SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XI - Issue #55

July 14, 2009

Last month, National Defense University published Frank Kramer's new book, "Cyber Power and National Security." The book quickly became the top book on the desks (and night-stands) of policy makers focusing on cyber security. The technical sections of the book are deep enough to impress the top vulnerability folks, and the policy sections offer fresh and important approaches to the strategic uses of cyber power. Kramer was one of the DoD strategists widely credited with helping to "win the cold war." It's great to have him focusing on cyber security.

Alan


PS. Cloud security is a main topic at the WhatWorks in Virtualization and Cloud Computing Security Summit August 18-19 in Washington DC:
http://www.sans.org/virtualization09_summit/

---

TOP OF THE NEWS

Ireland's Data Retention Bill
Study Finds Companies Lacking Disaster Recovery Plans

THE REST OF THE WEEK'S NEWS

ARRESTS, INDICTMENTS & SENTENCES
Man Jailed in China for Infecting Software with Viruses
Chinese National Indicted for Export Violations
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
South Korea Steps Up Pace of Establishing Financial Cyber Security Center
France Creates New Cyber Security Agency
SOCIAL NETWORKING
Twitter Hit by Koobface
DATA BREACHES, LOSS & EXPOSURE
LexisNexis Warns of Data Security Breach
ATTACKS & ACTIVE EXPLOITS
Microsoft Warns of Zero-Day Flaw in Office Web Components ActiveX Control
Malware Responsible for DDoS Attacks Deletes Data on Host Computers
MISCELLANEOUS
No Hard Evidence Points to North Korea in DDoS Attacks
Security Control Metric Eases Consensus Process

---

******************** Sponsored By Norwich University ********************

Norwich University's Master of Science in Information Assurance program allows information security professionals to integrate their technical competencies with business management skills. A comprehensive core curriculum and an individual case study project equip graduates with the skills to manage and lead an organization-wide information security program. http://www.sans.org/info/45963

*************************************************************************

TRAINING UPDATE

- - SANS Network Security, San Diego Sept. 14-22; the Fall's biggest security training conference-- 20 full length courses and 16 short courses plus a big exhibition http://www.sans.org/ns2009
- - SANS Boston, Aug 2-9 (6 full-length hands-on courses) https://www.sans.org/boston09/index.php
- - The Forensics Summit starts on July 9, and has four courses http://www.sans.org/forensics09_summit/event.php
- - The Virtualization and Cloud Security Summit on August 17-18 in Washington; courses in the following days http://www.sans.org/info/43118
Looking for training in your own community? http://sans.org/community/ Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/courses.php
Plus Amsterdam, London, Dubai, Riyahd, Cairo, Melbourne, Canberra, and Singapore all in the next 90 days. For a list of all upcoming events, on-line and live: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

Ireland's Data Retention Bill (July 13, 2009)

Ireland's Communications (Retention of Data) Bill 2009 will require Internet service providers (ISPs) to retain users' Internet use information for one year; the bill also reduced the amount of time phone records must be retained from three years to two years. The revision of phone record retention brings Irish law in line with a European Union directive that requires member states to retain phone data for at least six months but not more than two years. The retained data will not include the content of phone calls or emails.
-http://www.examiner.ie/ireland/retention-period-for-phone-data-to-be-cut-96213.h
tml
-http://www.siliconrepublic.com/news/article/13407/government/irish-govt-to-retai
n-all-web-text-and-phone-data-for-two-years
[Editor's Note (Honan): The original intention for the Data Retention Bill was to provide the Irish police and defence forces access to the retained data to help tackle serious crime and terrorism. However, this bill also gives access to that same data to Ireland's revenue commissioners
-http://www.examiner.ie/ireland/watchdog-concern-at-revenue-data-access-96329.htm
l.
There is a lot of unease amongst many people about the impact to privacy this bill brings and adding above the scope creep without consultation only adds to that unease and distrust. ]

Study Finds Companies Lacking Disaster Recovery Plans (July 10, 2009)

A study of 117 small and medium-sized Irish businesses found that 43 percent have not established disaster recovery plans. Of those, more than half say they do not plan to create one. Sixteen percent said their organizations were too small to merit a disaster recovery plan, while 12 percent said that implementing such a plan would be too expensive. All companies surveyed said they use backup technology. Sixteen percent of the companies said they store their backup media onsite; 26 percent said their backup storage facilities are not fireproof. Thirty-nine percent of the companies said they had experienced problems retrieving and restoring data from backup media; 31 percent of the companies have never conducted a test restore.
-http://www.siliconrepublic.com/news/article/13397/cio/43pc-of-firms-have-no-disa
ster-recovery-plans
[Editor's Note (Schultz): There is still another reason why small and medium businesses do not have disaster recovery plans, namely the fact that disaster recovery is so difficult and complex to really do correctly. Organizations of this size thus frequently "give up in advance" rather than to invest the time and resources needed. ]

