SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XI - Issue #8

January 30, 2009

Next Wednesday, February 4, is the last day to save $250 on most courses at SANS 2009 in Orlando in early March.
Speaking of money, the new security salary and certification survey results are in. Very surprising and encouraging results. Press people are getting it first, but we'll summarize the results for you by next Friday and post the whole survey.
Alan

---

TOP OF THE NEWS

DDoS Attack Devastates Kyrgyzstan's Connectivity
Lawsuit Filed Against Heartland Seeks Class Action Status
Repercussions of the Heartland Breach Acknowledgment
ICANN Working Group in Fast Flux Seeks Public Comment on Initial Report

THE REST OF THE WEEK'S NEWS

ARRESTS, CHARGES, CONVICTIONS & SENTENCES
Former Fannie Mae Contractor Indicted For Allegedly Planting Malware on System
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
VA Will Settle Data Security Breach Lawsuit for US $20 Million
Children's Database Presents Privacy and Security Concerns
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Eircom to Institute Three Strikes Anti-Piracy Policy
UPDATES AND PATCHES
Nokia Releases Fix for Curse of Silence Vulnerability
Critics Say IE 8's Anti Clickjacking Technology Does Not Offer Blanket Protection
ATTACKS & ACTIVE EXPLOITS
Digital Traffic Sign in Texas Hacked
STUDIES AND STATISTICS
McAfee Study Says Cyber Crime Could Cost Companies US $1 Trillion
MISCELLANEOUS
Educators See Secure Coding Training Challenges, Improvements

---

*********************** Sponsored By Palo Alto Networks *****************

Reduce Cost and Complexity of PCI Compliance with Network Segmentation. Join Forrester Research for a live webinar that will show you how organizations are using network segmentation with strict user and application control policies to significantly reduce the cost and complexity of PCI compliance, and protect customer data. Don't miss this. Register now to attend. https://www.sans.org/info/38109

*************************************************************************

TRAINING UPDATE

- - SANS 2009 in Orlando in early March - the largest security training conference and expo in the world. lots of evening sessions: http://www.sans.org/
- - SANS Security West Las Vegas (1/24-2/01) http://sans.org/securitywest09/
- - Looking for training in your own Community? http://sans.org/community/
For a list of all upcoming events, on-line and live: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

DDoS Attack Devastates Kyrgyzstan's Connectivity (January 28, 2009)

Ongoing distributed denial-of-service (DDoS) attacks against Kyrgyzstan's two largest Internet service providers (ISPs) have bumped most computers in the country offline. The attacks began on January 18, and are believed to be controlled by a Russian "cybermilitia." eMail in and out of a US air base has also been affected. The group behind the attacks appears to be the same one that orchestrated similar attacks against the Republic of Georgia last summer. The issue behind the attacks could be Russia's demand that Kyrgyzstan "oust" foreign air forces before it will lend the country US $300 million and invest an additional US $1.7 billion in energy. Some service has been restored in recent days.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxo
nomyName=security&articleId=9126947
-http://www.theregister.co.uk/2009/01/28/kyrgyzstan_knocked_offline/
[Editor's Note (Pescatore): that just means that Kyrgyzstan's largest ISPs were skimping on DDoS protection, which is like a water company skimping on water filtration.
(Schultz): The number of attacks of this nature (politically motivated denial of service attacks) is bound to grow substantially over time. Securing the Internet against denial of service attacks is a near impossibility, and punishing those who launch such attacks when the culprits are countries is infeasible.
(Northcutt): Estonia, Georgia, Kyrgyzstan. The Russian government claims they are not involved, that this is the work of a "cybermilitia". Some of the command and control IP addresses will be associated with the former Russian Business Network. Patriotic organized crime. What happens when and if this cybermilitia disagrees with Mother Russia? What happens if China fields a cybermilitia that is 1000 times larger? There are claims the Chinese triggered a power blackout in the USA. My guess is that we are allowing forces to be put in motion that those who would like to see the Internet as a lawful and ordered entity will regret within a year or two. Reminds me of the privateer concept. I hope that the USA can forge a different path.
-http://www.nationaljournal.com/njmagazine/cs_20080531_6948.php
-http://www.strategypage.com/htmw/htiw/articles/20080608.aspx]

Lawsuit Filed Against Heartland Seeks Class Action Status (January 28, 2009)

