SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XI - Issue #36

May 08, 2009

What is actually happening behind the scenes in the White House 60 day review of Cybersecurity surfaced at 10:30 AM this morning - with Dick Clarke as the outside protagonist and Larry Summers as the inside antagonist. http://www.huffingtonpost.com/richard-a-clarke/obamas-challenge-in-cyber_b_19992
6.html

Get $200 Travel Voucher if you register for the Penetration Testing Summit by May 15. Details: http://www.sans.org/pentesting09_summit/travelbucks.php
Alan

---

TOP OF THE NEWS

NERC Board Approves Revised Cyber Security Standards
DOT Inspector General's Audit Report Criticizes FAA Cyber Security
Heartland Payment Systems Regains PCI DSS Compliance

THE REST OF THE WEEK'S NEWS

ARRESTS, CHARGES, CONVICTIONS & SENTENCES
Alleged Cisco Source Code Thief Indicted
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
NSA Director Calls for Cyber Security Partnership
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Closing Arguments in RealDVD Case Expected on May 8th
VULNERABILITIES
Windows 7 Release Candidate Has Disappointments and Improvements
UPDATES AND PATCHES
Microsoft Will Offer Fix for PowerPoint Vulnerability on May 12
Google Updates Chrome Twice in One Week
DATA LOSS & EXPOSURE
Virginia Dept. of Health Professionals Says Stolen Data Were Backed Up
MISCELLANEOUS
FBI Agent Talks About Dark Market Under Cover Case

---

*********************** Sponsored By Q1 Labs **************************

FREE, DOWNLOADABLE, VIRTUAL APPLIANCE FOR LOG & COMPLIANCE MANAGEMENT: Recognizing that enterprises of all sizes are required to collect and manage event logs - and in response to the challenging economic and business conditions facing organizations everywhere - Q1 Labs is providing a FREE, feature-rich log management solution called QRadar SLIM Free Edition (FE). Click here to download now: http://www.sans.org/info/43398

*************************************************************************

TRAINING UPDATE

- - SANSFIRE in Baltimore 6/13-6/20 (24 long courses, 12 short courses) http://www.sans.org/sansfire09/event.php
- - Pen Testing and Web Application Attack Summit - June 1-2 http://www.sans.org/pentesting09_summit
- - Rocky Mountain SANS, July 7-13 (6 full-length hands-on courses) http://www.sans.org/rockymnt2009/event.php
- - SANS Boston, Aug 2-9 (6 full-length hands-on courses) https://www.sans.org/boston09/index.php
- - National Forensiscs Summit, July 6-14 http://www.sans.org/forensics09_summit/
Looking for training in your own community? http://sans.org/community/ Save 25% on all On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/spring09.php Plus Amsterdam, London, Dubai, Riyahd, Cairo, Melbourne, Canberra, and Singapore all in the next 90 days. For a list of all upcoming events, on-line and live: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

NERC Board Approves Revised Cyber Security Standards (May 6, 2009)

The board of the North American Electric Reliability Corporation (NERC) has approved changes to cyber security standards for the North American power system. The revised standards address training, cyber threat identification, and recovery of the power grid from cyber attacks. NERC requires compliance with the standards from "all bulk power system owners, operators, and users." Entities will be audited for compliance starting on July 1, 2009. Failure to comply can result in fines of up to US $1 million a day in the US.
-http://www.csoonline.com/article/491943/New_Cyber_Security_Standards_for_N._Amer
ican_Power_System
-http://www.upi.com/Business_News/2009/05/06/NERC-adopts-latest-grid-cybersecuity
-step/UPI-79681241636106/
-http://www.nerc.com/page.php?cid=2|20

DOT Inspector General's Audit Report Criticizes FAA Cyber Security (May 4, 6 & 7, 2009)

According to an audit report from the US Department of Transportation Office of the Inspector General, the country's air traffic control systems have been breached and continue to be vulnerable to cyber attacks. The intruders gained access to personnel records and network servers. The attacks affected Federal Aviation Administration (FAA) support systems, but the report says that they have the potential to spread to systems involved directly in air traffic communications, surveillance and flight information. The audit noted more than 750 high risk vulnerabilities in web applications used at the agency. It also found a lack of adequate intrusion detection and that the agency failed to manage cyber security incidents in a timely manner. The FAA responded to the report by noting that support systems and operational systems are not connected; the agency did agree that stronger security measures need to be implemented.
-http://www.msnbc.msn.com/id/30602242/
-http://gcn.com/Articles/2009/05/06/Air-traffic-control-vulnerabilities.aspx
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9132663&source=rss_null17
-http://www.techweb.com/article/showArticle?articleID=217300749§ion=News
-http://news.cnet.com/8301-1009_3-10236028-83.html?part=rss&subj=news&tag
=2547-1009_3-0-20
-http://www.oig.dot.gov/StreamFile?file=/data/pdfdocs/ATC_Web_Report.pdf
[Editor's Note (Ranum): When someone says systems are "not connected" I always wait for the "...except" which I know is going to follow. While it's the easiest, cheapest, and best form of security ever, "not connected" seems to be surprisingly hard to implement correctly, for something that needs no actual implementation. ]

