SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XI - Issue #39
May 19, 2009
TOP OF THE NEWS
One In Five Teenagers Claim to Have Used Hacking Tools
Three US Cyber Challenges To Be Announced May 29
UK Serious Organized Crime Agency Tackles Cybercrime
THE REST OF THE WEEK'S NEWS
LEGAL ISSUES
Corporate Executive Convicted in Corporate Espionage Case
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
US Air Force Cyber Command's New Home
UK Ministry of Defence Admits to Losing 28 laptops This Year
DATA PROTECTION & PRIVACY
National Child Database Goes Live Despite Security Fears
VULNERABILITIES
Password Bypass Bug in Microsoft IIS Version 6.0
DATA LOSS & EXPOSURE
Insider Steals US$9m From Water Company
ATTACKS & ACTIVE EXPLOITS
Another Phishing Attack Targets Facebook Users
Attacks from Gumblar Rise by 190%
MISCELLANEOUS
Google Services Recover From Outage
TRAINING UPDATE
- - SANSFIRE in Baltimore 6/13-6/20 (24 long courses, 12 short courses) http://www.sans.org/sansfire09/event.php
- - Pen Testing and Web Application Attack Summit - June 1-2 http://www.sans.org/pentesting09_summit
- - Rocky Mountain SANS, July 7-13 (6 full-length hands-on courses) http://www.sans.org/rockymnt2009/event.php
- - SANS Boston, Aug 2-9 (6 full-length hands-on courses) https://www.sans.org/boston09/index.php
- - National Forensics Summit, July 6-14 http://www.sans.org/forensics09_summit/
Looking for training in your own community? http://sans.org/community/
Save 25% on all On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/spring09.php
Plus Amsterdam, London, Dubai, Riyadh, Cairo, Melbourne, Canberra, and Singapore all in the next 90 days. For a list of all upcoming events, on-line and live: www.sans.org
*************************************************************************
TOP OF THE NEWS
One In Five Teenagers Claim to Have Used Hacking Tools (15th May 2009)
A recent survey of 4,000 teenagers aged 15 to 18 found that 17% of those surveyed know how to find hacking tools online, with one third of that group admitting that they have used the tools. The survey also reveals that 67% of the teenagers surveyed admitted to trying on at least one occasion to hack into a friend's email or social networking account.
-http://www.scmagazineuk.com/One-in-five-teenagers-can-find-hacking-tools-onine/article/136977/
-http://www.techworld.com/security/news/index.cfm?newsID=115913
[Editor's Note (Paller): Wouldn't it be great if the nation could tap into the energy and talent demonstrated by these young hackers and enable them to become part of the security community that makes security effective? The next story previews a national initiative that may do just that.]
Three US Cyber Challenges To Be Announced May 29
This story won't come out until a week from Friday, when three national cyber games will be announced at a Center for Strategic and International Studies (CSIS) luncheon. The competitions are part of a huge talent search and talent development program to find and nurture the young people who have the skills to become the next generation of great security professionals. We are telling you about it early because we need your help. One of the three competitions is a very cool capture the flag game in several layers. But we are trying to agree on a name for the SANS competition. Please pick the one, two or three you like best and send them back to apaller@sans.org. Thanks in advance.
SANS Netwars
SANS War Games
SANS NetAttack Games
SANS King of the Hill Challenge
SANS Security Challenge
SANS HACK/Anti-HACK
SANS InfoSec Challenge
SANS Challenge Net
SANS Security Warrior Competition
SANS Capture the Flag Student Tournament
SANS War Game Challenge
SANS War Games Challenge
SANS InfoSec Faceoff
UK Serious Organized Crime Agency Tackles Cybercrime (18th May 2009)
The UK's Serious Organized Crime Agency (SOCA) revealed in its annual report how it has been involved in tackling cybercrime. The report highlights the agency's involvement in the FBI's undercover operation against the online criminal forum Darkmarket. That case resulted in 57 arrests worldwide, including 12 in the UK, and the recovery of over 16,000 compromised UK credit cards. The agency also discussed its investigation into the attempted GBP 229 million robbery at Sumitomo Mitsui Banking Corporation in London, which resulted in the conviction of five men. SOCA has also recently called for greater use of "remote search" techniques, which allow law enforcement agencies to legally hack into a suspect's computer, in tackling cybercrime.