A lawsuit filed in US District Court in Trenton, NJ seeks damages and relief from Heartland Payment Systems regarding the data breach that was disclosed earlier this month. The lawsuit alleges that Heartland failed to notify affected customers of the breach promptly, that it did not take adequate measures to protect the data, and has not offered to compensate those affected by the breach for costs incurred by efforts to protect themselves from identity fraud. The lawsuit was filed by a Minnesota woman, and is seeking class action status.
-http://news.cnet.com/8301-1009_3-10151961-83.html
[Editor's Note (Hoelzer): There continues to be a failure to appreciate the difference between "compliance" and "security". It will be interesting to see how things play out since "compliance" can affect legal liability though it still doesn't fix the underlying "security" issues. This will also begin to shed some light on speed of notification which is still a fuzzy area in the PCI/DSS requirements. There's a discussion on Security Vs. Compliance at
-http://auditexperts.wordpress.com/2009/01/20/you-might-be-compliant-but-are-you-
secure/]

Repercussions of the Heartland Breach Acknowledgment (January 27 & 28, 2009)

Since Heartland Payment System's revelation last week of a data security breach of potentially massive proportions, financial institutions across the US have begun reissuing thousands of payment cards. Some of the institutions are also acknowledging instances of payment card fraud resulting from the Heartland breach. The breach also prompted the Washington Credit Union League to push legislation requiring data protection controls for all merchants and third parties that process payment card data. In a separate but related story, the sniffer that was used to steal the payment card account information was found on an unallocated portion of a server disk. It was well enough hidden that it eluded two teams of forensic investigators before being found through a string of temp files.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9126879&intsrc=hm_list
-http://www.storefrontbacktalk.com/securityfraud/heartland-sniffer-hid-in-unalloc
ated-portion-of-disk/
[Editor's Note (Hoelzer): One of the motivators for PCI/DSS was to prevent the need for governments to legislate security for the payment card industry. Failure to effectively verify compliance is potentially leading to a world where that happens anyway!
(Honan): The StoreFrontBackTalk article gives interesting details on how the breach occurred. It highlights that we cannot always rely on technology, such as AV or IPS/IDS signatures, to defend our systems and need to augment them with the mundane matters of reviewing log files for unusual traffic/activity and ensuring all staff are aware of the risks when clicking on attachments or links.]

ICANN Working Group in Fast Flux Seeks Public Comment on Initial Report (January 26 & 28, 2009)

The Internet Corporation for Assigned Names and Numbers (ICANN) Working Group on Fast Flux has released an initial report seeking public comment. The group is apparently in a bind about how to address the technology that is used by botmasters to thwart takedown attempts, but also by content distribution networks for tasks like load balancing and even by proponents of free speech to evade censorship in restrictive countries. The group is also divided about whether taking action on fast flux is even within its purview.
-http://icann.org/en/announcements/announcement-26jan09-en.htm
-http://gnso.icann.org/issues/fast-flux-hosting/fast-flux-initial-report-26jan09.
pdf
-http://www.theregister.co.uk/2009/01/28/icann_fast_flux_report/

---

THE REST OF THE WEEK'S NEWS

ARRESTS, CHARGES, CONVICTIONS & SENTENCES

Former Fannie Mae Contractor Indicted For Allegedly Planting Malware on System (January 29, 2009)

A Unix engineer formerly employed as a contractor at Fannie Mae has been indicted on a charge of computer intrusion for allegedly planting malware on the organization's computer system. The program lay dormant on the system and was set to activate on January 31, 2009; if it had been allowed to activate, it could have destroyed important files. Rajendrasinh Makwana was fired from his position on October 24, 2008. The malware was discovered less than a week after Makwana's departure; it was appended to another legitimate script that was set to run daily. Apparently even after he was fired, Makwana's access privileges were not revoked.
-http://www.eweek.com/c/a/Security/Fired-Engineer-at-Fannie-Mae-Accused-of-Planti
ng-Malware-Time-Bomb/
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9127040&source=rss_topic17

GOVERNMENT SYSTEMS AND HOMELAND SECURITY

VA Will Settle Data Security Breach Lawsuit for US $20 Million (January 27 & 28, 2009)

The US Department of Veterans Affairs (VA) will pay US $20 million to settle a lawsuit brought on behalf of 26.5 million individuals whose personal data were on a laptop and external storage device stolen in a May 2006 robbery. The computer and drive were recovered and investigators determined that the information had not been accessed. Nonetheless, the suit proceeded to collect damages for emotional distress and expenses incurred while affected individuals monitored their credit reports. The VA agreed to settle to avoid any further litigation. The settlement must be approved by a judge before it becomes final.
-http://www.cnn.com/2009/POLITICS/01/27/va.data.theft/
-http://www.msnbc.msn.com/id/28880494/
-http://fcw.com/articles/2009/01/28/va-settlement.aspx
[Editor's Note (Pescatore): Getting off for $20M is cheap compared to other incidents of large scale, but just think: they could have bought and installed laptop encryption on about 100,000 laptops for that amount. ]

Children's Database Presents Privacy and Security Concerns (January 27, 2009)