Heartland Payment Systems Regains PCI DSS Compliance (May 5 & 7, 2009)

Heartland Payment Systems is once again compliant with the Payment Card Industry Data Security Standard (PCI DSS). Visa suspended Heartland from its Validated Service Providers list earlier this year; the company was placed on probation, which allowed it to process credit card transactions while in the process of recertification. A data breach at Heartland exposed payment card information for tens of thousands of transactions. Heartland says the breach and its repercussions have cost it US $12.6 million thus far; the company plans to roll out an end-to-end data encryption system later this year.
-http://www.nacsonline.com/NACS/News/Daily/Pages/ND0505094.aspx
-http://www.itworld.com/security/67598/security-breach-cost-heartland-126-million
-so-far
-http://www.theregister.co.uk/2009/05/07/heartland_breach_costs/

---

*************************** Sponsored Link: ****************************

1) Zscaler EDUCATIONAL WEBCAST: Keynote by GARTNER'S Peter Firstbrook, "Newer Threats and Newer Defenses against Web 2.0" http://www.sans.org/info/43403

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

ARRESTS, CHARGES, CONVICTIONS & SENTENCES

Alleged Cisco Source Code Thief Indicted (May 5, 2009)

A Swedish man has been indicted in a US court on charges that he allegedly stole Cisco source code. Philip Gabriel Pettersson allegedly broke into Cisco Systems' network in 2004 and stole the code; he was 16 at the time. Pettersson also faces charges that he allegedly broke into NASA's computer network at least twice, also in 2004. He faces a total of three counts of intrusion and two counts of misappropriation of trade secrets. For each charge, Pettersson faces a maximum penalty of 10 years in prison, three years of supervised release and a US $250,000 fine.
-http://www.theregister.co.uk/2009/05/06/cisco_source_code_hack_charges/
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=009132585
-http://www.cybercrime.gov/petterssonIndicted.pdf
[Editor's Note (Pescatore): Since 2006 there have been continuing reports of counterfeit network hardware showing up on the market, sometimes with questionable software loads. Remember: routers and switches aren't all that different from servers: they are hardware with a software load. Make sure you verify suppliers of everything you buy and that you have a way to assure that all software running on that hardware doesn't do what it shouldn't do.
(Paller) What John Pescatore prescribes is essential, but easier said than done. This is an area for government leadership in testing and verifying supply chains and the products of supply chains. How different is this really from food safety where the nation acts together to ensure the supply is safe? ]

GOVERNMENT SYSTEMS AND HOMELAND SECURITY

NSA Director Calls for Cyber Security Partnership (May 5 & 6, 2009)

In prepared testimony before the US House Armed Services Committee, National Security Agency (NSA) director Lt. General Keith Alexander told legislators that the country's military, federal agencies and private sector need to work together to protect critical networks from cyber attacks. Alexander said that they "have to work as a team
[because ]
the way we are working today does not work." The cyber command center will facilitate that cooperation.
-http://www.nextgov.com/nextgov/ng_20090506_6733.php
-http://www.msnbc.msn.com/id/30575707/
-http://www.theregister.co.uk/2009/05/06/cyber_command_center_proposal/
-http://news.bbc.co.uk/2/hi/technology/8033440.stm
[Editor's Note (Schultz): Talk of teamwork and cooperation between the US government and the commercial arena has circulated for years, unfortunately mostly to little or no avail.
(Northcutt): I hope this happens, I really do, but for as long as I can remember, I have been reading things like this, attending meetings with government officials and hearing the same old stuff. If I may share an Alan Paller story from 1999, Alan told me he had attended three meetings on sharing information involving the private sector and multiple agencies across government. In every case, each of the government officials said the same thing, "We really need to share information better, if all the agencies and companies would send us their data, we will coordinate it." Each official was from a different part of government, and even though the official before them had just said the same thing, they would stand up and say it, too. ]

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT

Closing Arguments in RealDVD Case Expected on May 8th (May 5 & 7, 2009)

