copyrighted material without permission. The law, which took effect on April 1, allows copyright holders to obtain court orders requiring ISPs to provide the IP addresses of computers suspected of being used for illegal downloading. Earlier in April, Swedish ISP Bahnhof announced it would cease keeping log files.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9132324&source=rss_null17
-http://arstechnica.com/telecom/news/2009/04/second-swedish-ip-decides-to-nuke-ip
-address-logs.ars

---

*************************** Sponsored Links: ****************************

1) EDUCATIONAL WEBCAST: Keynote by Gartner's Peter Firstbrook, "How Hackers Exploit Browsers & Active Content" http://www.sans.org/info/43053

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

ARRESTS, CHARGES, CONVICTIONS & SENTENCES

Nugache Worm Author Sentenced (April 29, 2009)

Jason Michael Milmont, who last year admitted to creating the Nugache worm, has been sentenced to one year of home confinement and five years of supervised release. He was also ordered to pay US $37,000 in restitution. Nugache was used to create a botnet that used a peer-to-peer system to send instructions to infected computers. Milmont used the botnet to launch a distributed denial-of-service (DDoS) attack against an online company based in California and to steal financial information, which he used to make fraudulent purchases.
-http://www.theregister.co.uk/2009/04/29/hacker_avoids_prison/
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9132337&source=rss_null17
[Editor's Note (Northcutt): Complicating factor: apparently Mr. Milmont had a brain tumor. He was very clever though. The Dittrich paper on Nugache at the University of Washington site is also a good read and there are a couple nuggets in the hometown paper link:
-http://staff.washington.edu/dittrich/misc/malware08-dd-final.pdf
-http://www.trib.com/articles/2008/06/28/news/wyoming/doc48656c8a93378754215938.t
xt]

POLICY AND LEGISLATION

Lawmakers Seek to Increase Federal Energy Regulatory Commission's Authority (April 29, 2009)

Legislation expected to be introduced this week in the US Congress is intended to provide increased protection for computer systems that control the country's critical infrastructure. The proposed legislation would give the Federal Energy Regulatory Commission (FERC) the authority to require protective emergency action by companies that own and control the networks that support the country's power grid in the event of certain cyber attacks. Experts say the legislation does not go far enough and should cover companies that control transportation and water elements of the critical infrastructure as well.
-http://www.washingtonpost.com/wp-dyn/content/article/2009/04/29/AR2009042902953_
pf.html
-http://fcw.com/Articles/2009/04/30/Web-FERC-authority.aspx
-http://www.nextgov.com/nextgov/ng_20090429_2476.php
[Editor's Note (Schultz): This legislation may not (as critics have said) go far enough. Still, when it comes to cybersecurity-related legislation, any step ahead is better than none. Greatly expanding the scope of the legislation would also increase the likelihood that serious resistance, resistance that might cause the legislation to hang in committee, would surface. ]

French Legislators to Debate Three Strikes Law Again (April 29, 2009)

The French government has resubmitted legislation that calls for Internet service providers to sever customers' Internet connections if they persist in downloading digital content in violation of copyright laws. Users violating copyright law would first receive an email, then a letter by post, and finally would have their connection cut off. French legislators rejected a version of the bill earlier this month. That vote came as a surprise; previous legislative activity had indicated ample support for the bill's passage. A vote on the new bill is expected next week. Those opposing the legislation say it would be a violation of civil liberties and would prove difficult if not impossible to enforce.
-http://www.msnbc.msn.com/id/30486443/
-http://news.bbc.co.uk/2/hi/technology/8024475.stm

DATA PROTECTION & PRIVACY

Four UK NHS Trusts Sign Formal Undertakings for Violating Data Protection Act (April 30, 2009)

Four UK NHS Trusts found to be in violation of the Data Protection Act have signed formal undertakings saying that they will encrypt all mobile and portable data storage devices. They have also agreed to deploy security measures to ensure that patient data are accessed only by those with authorization. The four trusts are the Cambridge University Hospital HNS Foundation Trust, which lost medical details of 741 patients that were on a memory stick without proper authorization; Central Lancashire Primary Care Trust, which lost an encrypted memory stick with personal medical details of 6,360 patients; the North West London Hospitals NHS Trust, which lost test results of 381 patients due to the theft of two laptop computers and one desktop computer; and Hull & East Yorkshire Hospitals NHS Trust, which lost unencrypted data of 2,300 patients due to the theft and loss of computers.
-http://www.computing.co.uk/computing/news/2241469/four-nhs-trusts-lose-patient
-http://www.cambridge-news.co.uk/cn_news_home/displayarticle.asp?id=412764
-http://news.bbc.co.uk/2/hi/uk_news/england/cambridgeshire/8027709.stm

VULNERABILITIES

Adobe Acknowledges Reader and Acrobat Flaws (April 28 & 29, 2009)

