
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XII - Issue #10

February 05, 2010

TOP OF THE NEWS

NSA to Help Google Analyze Attack, Improve Security
Director of National Intelligence Warns of Security Threats
Australian ISP Not Liable for Customers' Illegal Downloading

THE REST OF THE WEEK'S NEWS

US Legislators Pass Cyber Security R&D Bill
Hackers Try to Steal Carbon Credits
IE Flaw Allows File Access
Google to Drop IE 6 Support
Ceridian Corp. Data Breach
VoIP Hacker Pleads Guilty
Study: Banking Passwords Often Used for Other Sites


********************** Sponsored By zScaler *****************************

WEBCAST - Google was victimized by hackers. Will you be next?
Join us for this educational Webcast on Feb 25, 2010.
Keynote by Peter Firstbrook, Gartner Analyst.
Watch a step-by-step demo of how Chinese hackers attacked big name US companies.
Learn how to protect your organization from such threats.
Register Here: http://www.sans.org/info/54528

**************************************************************************

TRAINING UPDATE
-- SANS Phoenix, February 14 - February 20, 2010
6 courses and bonus evening presentations, including The Art of Incident Response and Advanced Forensic Techniques: Catching Hackers on the Wire
http://www.sans.org/phoenix-2010/
-- SANS 2010, Orlando, March 6 - March 15, 2010
38 courses and bonus evening presentations, including Software Security Street Fighting Style
http://www.sans.org/sans-2010/
-- SANS Northern Virginia Bootcamp 2010, April 6-13
Bonus evening presentations include Safe Surfing: How to Surf the Net Without Getting PWND
http://www.sans.org/reston-2010/
-- SANS Security West 2010, San Diego, May 7-15, 2010
23 courses. Bonus evening presentations include Killer Bee: Exploiting ZigBee and the Kinetic World
http://www.sans.org/security-west-2010/
-- SANSFIRE 2010, Baltimore, June 6-14, 2010
38 courses
http://www.sans.org/sansfire-2010/

Looking for training in your own community? http://sans.org/community/
Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/spring09.php
Plus Tokyo, Bangalore, Oslo and Dublin all in the next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org

*************************************************************************

TOP OF THE NEWS

NSA to Help Google Analyze Attack, Improve Security (February 4, 2010)

Google is reportedly enlisting the help of the National Security Agency (NSA) to analyze the recently disclosed attack on the company's computer networks with the ultimate goal of protecting the company and its customers from attacks in the future. The arrangement is still being finalized; the terms of any agreement between Google and the NSA will maintain Google customers' privacy.
-http://www.washingtonpost.com/wp-dyn/content/article/2010/02/03/AR2010020304057.html

-http://www.nytimes.com/2010/02/05/science/05google.html?ref=technology
[Editor's Note (Schultz): NSA and Google working together would have been unheard of only a few years ago. If this relationship proves productive, it will serve as a precedent that other corporations are likely to follow, provided, of course, that NSA does not get too intrusive with respect to Google's private information.

(Skoudis): I wish they'd share a little more information about the procedures they'll put in place to maintain customers' privacy. I'm not looking for the full details, perhaps just a general statement in the future explaining how they anonymize or otherwise protect user data when interacting with government agencies.

(Paller): There are two sides of NSA. One looks at data streams (or doesn't -- it's all very secret). The other side, and the one that is much more important for most of us, protects the DoD agencies and helps them clean up after exactly this type of attack. It is called the IAD (Information Assurance Division), and is run by one of the great leaders in information security, Dick Schaeffer. NSA's IAD has done more to protect other agencies and the public than all the other responsible federal agencies (NIST, DHS, NSF) combined. If I were asked by a company which agency to ask for help, I would give that company three facts: (1) NSA IAD is responsible for protecting all DoD agencies against exactly the same type of attack; they understand what to look for and how to respond. (2) It has, by far, the highest level of "in house" expertise. Other agencies contract for much of their expertise and that creates a powerful fear of disclosure of corporate secrets to other companies. (3) It is very good at keeping secrets. ]

Director of National Intelligence Warns of Security Threats (February 2 & 3, 2010)

In testimony before the US Senate Intelligence Committee, Director of National Intelligence Dennis C. Blair called the recently disclosed attack on Google's computer networks "a wake-up call to those who have not taken this problem seriously." Blair's testimony addressed a range of security issues, including cyber attacks. Blair noted that "malicious cyber activity is occurring on an unprecedented scale with extraordinary sophistication." Blair said that the government needs to work closely with the private sector and international authorities to protect cyber space. He urged companies to report cyber attacks as soon as they become aware of them to help the government become aware of the scope of such attacks.
-http://www.nytimes.com/2010/02/03/us/politics/03intel.html?scp=2&sq=dennis%20blair&st=cse

-http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=222600872

-http://www.washingtonpost.com/wp-dyn/content/article/2010/02/02/AR2010020203975.html

[Editor's Note (Schultz): Efforts to have the US government partner with the commercial arena and international organizations have been initiated numerous times in the past, but they have not been all that successful. What will finally wake high-level government officials and senior management within the commercial arena to the need to get serious about dealing with information security risk is a widespread, prolonged, coordinated series of attacks designed to cripple the economy. Such attacks are inevitable--it is only a matter of time.

