SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XI - Issue #6
January 23, 2009
President Obama posted his agenda for protecting networks; see the first story. And the last item has another very interesting email about the security job market and prospects.
And for the best and brightest pen testers (and others who might need to know how to build effective attack software) a new training program has received off-the-chart high ratings. It teaches how to write exploits that go far beyond what the automated pen testing tools can do. It is our first 700 level course, Security 709, Developing Exploits for Penetration Testers and Security Researchers. It was a huge hit in DC and London and will be given in Orlando in early March along with the two highest rated pen testing courses (http://www.sans.org/sans2009/)
Alan
TOP OF THE NEWS
White House Information Network Security Agenda
Millions Infected by Sophisticated Worm Conficker
THE REST OF THE WEEK'S NEWS
LEGAL ISSUES
US Supreme Court Will Not Hear DoJ's COPA Appeal
McKinnon Extradition Decision Delayed (Again)
VULNERABILITIES & MALWARE
Pirated Copies of iWork 09 Contain Trojan
US-CERT Warns of Inadequate Instructions for Disabling AutoRun
UPDATES AND PATCHES
Apple Issues Patches for QuickTime Vulnerabilities in Mac OS X and Windows
DATA BREACHES, LOSS & EXPOSURE
Heartland Data Security Breach
ATTACKS
Keylogging Software Used in Attempt to Steal GBP 229 Million from Bank
MISCELLANEOUS
Invited Article: New Security Standards Adopted by Massachusetts
Another Interesting Email on The Job Market
******************* Sponsored By Palo Alto Networks *********************
Reduce Cost and Complexity of PCI Compliance with Network Segmentation. Join Forrester Research for a live webinar that will show you how organizations are using network segmentation with strict user and application control policies to significantly reduce the cost and complexity of PCI compliance, and protect customer data. Don't miss this. Register now to attend. https://www.sans.org/info/37524
*************************************************************************
TRAINING UPDATE
- - SANS 2009 in Orlando in early March - the largest security training conference and expo in the world. Lots of evening sessions: http://www.sans.org/
- - SANS Security West Las Vegas (1/24-2/01) http://sans.org/securitywest09/
- - Looking for training in your own Community? http://sans.org/community/
For a list of all upcoming events, on-line and live: www.sans.org
*************************************************************************
TOP OF THE NEWS
White House Posts Network Security Agenda (January 22, 2009)
In its recently posted Homeland Security Agenda, the Obama administration has outlined its six major information network protection goals: strengthen federal leadership on cyber security; initiate a safe computing R&D effort and harden our nation's cyber infrastructure; protect the IT infrastructure that keeps America's economy safe; prevent corporate cyber espionage; develop a cyber crime strategy to minimize the opportunities for criminal profit; and mandate standards for securing personal data and require companies to disclose personal information data breaches. Notable under the first item is that the administration plans to "establish the position of national cyber advisor who will report directly to the president and will be responsible for coordinating federal agency efforts and development of national cyber security policy."
-http://www.whitehouse.gov/agenda/homeland_security/
-http://www.scmagazineus.com/President-Obamas-cybersecurity-plan-released/article/126252/
-http://voices.washingtonpost.com/securityfix/2009/01/obama_administration_outlines.html?wprss=securityfix
-http://news.cnet.com/8301-1009_3-10148263-83.html?part=rss&subj=news&tag=2547-1009_3-0-20
[Editor's Note (Northcutt): The first link is worth reading. I think I will make a copy of this and see how we are doing in a year; those are some hefty goals. In the meantime, if we can just figure out how to disable AutoRun, that would be a start. I will say this: a national cyber advisor reporting to the President is a really good idea and should have been done long ago.
(Paller) I noted especially the words in the agenda item: Protect the IT Infrastructure That Keeps America's Economy Safe. The president said he would "Work with the private sector to establish tough new standards for cyber security and physical resilience." Perhaps we are going to take security seriously - with the first step being to change federal IT procurement and grant language. ]
Millions Infected by Sophisticated Worm Conficker (January 21, 2009)
The Conficker worm, also known as Downadup, is still troubling computer systems around the globe. The malware crashed the computer system at New Zealand's Ministry of Health; the computers are running again, but staff members are not permitted to access the Internet. IT staff at five hospitals in Sheffield, UK are still in the process of cleaning the worm from more than 800 of the hospitals' 7,000 PCs, three weeks after they became infected. The Sheffield hospital computers became infected after managers turned off Windows update late last year.
Internet Storm Center: Six Diaries:
-http://isc2.sans.org/diary.html?storyid=5704
-http://isc2.sans.org/diary.html?storyid=5671
-http://isc.sans.org/diary.html?storyid=5653
-http://isc.sans.org/diary.html?storyid=5596
-http://isc2.sans.org/diary.html?storyid=5695
-http://isc2.sans.org/diary.html?storyid=5701
-http://www.smh.com.au/news/technology/security/worm-hits-nz-government-computers/2009/01/21/1232471359300.html
-http://www.theregister.co.uk/2009/01/20/sheffield_conficker/
-http://www.silicon.com/publicsector/0,3800010403,39381565,00.htm
[Editor's Note (Honan): Apparently management turned off automatic update to prevent the repetition of an incident whereby PCs in an operating theatre rebooted during surgery. What is worrying is why were PCs located in such a critical area allowed to have access to the Internet or indeed the main hospital network in the first place? ]
************************ SPONSORED LINKS ******************************
1) Take part in the SANS 5th Annual Log Management Survey: A Leading Source for Actionable Data on Key Issues and Trends. http://www.sans.org/info/37529
2) Visit the SANS Vendor Demo resource page to see the latest INFOSEC products & solutions in action! http://www.sans.org/info/37534
*************************************************************************
THE REST OF THE WEEK'S NEWS
LEGAL ISSUES
US Supreme Court Will Not Hear DoJ's COPA Appeal (January 21 & 22, 2009)
The US Supreme Court will not hear an appeal from the US Department of Justice to reinstate the Child Online Protection Act (COPA). The law has been criticized as overreaching and vague from the time it was introduced; COPA was signed into law in 1998 and was immediately enjoined by a federal judge in Philadelphia. It would have required private companies to ensure that any content they create or distribute that is deemed harmful to minors was not available to people under the age of 17 or face civil and criminal penalties. This was the third time the Supreme Court has been asked to determine COPA's constitutionality.
-http://www.cnn.com/2009/TECH/01/21/supreme.court.reject/index.html?eref=rss_tech
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9126479&source=rss_topic17
-http://www.nytimes.com/2009/01/22/washington/22scotus.html?scp=1&sq=child%20online%20protection%20act&st=cse
-http://www.washingtonpost.com/wp-dyn/content/article/2009/01/21/AR2009012101330.html?sub=AR
-http://news.cnet.com/8301-13578_3-10147171-38.html
[Editor's Note (Ranum): It's funny to hear moralizing from Washington about Yahoo! and Google giving in to pressure from other countries, when the US' own Department of Justice is trying to enforce global bans on bare breasts and buttocks because of its own fundamentalist right-wing leadership. Laws like COPA had none of the desired "cooling effect" on the Internet, and cost the taxpayers tens of millions of dollars to defend and defeat. We need less government on the internet, not more.
(Paller) Marcus may or may not be correct about COPA but I completely disagree with his idea that less government on the Internet is what we need. The only place where cybercrime can be actively fought in real time is "on the wire." Companies that provide those wires have spent a fortune on "government affairs employees" in Washington with special access to government officials who protected them from taking their rightful responsibility. I am hopeful that the pendulum is starting to swing toward more balance between the power of companies and the needs of the country.
(Ranum Counterpoint) Calling for more government intervention makes sense if there is any indication that government intervention is likely to work and be cost-effective. Obviously, "past results do not predict future performance" but I don't think there's evidence that we'll get anything except more expensive boondoggles. The only way that cybercrime has, historically, been fought effectively, is by individual organizations and private citizens defending their own interests. Blaming the companies that "provide the wires" for holding cybersecurity back is similar to the argument that the tobacco industry should bear 100% of the responsibility for people's choosing to smoke; the truth is somewhere in between. But, like with smoking, the best way to protect oneself is to defend one's own interests and not look to a government that has proven time and again that it is incompetent at cybersecurity. ]
McKinnon Extradition Decision Delayed (Again) (January 20, 2009)
Gary McKinnon's lawyer said a decision on whether or not to extradite the man who has admitted to breaking into US government computer systems is on hold for the next several weeks. Last month, McKinnon sent a letter to the director of public prosecutions (DPP), saying he was willing to be tried at home for offenses under the UK's Computer Misuse Act (CMA) to avoid extradition to the US. The question of McKinnon's extradition will not be made until the DPP has made a decision. McKinnon and his legal team would also like a judicial review of an October decision from the home secretary rejecting his appeal against extradition on the grounds that he has been diagnosed with Asperger's Syndrome.
-http://news.cnet.com/8301-1009_3-10145722-83.html?part=rss&subj=news&tag=2547-1009_3-0-20
-http://www.theregister.co.uk/2009/01/20/mckinnon_extradition_on_hold/
-http://news.bbc.co.uk/2/hi/uk_news/7839591.stm
VULNERABILITIES & MALWARE
Pirated Copies of iWork 09 Contain Trojan (January 22, 2009)
Illegal copies of Apple's iWork 09 have been appearing on filesharing websites. The pirated software is believed to contain a Trojan horse program known as iServices.A. The Trojan has root access to infected computers. Once in place, it connects to a remote server and downloads additional software that makes the infected computer part of a botnet. The Trojan has already been inadvertently downloaded by an estimated 20,000 users.
Internet Storm Center:
-http://isc2.sans.org/diary.html?storyid=5734
-http://www.heise-online.co.uk/security/Copies-of-iWork-09-from-BitTorrent-may-contain-trojan--/news/112470
-http://www.theregister.co.uk/2009/01/22/mac_trojan_attack/
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9126609&source=rss_topic17
-http://voices.washingtonpost.com/securityfix/2009/01/pirated_iwork_software_infects.html?wprss=securityfix
[Editor's Note (Skoudis): This is an interesting one. It shows another example of the bad guys' targeting Macs, this time with malware that is more than a toy or proof of concept, a trend that will likely increase as Apple gains more market share. But, even more interesting, it sends a chill across would-be downloaders of the pirated software, something in Apple's interest. ]
US-CERT Warns of Inadequate Instructions for Disabling AutoRun (January 21, 2009)
The US Computer Emergency Readiness Team (US-CERT) has issued a warning about advice from Microsoft about protecting PCs from the Downadup worm. The method for disabling AutoRun/AutoPlay in Microsoft's Windows operating systems does not completely disable those functions, leaving PCs vulnerable to attack. US-CERT recommends modifications to the Windows registry that will be effective in disabling the AutoRun capabilities.
Internet Storm Center:
-http://isc2.sans.org/diary.html?storyid=5695
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9126478&intsrc=hm_list
-http://www.heise-online.co.uk/security/Microsoft-s-instructions-for-disabling-AutoRun-don-t-work--/news/112469
-http://www.us-cert.gov/cas/techalerts/TA09-020A.html
[Editor's Note (Skoudis): This is really a bummer, but it does illustrate that we're going to be busy in the information security business for a long time. Even our defensive mechanisms have flaws that are regularly discovered. Make sure you implement this fix, and do so quickly. ]
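As an added example (not from the newsletter, Microsoft or US-CERT), the following PowerShell audit reads the two Windows registry settings that TA09-020A, linked above, covers: Microsoft's NoDriveTypeAutoRun policy value and the Autorun.inf IniFileMapping entry US-CERT recommends so that Autorun.inf is never parsed. It assumes Windows with PowerShell 3.0 or later, run from an elevated prompt; the -Remediate switch is this script's own, not something from the advisory.

```powershell
# Added example: audit (and optionally apply) the AutoRun hardening from US-CERT TA09-020A.
# Assumes PowerShell 3.0+ on Windows, run elevated so HKLM can be read and, with -Remediate, written.
[CmdletBinding()]
param(
    # Assumed switch: apply the Autorun.inf mapping instead of only reporting on it.
    [switch]$Remediate
)

# Policy value documented by Microsoft; 0xFF disables AutoRun for every drive type.
$PolicyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$PolicyName = 'NoDriveTypeAutoRun'

# Key US-CERT recommends: mapping Autorun.inf to a non-existent section stops Explorer parsing it.
$MappingKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
$MappingValue = '@SYS:DoesNotExist'

function Get-RegistryValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of throwing.
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null
    }
}

function Test-AutoRunDisabled {
    $noDrive = Get-RegistryValue -Path $PolicyKey -Name $PolicyName
    # '(default)' is how PowerShell exposes a key's unnamed default value.
    $mapping = Get-RegistryValue -Path $MappingKey -Name '(default)'

    $policyText = 'not set'
    $policyOk   = $false
    if ($null -ne $noDrive) {
        $policyText = '0x{0:X2}' -f [int]$noDrive
        # All eight drive-type bits must be set for the policy alone to cover every drive.
        $policyOk   = (([int]$noDrive -band 0xFF) -eq 0xFF)
    }

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        NoDriveTypeAutoRun = $policyText
        PolicyDisablesAll  = $policyOk
        AutorunInfMapped   = ($mapping -eq $MappingValue)
    }
}

$report = Test-AutoRunDisabled
$report | Format-List

if ($report.PolicyDisablesAll -and $report.AutorunInfMapped) {
    Write-Host 'AutoRun policy is fully set and Autorun.inf parsing is blocked.'
} else {
    Write-Warning 'AutoRun is not fully disabled on this host.'
    if ($Remediate -and -not $report.AutorunInfMapped) {
        # Create the key if missing and set its default value to the US-CERT recommended mapping.
        New-Item -Path $MappingKey -Force | Out-Null
        Set-ItemProperty -Path $MappingKey -Name '(default)' -Value $MappingValue
        Write-Host "Applied Autorun.inf mapping under $MappingKey; log off or restart for it to take effect."
    }
}
```

Run it across a fleet (for example via a remote session or a logon script that writes the object to a share) to find hosts that applied only the policy value and still parse Autorun.inf.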
UPDATES AND PATCHES
Apple Issues Patches for QuickTime Vulnerabilities in Mac OS X and Windows (January 22, 2009)
Apple has released a pair of patches to address security flaws in the QuickTime media player for both Mac OS X and Windows. The first patch fixes seven remote code execution vulnerabilities in the way the player handles user input. The second patch addresses one flaw in the MPEG-2 component of QuickTime for Windows. All of the vulnerabilities addressed in the patches fall under the heading of improper input validation, one of the most pernicious of the recently released list of the 25 Most Dangerous Programming Errors.
Internet Storm Center:
-http://isc2.sans.org/diary.html?storyid=5725
-http://www.securityfocus.com/brief/890
DATA BREACHES, LOSS & EXPOSURE
Heartland Data Security Breach (January 20, 2009)
Princeton, NJ-based Heartland Payment Systems has acknowledged a data security breach that may affect tens of millions of payment card accounts. The breach apparently occurred in 2008, and Heartland says the only data affected by that breach were the names and/or number associated with payment cards; no merchant data, Social Security numbers (SSNs), addresses or phone numbers were compromised. Heartland discovered the breach after MasterCard and Visa contacted the company regarding suspicious activity associated with certain accounts. Investigators found malware lurking on Heartland's network. Heartland's system processes 100 million transactions a month.
-http://www.msnbc.msn.com/id/28758856/
-http://www.theregister.co.uk/2009/01/20/heartland_payment_breach/
-http://news.cnet.com/8301-1009_3-10146275-83.html?part=rss&subj=news&tag=2547-1009_3-0-20
-http://www.heise-online.co.uk/security/Over-100-million-credit-debit-cards-compromised--/news/112452
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9126345&source=rss_topic17
-http://zerodaythreat.com/?p=289
-http://www.2008breach.com/ (this one was set up by Heartland)
[Editor's Note (Ullrich): The interesting twist here: A lot of transactions processed by Heartland are "offline" swiped card transactions in retail stores and restaurants. Just pushes home the fact that even if you do not use your card number online, it will still end up stolen via network exploits.]
ATTACKS
Keylogging Software Used in Attempt to Steal GBP 229 Million from Bank (January 22, 2009)
A UK court heard details of an alleged attempted bank heist involving surreptitiously installed computer software, people from several countries and a poker game used as a cover. A number of individuals attempted to steal GBP 229 million (US $318.1 million) from Sumitomo Mitsui Banking Corporation in the fall of 2004. A security supervisor at the bank allegedly allowed two Belgian men into the bank's London offices where they allegedly placed spyware on computers that allowed them to steal account access information. The guard and the men who installed the software have admitted their roles in the scheme, which was thwarted when the electronic funds transfer forms were completed incorrectly. Several other people involved in establishing the accounts to receive the stolen funds have been implicated in the scheme, but deny the charges against them. Bank employees became suspicious when they returned to work one weekend after attempts had been made to transfer the money - it was obvious that their computers had been tampered with.
-http://www.timesonline.co.uk/tol/news/uk/crime/article5563001.ece
-http://www.telegraph.co.uk/news/uknews/4307731/Lord-masterminded-plot-to-steal-229-million-by-hacking-into-City-bank-computers.html
-http://www.networkworld.com/news/2009/012209-clerical-error-foiled-sumitomo-bank.html
MISCELLANEOUS
Invited Article: New Security Standards Adopted by Massachusetts
By: Janine Hiller, Professor of Business Law, Virginia Tech.
Massachusetts security regulations adopted in 2008 are so controversial that the deadline for compliance has already been extended, and comments about possible amendments will be heard January 16th, 2009. The requirements, intended to prevent identity theft, incorporate a good deal of the standard FTC security provisions: a comprehensive security program, identification of internal and external risks, employee security policies, and the like. Furthermore, the regulations list specific security actions that must be implemented. Several highly debated provisions include mandatory encryption of personal information of Massachusetts residents held in a laptop or portable device, contractually requiring third party service providers to comply with security protections, and a written certificate of compliance from those providers. The January 1, 2009 deadline was extended to May 1, 2009 for contractual compliance and general provisions of the regulation, and January 1, 2010 for encryption and certification. These seem to be the most specific and strongest security regulations to date. The importance of one state's specific security requirements for the protection of residents' personal information cannot be overemphasized; as the Data Breach Notification laws showed, one state's laws can affect other residents, and can spur action by other states.
Standards are found here:
-http://www.mass.gov/?pageID=ocaterminal&L=3&L0=Home&L1=Consumer&L2=Identity+Theft&sid=Eoca&b=terminalcontent&f=idtheft_201cmr17&csid=Eoca
See the Massachusetts Office of Consumer Affairs and Business Regulation for further information.
Another Interesting Email on The Job Market
(used with permission)
From: Kevin Hemsley
Sent: Tuesday, January 20, 2009 7:05 PM
Subject: Re: FINANCIAL ASSISTANCE FOR DISPLACED SECURITY PROFESSIONALS
I too have found myself unemployed due to a recent lay off. I have been working very hard to bring my certifications current, and to obtain new certifications. In the process, I have been burning my reserve cash and find myself wishing for two more certifications with diminishing funds. I was very fortunate to be accepted in the SANS work study program and will be serving as the class facilitator in Las Vegas for the SANS +S Training Program for the CISSP Certification Exam. In addition to completing my CISSP, I very much desire to pursue the GCIH and GPEN certifications.
I recently missed an employment opportunity because I didn't have these certifications that another candidate had. I was told that if I would have had the certifications, I would have been their number one pick. As it stood, I was number two out of 21 and number 1 got the job. The training that I am trying to find a way to get is:
SEC504: Hacker Techniques, Exploits & Incident Handling
SEC560: Network Penetration and Ethical Hacking
As you know, there is still a lot of demand for security professionals. However, there is also an increasing number of applicants for these positions.
Competition is getting stronger, and experience and good certifications are key in today's world. I think what you are doing to help SANS alumni is very commendable. If you should have any available seats, I would be very grateful for the help. Thank you, Kevin Hemsley
**********************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Ron Dick headed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.
Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/