SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XI - Issue #9
February 03, 2009
Tomorrow, Feb 4, is the last day to save $250 on SANS' 38 courses in
Orlando starting March 1 or 2. http://www.sans.org/sans2009
TOP OF THE NEWS
Bank Secrecy Act Data Needs More Protection, Says GAO
USAJobs Data Stolen in Monster.com Breach
DoJ Employee Security Test Fools Thrift Investment Board
THE REST OF THE WEEK'S NEWS
LEGAL ISSUES
Former Microsoft Employee Says Suit Filed Against Him is Retaliatory
ARRESTS, CHARGES, CONVICTIONS & SENTENCES
Former Fannie Mae Contractor Pleads Not Guilty to Planting Malware on System
Guilty Plea in Swatting Case
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
LANL Officials Say Stolen Computers and Missing Blackberry Don't Contain Sensitive Data
UPDATES AND PATCHES
Novell GroupWise Security Updates
ATTACKS & ACTIVE EXPLOITS
Techwatch Hit With DDoS Extortion Attack
MISCELLANEOUS
Melbourne Data Center Power Failure
London Hospitals' Worm Infection "Entirely Avoidable"
*************************** Sponsored By CA *****************************
Web-Based Security for Business Enablement
While "secure" and "Web" were once incompatible notions, they are now co-elements that support dynamic Web-based commerce. Technologies such as Web access management, single sign-on, identity management, federation, and strong authentication - when leveraged together - represent a more efficient way to conduct IT-enabled business. This IDC whitepaper explores how competitive advantage can be effectively realized through secure Web business enablement technologies. Learn more... http://www.sans.org/info/38228
*************************************************************************
TRAINING UPDATE
- - SANS 2009 in Orlando in early March - the largest security training conference and expo in the world. Lots of evening sessions: http://www.sans.org/
- - SANS Security West Las Vegas (1/24-2/01) http://sans.org/securitywest09/
- - Looking for training in your own Community? http://sans.org/community/
For a list of all upcoming events, on-line and live: www.sans.org
*************************************************************************
TOP OF THE NEWS
Bank Secrecy Act Data Needs More Protection, Says GAO (February 2, 2009)
According to a report from the Government Accountability Office (GAO), the US Treasury Department's Financial Crimes Enforcement Network (FinCEN) needs to strengthen the security of the financial data it retains and shares with other agencies and other governments. FinCEN uses its own computer network as well as those of the Internal Revenue Service (IRS) and the Treasury Communications System (TCS) to administer the Bank Secrecy Act (BSA). While security on all the systems has been addressed to some degree, "the organizations ... inconsistently applied or not fully implemented controls to prevent, limit, or detect unauthorized access to" the systems and the information they hold. The BSA requires that banks keep records and report financial activity to monitor suspicious transactions.
-http://www.gao.gov/new.items/d09195.pdf
-http://gcn.com/Articles/2009/02/02/FinCEN-020209.aspx
[Editor's Note (Weatherford): Unfortunately, the "inconsistently applied or not fully implemented controls" finding is probably more common than not...in both the public AND private sector. It's not that the security and IT people don't know it's important but more of a lack of executive commitment, therefore not enough funding and personnel resources. As Prof Gene Spafford says, "Information security has transformed from simply 'preventing bad things from happening' into a fundamental business component..." A lot of people still haven't internalized that fact. ]
USAJobs Data Stolen in Monster.com Breach (January 31 & February 2, 2009)
The USAJobs program director has acknowledged that the Monster.com database breach disclosed in January involved some data from the government jobs website. The compromised data include user IDs, passwords and names, but resumes, Social Security numbers (SSNs) and financial information were not affected. USAJobs is powered by Monster.com. USAJobs has posted a warning that the stolen email addresses could be used in a phishing attack. This story was first reported by the Internet Storm Center.
-http://isc.sans.org/diary.html?storyid=5737
-http://fcw.com/Articles/2009/02/02/Government-jobs-site-is-hacked.aspx
-http://www.washingtonpost.com/wp-dyn/content/article/2009/01/30/AR2009013003716.html?sub=AR
-http://www.usajobs.gov/securityNotice.asp
DoJ Employee Security Test Fools Thrift Investment Board (January 30, 2009)
The Justice Department tested its employees' susceptibility to phishing attacks with an email that appeared to come from the Thrift Savings Plan, but neglected to inform the Federal Retirement Thrift Investment Board. The phony phishing message told recipients that they could recoup losses if the value of their Thrift Savings Plan had fallen more than 30 percent. They were given a January 31 deadline to provide personal information to participate in the non-existent program. The TSP board learned of the test on January 28, nearly two weeks after the message was sent out; by that time, it had already put anti-fraud efforts into place.