(Paller): The attacks are happening; thousands of US companies and agencies have been deeply penetrated; their networks are "contested territory;" but the public was not told. Now the stories are coming out and the general public is awakening. Note this sentence in the Jan. 26 editorial in the Christian Science Monitor (the editor is an avowed non-techy): "The stakes in the global cyber-war are at least as high as those in the global war on terror." Security people who have cried for years that they didn't have top management buy-in are like the proverbial dog that chases trucks. One of the trucks stops; the dog takes hold of it; and the driver looks down and says "Now what are you going to do with it?" Security people have begun hearing from their top executive, "You were right; it matters; now what are you going to do to protect us?" Those who offer NIST-based FISMA compliance or other paper-based audits as a solution and those who think they are being useful by explaining why perfect security is impossible, will have very short security careers. ]

Australian ISP Not Liable for Customers' Illegal Downloading (February 4, 2010)

An Australian judge has ruled that iiNet, Australia's third-largest Internet service provider (ISP), is not responsible for the online activity of its customers. Specifically, iiNet cannot be held liable for its customers' illegal downloading. A group of film companies represented by the Australian Federation Against Copyright Theft (AFACT) sued iiNet, maintaining that the ISP was guilty of copyright infringement because it did not stop its customers from downloading movies illegally.
-http://news.bbc.co.uk/2/hi/technology/8498100.stm
-http://www.theaustralian.com.au/australian-it/iinet-wins-court-case-against-hollywood-heavyweights/story-e6frgakx-1225826637560?from=public_rss



*********************** Sponsored Link: ************************

Discover how the Top 20 Critical Security Controls can deliver automated security and compliance to your organization's audit program. Register for this webcast today, brought to you by Qualys!
http://www.sans.org/info/54533

*******************************************************************

THE REST OF THE WEEK'S NEWS

US Legislators Pass Cyber Security R&D Bill (February 3 & 4, 2010)

The US House of Representatives has passed the Cyber Security Research and Development Act by a 422 to 5 vote. The legislation allocates US $395 million to the National Science Foundation (NSF) for cyber security research projects; it also gives the NSF US $108.7 million for a cyber security scholarship program, and authorizes additional activities at the National Institute of Standards and Technology (NIST). The bill now goes to the Senate.
-http://thecaucus.blogs.nytimes.com/2010/02/04/house-passes-cybersecurity-bill/
-http://www.nextgov.com/nextgov/ng_20100203_2907.php?oref=topstory
-http://news.cnet.com/8301-27080_3-10447627-245.html?tag=newsEditorsPicksArea.0
-http://www.pcworld.com/businesscenter/article/188548/us_house_passes_cybersecurity_randd_bill.html

-http://www.theregister.co.uk/2010/02/04/house_cybersecurity_bill/

Hackers Try to Steal Carbon Credits (February 3 & 4, 2010)

Companies in Europe, Japan, and New Zealand received phishing emails that appeared to come from the German Emissions Trading Authority. The messages told the recipients that they needed to re-register their accounts and directed them to a phony web page where their login credentials were stolen. The stolen credentials were used to access the companies' accounts. The thieves stole the credits and resold them to unsuspecting buyers. In all, they stole an estimated 250,000 carbon credit permits from six companies; the credits were worth a total of more than US $4 million. The attack caused emissions trading registries in several countries to be shut down temporarily. The carbon trading program allows companies to sell permission to produce greenhouse gases.
-http://www.wired.com/threatlevel/2010/02/hackers-steal-carbon-credits
-http://www.msnbc.msn.com/id/35238124/ns/technology_and_science-security/
-http://news.bbc.co.uk/2/hi/technology/8497129.stm
-http://www.h-online.com/security/news/item/Hackers-paralyse-emissions-trading-scheme-921075.html

[Editor's Note (Ullrich): Wherever there is money, there will be criminals.