---

*************************** SPONSORED LINKS******************************

1) WEBCAST: Hacking Web 2.0 with Browser Exploits
http://www.sans.org/info/45968
2) SANS Vendor Demo Spotlight: Intellitactics - SAFE LP Do more with your logs: PnP log acquisition from any device located anywhere. http://www.sans.org/info/45973
3) Be sure to register for the Ask The Expert Webcast: Managing Change and Event Monitoring for Sustainable NERC CIP Compliance http://www.sans.org/info/45978 Sponsored By: NitroSecurity

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

ARRESTS, INDICTMENTS & SENTENCES

Man Jailed in China for Infecting Software with Viruses (July 13, 2009)

A court in Shanghai has sentenced a man to two-and-a-half years in jail for inserting viruses into software products made by his former employer, an IT company. In late 2007, the company's clients began complaining that the software was automatically deleting data from their computers. Pu Jiazhi had resigned from the company several months earlier; police examining his computer found evidence that he had created the malware responsible for deleting the data. Pu's actions cost the company more than 250,000 yuan (US $36,584) in compensation to its clients.
-http://www.shanghaidaily.com/sp/article/2009/200907/20090713/article_407225.htm

Chinese National Indicted for Export Violations (July 9, 2009)

Chi Tong Kuok has been indicted for alleged conspiracy, money laundering, smuggling and attempting to export a defense article without a license. According to a government affidavit, Kuok told investigators that he was "acting at the direction of officials for the People's Republic of China" when he attempted to locate, purchase and send to China devices that would allow China to eavesdrop on US government and military communications. In one case, he was able to purchase a pair of restricted military radios and have them sent to an address in Macau. Most of the rest of his activity was monitored by US undercover agents who were tipped off to Kuok's intentions by someone Kuok had contacted in the defense industry. Last month, Kuok was arrested in Atlanta during a stopover on his flight from Paris to Panama.
-http://www.wired.com/threatlevel/2009/07/export/
-http://www.wired.com/images_blogs/threatlevel/2009/07/kuok_indictment.pdf

GOVERNMENT SYSTEMS AND HOMELAND SECURITY

South Korea Steps Up Pace of Establishing Financial Cyber Security Center (July 13, 2009)

South Korea has moved up the date for completion of a cyber security center for financial and economic institutions in the wake of recent cyber attacks on government, news, and financial websites. The new center's system will be linked to the country's National Cyber Security Center and will be designed to detect and defend against distributed denial-of-service (DDoS) attacks.
-http://www.koreaherald.co.kr/NEWKHSITE/data/html_dir/2009/07/13/200907130061.asp
[Editor's Note (Honan): The UK CPNI have developed an excellent model, the Warning Advice and Reporting Point www.warp.gov.uk, to build these type of community focused cyber security centres. In fact, I used the WARP model with the support of SANS to establish Ireland's first CERT team www.iriss.ie. ]

France Creates New Cyber Security Agency (July 9, 2009)

France has created a new national agency to help defend government and commercial networks from attacks. The French Networks and Information Security Agency (FNISA) - in French, Agence Nationale de la Securite des Systemes d'Information, or ANSSI - will conduct round-the-clock real-time monitoring of sensitive government networks and recommend best practices for government and commercial network operators. FNISA will also provide information about cyber threats and protecting computers to the general public and help develop trusted IT products for French companies and the government. FNISA replaces the Central Directorate for Information System Security and comprises wider responsibilities.
-http://www.pcworld.com/article/168135/france_creates_new_national_it_security_ag
ency.html
-http://www.ecommerce-journal.com/news/16770_france_launches_a_new_agency_to_stri
ke_cyber_attacks
-http://www.ssi.gouv.fr/IMG/pdf/ANSSI_PRESS_RELEASE.pdf

SOCIAL NETWORKING

Twitter Hit by Koobface (July 10, 2009)

Twitter is suspending accounts of members whose computers are infected with Koobface. The malware posts phony messages on users' Twitter accounts with links that lead to a site that attempts to infect other users' computers. Twitter users often use shortened links because of the character limit for each post. The shortened URLs can mask where the link actually leads.
-http://www.computerworld.com/s/article/9135399/Twitter_suspends_accounts_of_user
s_with_infected_computers?source=rss_security
-http://www.theregister.co.uk/2009/07/10/twitter_koobface_spread/
-http://www.scmagazineuk.com/Twitter-users-infected-by-Koobface-virus/article/139
833/
[Editor's Note (Pescatore): ISPs should do more of this type of thing, with some advanced notice. ISPs can easily see which of their subscribers are making DNS calls that indicate early stages of bot compromises and give warning. Then if they see signs of later stage malware, block. If your telephone started attacking other peoples telephones, the phone company would disconnect your line. ]