Privacy advocates and parents have expressed concern about the number of people who will have access to a new database that will hold personal details of all 11 million children under the age of 18 living in England. The data will include names, addresses, dates of birth, parent information, doctors' names and school information. The database will be accessible to nearly 400,000 local officials, charity workers, youth workers, career advisers and education and health professionals. If children have been in contact with social workers or youth workers, that information will be noted in their records.
-http://www.timesonline.co.uk/tol/news/uk/education/article5594645.ece
-http://news.bbc.co.uk/2/hi/uk_news/education/7850871.stm

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT

Eircom to Institute Three Strikes Anti-Piracy Policy (January 28 & 29, 2009)

Irish ISP Eircom has reached an agreement with major record labels to impose a "three strikes and you're out" policy to combat illegal filesharing. Eircom, with a 40 percent market share, is the largest ISP in Ireland. The record labels, Warner, Sony BMG, EMI and Universal, pursued their agenda through the Irish Recorded Music Association (IRMA). Customers will receive two warnings about file sharing; if they persist in the illegal activity, their Internet service will be terminated. Eircom will contact customers based on information gathered by the record labels. The record labels plan to work to implement similar agreements with other ISPs in Ireland.
-http://www.siliconrepublic.com/news/article/12181/new-media/big-four-music-label
s-and-eircom-in-landmark-piracy-settlement
-http://www.irishtimes.com/newspaper/frontpage/2009/0129/1232923373331.html

UPDATES AND PATCHES

Nokia Releases Fix for Curse of Silence Vulnerability (January 28 & 29, 2009)

Users of Nokia phones can now download a fix for the vulnerability known as the Curse of Silence that could be exploited to render the devices unable to receive SMS or MMS messages. Attackers could exploit the flaw by sending specially crafted messages which would prevent the phone from receiving future messages. Nokia phone owners whose devices are vulnerable to such an attack can download SMS Cleaner, an application that will remove any malformed messages.
-http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?a
rticleID=212903359&subSection=Vulnerabilities+and+threats
-http://www.heise-online.co.uk/security/Nokia-releases-Curse-of-Silence-SMS-cure-
-/news/112516
[Editor's Note (Pescatore): May be all be cursed by fewer text messages... ]

Critics Say IE 8's Anti Clickjacking Technology Does Not Offer Blanket Protection (January 28 & 29, 2009)

Although Microsoft claims that the latest version of its Internet Explorer, IE 8, will protect users from clickjacking attacks, critics maintain the technology will not be effective. Clickjacking involves tricking users into clicking on links without realizing that they are doing so; it can be used to make stock trades, change security software configurations or download malware onto users' computers. Microsoft's approach to the problem requires that website developers place special tags on the pages. If web developers do not use the tags, then users will not be protected.
-http://www.techworld.com/security/news/index.cfm?newsID=110108
-http://blog.wired.com/business/2009/01/why-ie8s-clickj.html

ATTACKS & ACTIVE EXPLOITS

Digital Traffic Sign in Texas Hacked (January 28 & 29, 2009)

A roadside traffic sign in Austin, Texas was hacked into so that it displayed a message warning passing motorists of zombies ahead. Police are investigating the incident, and if they are caught, the perpetrators could face misdemeanor road sign tampering charges. The vandals broke a lock on the sign and then managed to gain access to the computer that controls its readout because it was using a default password. They also changed the password, so city employees had to wait for the manufacturer to reset the password before the sign could be changed. A city spokesperson acknowledged that while "the sign's content was humorous, ... the act of changing it wasn't."
-http://www.dallasnews.com/sharedcontent/dws/news/localnews/transportation/storie
s/013009dnmetzombies.1595f453.html
-http://blogs.computerworld.com/default_passwords_on_road_signs_in_austin

STUDIES AND STATISTICS

McAfee Study Says Cyber Crime Could Cost Companies US $1 Trillion (January 29, 2009)

A study from McAfee suggests that data security breaches and other types of cyber crime could cost businesses around the world as much as US $1 trillion in lost intellectual property and the expense of repairing damage. Malware increased 400 percent in 2008, according to McAfee CEO David DeWalt. The study surveyed more than 800 chief information officers at companies in eight countries and found that 80 percent of malware detected aimed for financial gain. In addition, 42 percent of those responding believe that people who had lost their jobs with the company were the biggest threat to data security.
-http://www.eweek.com/c/a/Security/McAfee-Study-Says-Businesses-Risk-1-Trillion-i
n-Data-Security-Losses/
-http://news.cnet.com/8301-1009_3-10152246-83.html?tag=mncol

MISCELLANEOUS

Educators See Secure Coding Training Challenges, Improvements (January 27, 2009)

The article illuminates Purdue's secure coding courses and their creator, Pascal Meunier, and shows how rare such programs are in US colleges.
-http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1346086,00.h
tml

---

**********************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Ron Dick headed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.


Alan Paller is director of research at the SANS Institute


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/