(Skoudis): Wow! This is just so utterly modern, really showing how much the world has changed in ten years: hacking to steal carbon credits for illicit sale cripples trading registries? We've entered a new world. ]

IE Flaw Allows File Access (February 3 & 4, 2010)

Microsoft has issued a security advisory warning of a vulnerability in Internet Explorer (IE) that affects users running Windows XP or who have disabled IE Protected Mode. The vulnerability essentially turns vulnerable computers into "public file servers;" attackers can exploit the flaw to access files with known filenames and locations if they trick users into visiting specially-crafted websites. The vulnerability is the result of incorrectly rendering local files in the browser. It affects IE 5.01 and IE 6 on Windows 2000; IE 6 on Windows 2000 SP 4; and IE 6, 7 & 8 on Windows XP and Windows Server 2003.
-http://www.microsoft.com/technet/security/advisory/980088.mspx
-http://www.theregister.co.uk/2010/02/04/ms_browser_bug/
-http://www.computerworld.com/s/article/9151838/IE_flaw_gives_hackers_access_to_user_files_Microsoft_says?taxonomyId=17

[Editor's Note (Pescatore): This apparently will not be patched in the coming "Vulnerability Tuesday" patch release next week from Microsoft. No known active attacks have been documented against this one to date, but it is still a good idea to be as restrictive as possible on Windows user settings until it is patched. ]

Google to Drop IE 6 Support (February 3, 2010)

Google has announced that as of March 1, 2010, its applications will no longer support Internet Explorer 6 (IE 6). Although Google did not say so directly, the decision may have been influenced by recently disclosed attacks against Google and other US companies that exploited a vulnerability in IE 6. The attacks prompted public warnings in Germany, France and Australia against using IE 6.
-http://www.msnbc.msn.com/id/35219388/ns/technology_and_science-security/
[Editor's Note (Skoudis): It's about time. Kudos to Google for pushing this. IE 6 is really growing long in the tooth, and it is time to move on. ]

Ceridian Corp. Data Breach (February 3 & 4, 2010)

A cyber security breach at Bloomington, Minnesota-based payroll processing company Ceridian Corp. has compromised the personally identifiable information of 27,000 individuals at 1,900 companies. The compromised information includes names, Social Security numbers (SSNs) and some bank account numbers. According to a notification letter, the breach occurred in December 2009. The incident was reported to police and the FBI immediately after Ceridian learned of it.
-http://www.startribune.com/business/83505102.html?elr=KArksUUUU
-http://minnesota.publicradio.org/display/web/2010/02/04/ceridian/

VoIP Hacker Pleads Guilty (February 3, 2010)

Edwin Andrew Pena has admitted to earning more than US $1 million by selling millions of voice over Internet protocol (VoIP) call minutes that were sent over stolen network resources. On Wednesday, Pena pleaded guilty to wire fraud and conspiracy to commit wire fraud and unauthorized access to a protected computer. He could be sentenced to up to 25 years in prison and fined at least US $500,000. Between 2004 and 2006, Pena and an accomplice, Robert Moore, routed at least 10 million minutes of VoIP calls through providers' networks without permission. They gained access to those networks through brute force attacks (that worked because default passwords had not been changed) to determine security codes. They also routed the attacks through third party computers. Pena and Moore were arrested in 2006. Moore pleaded guilty to conspiracy to commit computer fraud and was sentenced to two years in prison. He has been released.
-http://www.theregister.co.uk/2010/02/03/voip_hacker_guilty/

Study: Banking Passwords Often Used for Other Sites (February 2, 2010)

Nearly three-quarters of computer users have the same password for their online banking accounts that they have for other, less secure websites. Data drawn from 4 million users of Trusteer's Rapport browser security service indicates that 47 percent of users have the same usernames and passwords for multiple sites, including financial account sites. The implications are serious; if cyber thieves obtain login information for someone's social networking account, they have a good chance of being able to access that person's online financial accounts as well.
-http://www.darkreading.com/insiderthreat/security/vulnerabilities/showArticle.jhtml?articleID=222600800&subSection=Vulnerabilities+and+threats

-http://www.theregister.co.uk/2010/02/02/e_banking_password_fail_survey/
[Editor's Note (Skoudis): This is one of my biggest concerns with breaches of relatively unimportant web sites. Users so often synchronize their passwords. Thus, bad guys can grab passwords from unimportant sites and use them to access the same user's accounts at online banks. Worse yet, the bad guys can perform a little social networking research to find the enterprise employer of the user, and attempt to login to remote access facilities of the organization. That's a compelling reason for multi-factor authentication for enterprise remote access. ]


**********************************************************************

The Editorial Board of SANS NewsBites



Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/