-http://news.zdnet.co.uk/security/0,1000000189,39652583,00.htm
-http://www.pcadvisor.co.uk/news/index.cfm?newsid=115940
-http://www.theregister.co.uk/2009/05/15/soca_hacking/
-http://www.soca.gov.uk/assessPublications/
THE REST OF THE WEEK'S NEWS
LEGAL ISSUES
Corporate Executive Convicted in Corporate Espionage Case (15th May 2009)
David Goldenberg, a former vice-president of the electronics firm AMX Corp, pleaded guilty in a New Jersey court to illegally accessing internet e-mail belonging to a marketing firm working for a competitor, Crestron Electronics. Goldenberg appears to have gained access to web-based email accounts for four employees of the marketing firm, Sapphire Marketing. Over a seven-month period Goldenberg accessed these email accounts and is believed to have gained access to Crestron Electronics' future product plans, customers, pricing and contract negotiations with dealers. Goldenberg's activities were detected when a staff member at Sapphire noticed that her emails were being forwarded to another account. Crestron Electronics' executive vice president Randy Klein said "the full damage caused by our chief competitor illegally obtaining this information is immeasurable and has seriously impacted our past, present and future business." Sentencing in the case is due on June 26th.
-http://www.networkworld.com/news/2009/051409-amx-email-espionage.html?page=1
-http://www.pcworld.com/businesscenter/article/164931/corporateespionage_email_breakin_case_zaps_electronics_industry.html
-http://www.northjersey.com/business/news/44853647.html
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
US Air Force Cyber Command's New Home (18th May 2009)
The US Air Force is to locate its cyber command headquarters at the Lackland Air Force Base in San Antonio, pending the results of an environmental impact study to be completed later this summer. The operations will focus on defending Air Force computers and networks from disruptions and cyber attacks. Lackland is also home to the Intelligence, Surveillance and Reconnaissance Agency, the Cryptologic Systems Group, the 67th Network Warfare Wing, the Information Operation Center and the Joint Operations Warfare Command.
-http://www.mysanantonio.com/military/45051917.html
-http://fcw.com/articles/2009/05/18/air-force-cyber-command.aspx
UK Ministry of Defence Admits to Losing 28 laptops This Year (15th May 2009)
The UK Ministry of Defence has admitted that between January 1st and May 11th of this year, 28 laptops, 20 USB drives, four PCs and a BlackBerry were lost or stolen. It is unclear whether any of the lost devices were encrypted. Minister of State Bob Ainsworth said "New processes, instructions and technological aids are also being implemented to mitigate human errors and raise awareness of every individual in the department."
-http://news.zdnet.co.uk/security/0,1000000189,39652594,00.htm
-http://www.itpro.co.uk/610882/ministry-of-defence-has-lost-28-laptops-this-year
-http://news.bbc.co.uk/2/hi/uk_news/8050905.stm
DATA PROTECTION & PRIVACY
National Child Database Goes Live Despite Security Fears (18 May 2009)
The UK Government will launch a national database system, ContactPoint, containing details of all children under 18 years of age in England. ContactPoint was proposed following investigations into the death in 2000 of a young girl by her abusive guardians. The investigation found that while various agencies held crucial information relating to her case, that information was not shared, a factor many believe led to her death. The system has twice been delayed amid security concerns with a report from auditors Deloitte and Touche in 2007 claiming the database could never be totally secure. The UK Government says the system is vital in preventing any children from slipping through the net and that the 390,000 people who will be authorized to access the database will have gone through stringent security training.