The case regarding the legality of RealNetworks' DVD-copying software is drawing to a close; Judge Marilyn Hall Patel expects to hear closing arguments on Friday, May 8. The case revolves around a temporary restraining order that prevents RealNetworks from selling a product called RealDVD that would allow consumers to backup DVDs they purchase to their PCs under the "fair use" doctrine of US copyright law. Hollywood movie studios maintain the product was developed to make it easier for people to make bootleg copies of their products and that it violates the Digital Millennium Copyright Act.
-http://www.pcmag.com/article2/0,2817,2346726,00.asp
-http://news.bbc.co.uk/2/hi/technology/8027907.stm

VULNERABILITIES

Windows 7 Release Candidate Has Disappointments and Improvements (May 6, 2009)

Microsoft's Windows 7 release candidate, which was made available earlier this week, is already disappointing some for not implementing certain changes that would improve security. There was hope that with Windows 7, Microsoft might change its long-standing practice of hiding file type extensions in Explorer, but the newest release still hides the extensions. The problem is that attackers can trick the system into displaying a file called, for example, name.txt.exe as a .txt file, which users would perceive as being safer than an .exe file. On a brighter note, the Windows 7 version of AutoPlay does not automatically run applications on external data devices except for CD/DVD players.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9132626&source=rss_null17
-http://news.cnet.com/8301-1001_3-10234336-92.html?part=rss&subj=news&tag
=2547-1009_3-0-20
-http://voices.washingtonpost.com/securityfix/2009/05/file_extensions_still_hidde
n_i.html
-http://www.techweb.com/article/showArticle?articleID=217300251§ion=Secur
ity

UPDATES AND PATCHES

Microsoft Will Offer Fix for PowerPoint Vulnerability on May 12 (May 7, 2009)

Microsoft's will release just one security bulletin on Tuesday, May 12. The critical update will address a remote code execution vulnerability in PowerPoint. Microsoft acknowledged the flaw in early April when it issued an advisory warning that it was being used in "limited and targeted attacks." The vulnerability affects PowerPoint 2000, 2002, 2003 and 2007. The small security release is good news for PC users, as the same day, Adobe plans to will release security updates for Reader and Acrobat.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9132672&source=rss_null17
-http://www.theregister.co.uk/2009/05/07/microsoft_patch_tuesday_notice/
-http://www.microsoft.com/technet/security/bulletin/ms09-may.mspx

Google Updates Chrome Twice in One Week (May 7, 2009)

Google released two updates for its Chrome browser in two days. The first update addresses two security flaws. The first, described as critical, is an input validation error in the bitmap data processing in the rendering process. It could be exploited to execute arbitrary code. The second flaw is an integer multiplication checking bug in the Skia 2D graphics library that could be exploited to crash a browser tab or execute code in the browser's sandbox. Chrome 1.0.154.64, which was released on Tuesday, May 5, reportedly caused crashes during startup for some users; that issue was addressed in Chrome 1.0.154.65, released on Thursday, May 7.
-http://www.h-online.com/security/Google-s-Chrome-browser-vulnerable--/news/11323
1
-http://www.theregister.co.uk/2009/05/07/chrome_security_update/
-http://news.cnet.com/8301-17939_109-10236166-2.html?part=rss&subj=news&t
ag=2547-1009_3-0-20
-http://googlechromereleases.blogspot.com/2009/05/stable-update-security-fix.html

DATA LOSS & EXPOSURE

Virginia Dept. of Health Professionals Says Stolen Data Were Backed Up (May 7, 2009)

The Virginia Department of Health Professions has issued a statement saying that the data an attacker claims to have encrypted were backed up and the files secured, so the data have not been lost. The agency's website currently offers only a static page while law enforcement officials investigate the attack. The cyber extortionist has demanded US $10 million in return for the password to the encrypted database.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9132678

MISCELLANEOUS

FBI Agent Talks About Dark Market Under Cover Case (May 6, 2009)

FBI agent J. Keith Mularski answers questions about the two years he spent undercover as a cyber criminal, infiltrating Dark Market, an underground Internet forum that traded in malware, stolen financial account information and other criminal cyber activity. Mularski spent the better part of two years almost constantly online; he was able to convince other members that he was a master spammer and eventually became the administrator for the Dark Market forum server. The operation led to 60 arrests in countries around the world, including the UK, the US, Germany, and Turkey.
-http://news.cnet.com/8301-1009_3-10234872-83.html?part=rss&subj=news&tag
=2547-1009_3-0-20
[Editor's Note (Honan): Agent Mularski should be commended for his work and demonstrates the impact proactive law enforcement can have on cyber crime. Not only does his work have direct consequences resulting in arrests but the disharmony and distrust generated within the criminal community by this type of action pays huge dividends. Hopefully the powers that be will see the merit in this type of work and provide the necessary resources and training to conduct similar operations.]

---

**********************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/