-http://www.google.com/hostednews/ap/article/ALeqM5iOgj0IuXeQR5XWjevDZu4qS-tWOQD9613O6O0
-http://www.govexec.com/story_page.cfm?articleid=41938&dcn=todaysnews
[Editor's Note (Ranum): This sort of test generally serves only to embarrass people and hasn't been shown to have any useful long-term effect. When I see someone trying this kind of stuff, I think it's just a case of some auditor or pen-tester trying to prove their worth by having something about which they can scream "GOTCHA!"
(Paller): Actually there is hard data showing that this type of security awareness testing is effective; security awareness programs that do not include such testing should be looked at as not particularly useful. Justice gets kudos and should keep it up - maybe with the addition of using a fictional organization rather than a real organization as the phishing target. ]
THE REST OF THE WEEK'S NEWS
LEGAL ISSUES
Former Microsoft Employee Says Suit Filed Against Him is Retaliatory (February 1 & 2, 2009)
A former Microsoft employee being sued by the company says that the lawsuit is retaliation for a patent infringement lawsuit he brought against Microsoft. Microsoft's suit alleges that Miki Mullor took a job at the company to gather information that would help his lawsuit. When Mullor applied for the position at Microsoft, he said that his company, Ancora, was no longer in business even though it still was and he was its CEO. Mullor allegedly downloaded documents that were not related to his job, but were related to the content of his patent infringement case against the software giant. Mullor filed his suit in June 2008 against Dell, Toshiba and Hewlett-Packard, because their products use the technology the ownership of which is in dispute; Microsoft became a party to the case at a later date. Mullor was fired from Microsoft in September 2008.
-http://computerworld.co.nz/news.nsf/scrt/F0AD9FDB6A3C0BFBCC25755000761087?opendocument&utm_source=security&utm_medium=email&utm_campaign=security
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9127138&intsrc=hm_list
-http://seattlepi.nwsource.com/business/398089_msftsuit30.html
ARRESTS, CHARGES, CONVICTIONS & SENTENCES
Former Fannie Mae Contractor Pleads Not Guilty to Planting Malware on System (February 1 & 2, 2009)
The former Fannie Mae contract employee who has been accused of planting malware on the organization's computer system has entered a plea of not guilty. Rajendrasinh B. Makwana was fired from his position on October 24, 2008. Less than two hours later, he allegedly placed a malicious script on the system that would have disabled monitoring alerts and logins, deleted the root passwords to 4,000 servers, erased data and backup data, and more, if the rogue program had not been found by another employee just days later. The malware had been programmed to deploy on January 31, 2009. If he is convicted, Makwana faces 10 years in prison. An Indian national, he is free on bond and has surrendered his passport.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9127157&intsrc=hm_list
-http://news.cnet.com/Ex-Fannie-Mae-programmer-says-not-guilty-of-virus/2100-7348_3-6248856.html?tag=txt.alert.hed
[Editor's Note (Weatherford): How many times do we have to see these kinds of incidents before Information Security Officers begin to DEMAND that HR engages the IT staff to immediately de-provision departing employees, especially fired and disgruntled employees? ]
Guilty Plea in Swatting Case (January 29 & 30 & February 2, 2009)
An 18-year-old Massachusetts man has pleaded guilty to felony charges of conspiracy to retaliate against a witness, victim or informant, and conspiracy to commit access device fraud and unauthorized access of a protected computer, for his role in a swatting conspiracy. Swatting involves making phony emergency calls under spoofed phone numbers. Matthew Weigman also hacked into a phone line designated for Sprint supervisors to eavesdrop on customer support calls and steal credit card information. He faces up to 13 years in prison.
-http://dallas.fbi.gov/dojpressrel/pressrel09/dl012909.htm
-http://blog.wired.com/27bstroke6/2009/01/guilty-plea-bli.html
-http://www.theregister.co.uk/2009/02/02/phone_phreaker_plea/
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
LANL Officials Say Stolen Computers and Missing Blackberry Don't Contain Sensitive Data (January 31, 2009)
Officials at the Los Alamos National Laboratory said that three computers stolen from an employee's home in Santa Fe, NM and a Blackberry lost in a "sensitive foreign country" do not constitute a security breach. The scientist from whose home the computers were taken had permission to have the machines at his home; computers that are permitted to be taken offsite do not contain sensitive information. The Blackberry has been described as "a souped up cell phone" and reportedly contained no sensitive information.
-http://www.google.com/hostednews/ap/article/ALeqM5iw9rxVWN8Zl9moifdK6wxzy91eAQD961J2B83
[Editor's Note (Schmidt): How in the world can they say the computers contain no sensitive information? About the only computers I know that have no sensitive information on them are those with nothing but the OS that have never been used. If they were authorized to be taken home for work purposes, there had to be something on there, including log on credentials. It is amazing how people can call a BlackBerry a "souped up cell phone." No mention if data was encrypted, or even password protected.