-http://news.bbc.co.uk/2/hi/uk_news/education/8052512.stm
-http://www.theregister.co.uk/2009/05/17/contactpoint_follow_up/page4.html
-http://www.thisislondon.co.uk/newsheadlines/article-23693634-details/Government+child+database+goes+live/article.do?expand=true
VULNERABILITIES
Password Bypass Bug in Microsoft IIS Version 6.0 (16th May 2009)
A WebDAV vulnerability in Microsoft's Internet Information Server 6.0 (IIS) enables attackers to gain access to password-protected files and directories controlled by the web server. Attackers can also use the exploit to upload and download files to the server. The attack exploits a flaw in the processing of Unicode characters added to a web address. WebDAV is not enabled by default on IIS 6.0. Web administrators are urged to temporarily disable WebDAV until the issue is addressed. A spokesperson from Microsoft said "We're currently unaware of any attacks trying to use the claimed vulnerability or of customer impact," but the US-CERT team are reporting "active exploitation" of the bug.
-http://www.theregister.co.uk/2009/05/18/iis6_file_pilfering_bug/
-http://www.h-online.com/security/Security-hole-in-IIS-6-0--/news/113303
-http://www.us-cert.gov/current/index.html#microsoft_internet_information_services_iis
Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=6397
DATA LOSS & EXPOSURE
Insider Steals US$9m From Water Company (May 15th 2009)
A former employee at the California Water Service Company is being sought by police for allegedly transferring US$ 9 million from the company's accounts into a number of offshore bank accounts and subsequently fleeing the country. Former internal auditor for the company, Abdirahman Ismail Abdi, resigned from his position on April 27. He is alleged to have returned to the premises later that night and made three wire transfers totalling US$ 9 million to bank accounts in Qatar. The transactions were spotted by the company the next morning and the money was returned. Currently Abdi's whereabouts are unknown but federal agents believe he may have fled the country as his wife and children flew to Germany on April 28.
-http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2009/05/15/BA4U17KGAE.DTL
-http://www.scmagazineus.com/California-water-company-insider-steals-9-million-flees-country/article/136923/
ATTACKS & ACTIVE EXPLOITS
Another Phishing Attack Targets Facebook Users (15th May 2009)
Users of the social networking site Facebook have been subjected to another phishing attack. The attackers gained access to the social networking site by using legitimate user accounts and then directing the contacts of the compromised accounts to websites containing malicious software. The attackers ostensibly gained access to the initial accounts by exploiting easy-to-guess passwords.
-http://technology.timesonline.co.uk/tol/news/tech_and_web/article6294169.ece
-http://www.theregister.co.uk/2009/05/15/facebook_phishing_scam/
-http://news.bbc.co.uk/newsbeat/hi/technology/newsid_8055000/8055644.stm
[Editor's Note (Schultz): Social networking is incredibly popular, yet it poses so many risks that people should think twice before joining any social networking site. I decline all invitations to join MySpace, Facebook, and other sites mainly because of the risk of identity theft when personal information is shared on these sites.]
Attacks from Gumblar Rise by 190% (15th May 2009)
Infection rates for an attack that has been slowly spreading since late March have jumped nearly 190 percent in the last week. The attack, called Gumblar, infects legitimate websites with malicious code causing visitors to the site to be infected with a family of Trojans. The attack targets known exploits in Adobe PDF and Adobe Flash files. Once a system has been compromised, the malware will steal any FTP credentials on the user's PC and replace the links in Google search results, which allows the attackers to redirect the user to a site of the attacker's choosing. Users are advised to update to the latest versions of Adobe software.
-http://www.computerweekly.com/Articles/2009/05/15/236069/reports-of-gumblars-death-greatly-exaggerated.htm
-http://www.scmagazineus.com/Gumblar-website-compromises-increase-188-percent-this-week/article/136836/
MISCELLANEOUS
Google Services Recover From Outage (15th May 2009)
An error in Google's traffic routing system is believed to have been the cause of a service outage lasting several hours on May 14. Google has stated the error caused several Google services to route all traffic through its Asian servers. The resulting load in network traffic caused a slowdown in a number of services including Gmail, YouTube and Google Search. Google estimates that the outage impacted 14% of users. A problem with Gmail in April left many users unable to access their email. These problems have caused a number of commentators to question the viability of using the Google Services for enterprise use.
-http://www.vnunet.com/vnunet/news/2242321/google-owns-service-outage
-http://www.smh.com.au/news/technology/biztech/google-back-up-after-outage/2009/05/15/1242335859759.html
Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=6388
**********************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.
Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/