DATA BREACHES, LOSS & EXPOSURE

LexisNexis Warns of Data Security Breach (July 13, 2009)

LexisNexis has sent letters to more than 13,000 people, warning them that their personal information may have been accessed by a Florida man who is allegedly involved in a mafia racketeering conspiracy. Lee Klein may have used his access to LexisNexis Seisint databases to help others commit fraud. Klein allegedly supplied other people with information that could be exploited in a fraudulent check cashing operation; he also allegedly used his access to the database to find information on extortion or assault targets.
-http://www.computerworld.com/s/article/9135479/LexisNexis_warns_of_breach_after_
alleged_mafia_bust?source=rss_security

ATTACKS & ACTIVE EXPLOITS

Microsoft Warns of Zero-Day Flaw in Office Web Components ActiveX Control (July 13, 2009)

Just one day before its scheduled security release, Microsoft has issued an advisory warning of attacks that exploit an arbitrary code execution vulnerability in the Spreadsheet ActiveX control in Microsoft Office Web Components. Attackers could use the attack to gain user rights equal to those of the local user. The flaw affects numerous Microsoft products. The advisory includes instructions for setting the kill bit for the control in the registry. ISC (posted long before any of the others except Microsoft):
-http://isc.sans.org/diary.html?storyid=6778
-http://www.microsoft.com/technet/security/advisory/973472.mspx
-http://blogs.technet.com/msrc/archive/2009/07/13/microsoft-security-advisory-973
472-released.aspx
-http://www.eweek.com/c/a/Security/Microsoft-Warns-of-New-Attack-as-Patch-Tuesday
-Nears-854317/
-http://www.scmagazineus.com/Another-ActiveX-zero-day-bug-from-Microsoft/article/
139939/
-http://www.h-online.com/security/Microsoft-warns-of-vulnerability-in-Office-Web-
Component--/news/113752
-http://voices.washingtonpost.com/securityfix/2009/07/microsoft_newly_discovered_
ms.html
-http://www.computerworld.com/s/article/9135471/Microsoft_admits_new_ActiveX_zero
_day_bug?source=rss_security

Malware Responsible for DDoS Attacks Deletes Data on Host Computers (July 9 & 10, 2009)

The malware behind the distributed denial-of-service (DDoS) attacks that hit sites in South Korea and the US also includes instructions to delete data on the PCs it has infected starting on July 10, 2009, so the computers used in the attacks are at risk as well. The code is designed to copy files with about 30 different common extensions into encrypted files, then overwrite the originals. It will also modify Master Boot Records on infected machines. The attacks' sophistication increased over the several days it was targeting the sites. The malware is known as W32.Dozer.
-http://www.techweb.com/article/showArticle?articleID=218401559§ion=News
-http://voices.washingtonpost.com/securityfix/2009/07/pcs_used_in_korean_ddos_att
ack.html

No Hard Evidence Points to North Korea in DDoS Attacks (July 10 & 13, 2009)

South Korea was hit with a third wave of cyber attacks late last week, but the Korean Communications Commission has not listed North Korea among the possible origins of the attacks. The attacks appear to be coming through Germany, Austria, Georgia, the US and South Korea, although North Korea could conceivably be responsible. Despite any hard evidence linking North Korea to the attacks, US congressman Peter Hoekstra (R-Mich.) has called for the US to launch retaliatory cyber attacks against North Korea for the attacks, which also hit US targets earlier this month.
-http://www.securecomputing.net.au/News/149906,third-wave-of-attacks-hits-south-k
orea.aspx
-http://www.theregister.co.uk/2009/07/13/korean_ddos/
-http://www.computerworld.com/s/article/9135406/Analysis_Was_North_Korea_behind_t
he_DDOS_attack_?source=rss_security
[Editor's Note (Pescatore): A security firm in Vietnam (
-http://blog.bkis.com/?p=718)
is saying their analysis of the code shows the master command and control server is in the UK. Congressman? (Ranum): Unless Congressman Hoekstra has knowledge that no one else seems to have, his suggestion is ill-informed and irresponsible. ]

Security Control Metric Eases Consensus Process (February 26, 2009)

The process of reaching a consensus on information security documents can sometimes get mired in endless, trivial discussions. A group of experts trying to reach consensus on the Solaris Security document published by the Center for Internet Security turned to a technique described by Chris Calabrese. By assigning numeric values to factors relating to security controls and plugging them into a simple equation, the process became objective rather than subjective, and consensus was more easily achieved.
-http://righteousit.wordpress.com/2009/02/26/calabreses-razor/

---

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/