Adobe has acknowledged that "all currently supported shipping versions of Adobe Reader and Acrobat, (versions) 9.1, 8.1.4, 7.1.1 and earlier, are vulnerable to" two flaws that could be exploited to allow remote code execution. Users are encouraged to disable JavaScript in Adobe Reader until the vulnerability is addressed. Proof-of-concept exploit code for both vulnerabilities has been made available on the Internet. You can disable JavaScript in Adobe Reader by using the Preferences menu (Edit, Preferences, JavaScript and uncheck the "Enable Acrobat JavaScript" box). Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=6286
-http://news.cnet.com/8301-1009_3-10229070-83.html?part=rss&subj=news&tag
=2547-1009_3-0-20
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9132307&source=rss_null17
-http://www.securityfocus.com/brief/953
-http://www.us-cert.gov/current/index.html#adobe_reader_javascript_function_vulne
rability
[Editor's Note (Skoudis): Ouch... another major flaw in Adobe Reader. Perhaps it's time to either re-architect the underlying security architecture of the product, or ship it with all of its fancy doo-dads (like Javascript execution) disabled... or both. Or, maybe organizations should start looking for alternative, less-often-exploited pdf rendering programs.
(Ullrich): Users should turn off Javascript support and keep it turned off even after a patch is released. This feature appears to be an endless source of similar flaws.
(Pescatore): Between Acrobat and Flash, Adobe has a continuing stream of serious vulnerabilities coming out. Make sure your patch processes are up to dealing with these - workarounds like turning off Javascript never work. I hope there are some next generation versions of these products coming out that will change the trend in critical vulnerabilities. ]

UPDATES AND PATCHES

Mozilla Releases Firefox 3.0.10 and Firefox 3.5 Beta 4 (April 30, 2009)

Just one week after releasing Firefox 3.0.9, Mozilla has released Firefox 3.0.10 to address a bug that caused the browser to crash in certain situations. The crash issue could result in memory corruption; it may have been inadvertently introduced when developers were fixing an earlier vulnerability. Mozilla has also released Firefox 3.5 Beta 4. Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=6274
-http://www.theregister.co.uk/2009/04/30/firefox_week_bug/
-http://blog.internetnews.com/skerner/2009/04/mozilla-firefox-updates-to-301.html

DATA BREACHES, LOSS & EXPOSURE

West Virginia State Bar Computer Network Breached (April 28 & 29, 2009)

The West Virginia state bar said that it discovered a computer intrusion that penetrated the organization's internal computer network. The State Bar's Ad Hoc Technology Committee considers all information on the network compromised. The affected data include the Social Security numbers (SSNs), names and addresses of current and former members. All affected individuals will be notified of the breach. The breach was discovered during a website upgrade; the website has been offline since April 17 as a result of the intrusion. Forensic experts are investigating.
-http://www.wvmetronews.com/index.cfm?func=displayfullstory&storyid=30188
-http://sundaygazettemail.com/News/200904280322

ATTACKS & ACTIVE EXPLOITS

Conficker Now Turning Infected Machines Into Spam Servers (April 28 & 29, 2009)

The Conficker worm is now installing malware called Waledac on infected machines; the malware turns the machines into spam servers. The affected computers are being used to send out spam at a rate of about 10,000 -20,000 messages per machine each day, far below the volume of which they are capable, but low enough to avoid being detected. As many as 12 million machines are believed to be infected with Conficker.
-http://www.zdnetasia.com/news/security/0,39044215,62053678,00.htm
-http://www.msnbc.msn.com/id/30453812/
[Editor's Note (Skoudis): Just last week at RSA, I mentioned that the most likely outcome of Conficker is that it would be used for fairly mainstream and pedestrian purposes such as spam. Kind of anti-climactic given all the hype.
(Ullrich): The "12 million" machine number appears to be outdated. Thanks to all the media coverage, conficker was removed from most of these systems and there are probably only 1-2 Million infected systems left at this point.
(Honan): This is where having proper egress rules on your firewall restricting email traffic from only the IP addresses of your email servers helps you to not become part of the spam problem. If you are actively monitoring your firewall logs it will also detect infected machines on your network. ]

MISCELLANEOUS

British Army Captain Threw Laptops Overboard (April 30, 2009)

British Army intelligence officer Captain James Rands told the High Court that he threw two laptops into the English Channel to destroy them. The hearing was part of an effort by six Iraqis who maintain they were mistreated at a battle near Basra in 2004 to make the government order a judicial review. The laptop held photographs of 20 people who had been killed in the battle; the photos were taken to identify the dead. Captain Rands told the court that he believed tossing the machines into the sea was a "nothing issue." When asked if he perhaps invented the story of throwing the laptops overboard to avoid having his computer's memory inspected, Captain Rands replied that he "had a large volume of work documents that p(he) was not supposed to have on (his) computers, (and that) it ... looks worse than it actually is."
-http://www.theregister.co.uk/2009/04/30/army_laptops/
-http://www.telegraph.co.uk/news/newstopics/onthefrontline/5248472/Army-intellige
nce-officer-threw-laptops-in-English-Channel.html
[Editor's Note (Hoelzer): His last statement forces you to wonder how often trusted people have improperly put sensitive data on mobile systems despite what are sometimes significant controls. How, exactly, is that "not as bad as it seems?"!
(Schultz: It sounds as if the British Army needs to provide more security awareness and training to its officers, as evidenced by Captain Rands' ludicrous statements. ]

Swine Flu Briefing/Resource and Technical Security Management Newsletter (May 1, 2009)

Information on the Swine Flu is somewhat fragmented and sometimes sensational or incorrect. SANS has put a briefing package together that may be a useful resource on the topic:
-http://www.sans.edu/resources/leadershiplab/pandemic_watch2009.php
In addition, we are experimenting with a monthly newsletter concept designed for people that used to have hands-on technical jobs and are now dealing with group leader or middle management responsibilities. Please take a look. If you like it, hate it, feel it is OK, but needs something additional, please share your thoughts with stephen@sans.edu.
-http://www.sans.org/newsletters/execubytes/2009/execubytes_1_1.pdf

---

**********************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/