(Honan): Email is probably the largest repository of sensitive information in an organisation and most laptops, Blackberrys or PDAs will have an email client and subset of that repository on them. So whenever you hear that a stolen mobile device such as a Blackberry or laptop does "not contain sensitive information", take it with a large grain of salt. ]
UPDATES AND PATCHES
Novell GroupWise Security Updates (January 30 & February 2, 2009)
Novell has issued security updates to address several vulnerabilities in GroupWise WebAccess. A critical buffer overflow flaw could be exploited to allow code injection and execution. The updates also fix cross-site scripting, cross-site request forgery and script insertion vulnerabilities. Some of the flaws could be exploited to steal information from vulnerable users by getting them to view a specially crafted email.
-http://www.heise-online.co.uk/security/Security-Updates-for-Novell-GroupWise--/news/112542
-http://www.scmagazineuk.com/Email-vulnerabilities-on-Novell-GroupWise-WebAccess-detected/article/126602/
-http://news.zdnet.co.uk/security/0,1000000189,39607304,00.htm
-http://www.theregister.co.uk/2009/01/30/novell_groupwise_vulns/
ATTACKS & ACTIVE EXPLOITS
Techwatch Hit With DDoS Extortion Attack (January 30, 2009)
On January 27, Techwatch was hit with a distributed denial-of-service (DDoS) attack that increased in intensity from 446Mbps to 2Gbps over the course of two days. The digital television news website was back online on January 29, after deploying advanced traffic filters. The attack was launched as an extortion attempt. The Overclockers.uk website was also recently the target of a DDoS attack; it is offering a GBP 10,000 (US $14,218) reward for information leading to the arrest and conviction of those responsible for that attack.
-http://www.theregister.co.uk/2009/01/30/techwatch_ddos/
[Editor's Note (Schultz): The size of the offered award in this case is not likely to be much motivation for cooperation. ]
MISCELLANEOUS
Melbourne Data Center Power Failure (February 2, 2009)
A Primus data center in Melbourne, Australia suffered a major power failure that included the failure of an emergency diesel backup generator. The outage left many Internet and VoIP customers without service for several hours on Sunday, February 1. The managing director of Internode, an Australian Internet service provider (ISP) affected by the crash, said that his company would work with Primus to ensure that such a failure does not recur.
-http://www.pcworld.idg.com.au/article/275063/major_melbourne_datacentre_suffers_complete_power_failure
-http://www.news.com.au/heraldsun/story/0,21985,24996784-2862,00.html
London Hospitals' Worm Infection "Entirely Avoidable" (February 2, 2009)
A review of the worm infection that affected three London hospitals last November found that the incident was "entirely avoidable." The Mytob worm infected 4,700 PCs at St. Bartholomew's, the Royal London Hospital in Whitechapel and The London Chest Hospital; as a result, some ambulances were rerouted and some recordkeeping had to be done with pen and paper. While administrative systems were running again within three days, it took two additional weeks to scan all the machines to ensure they were clear of infection. The review determined that the initial infection resulted from misconfigured anti-virus software and spread so widely due to a decision by administrators to disable security updates because they had caused some computers to reboot while surgery was underway.
-http://www.theregister.co.uk/2009/02/02/nhs_worm_infection_aftermath/
[Editor's Note (Weatherford): Sometimes you read these things and just have to laugh. This article states that, "Mytob, which also goes under the name MyDoom, was introduced "accidentally" into the network with "no malicious intent,"..." Oh really? The intent may not have been malicious, but the results are the same and it's called "system unavailability!" Interesting also that while this specific Mytob incident occurred last November, additional hospitals were infected with Conficker just last month after guess what - "managers turned off Windows security updates for all 8,000 PCs on the vital network."
-http://www.theregister.co.uk/2009/01/20/sheffield_conficker/
(Schmidt): First time I have seen turning off anti-virus and security updates classified as a "mis-configuration". I can only wonder (and fear) what networked computers are used for during surgery. I think I would worry more about what could be modified on a computer used in surgery than I would worry about it rebooting.
(Ranum): This is a fantastic and important illustration of the failure of "penetrate and patch" security models. If you need to keep your systems up, you can't rely on a security paradigm based on "patch, reboot, patch again" -- anyone who really understands production systems knows that you simply cannot have them undergo uncontrolled restarts. I'm amazed that not configuring machines so that they might reboot during surgery is described as "misconfigured." There is a deeper problem here: the security model is poorly chosen. ]
**********************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Ron Dick headed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.
Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/