
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XII - Issue #11

February 09, 2010


Very cool summer camps for high school and college kids who may become America's future cyber guardians/warriors. Camps are planned for Delaware, California and New York with two other states possibly being included this summer and all states in 2011. They are like sports camps for the most talented soccer or basketball players, but these are for the people who already know how systems can be hacked and protected. Randy Marchany, the newly named CISO at Virginia Tech, is doing the design and execution of the camps. The camps are free but to qualify for an invitation, students have to do well in one of the four competitions of the US Cyber Challenge. One of the competitions (the Security Treasure Hunt) will begin running continuously next week. If you have the talent, or know students who do, please send name, email, school, grade, city and state to Sonny Sandelius (ssandelius@sans.org). Sonny will send data about the qualifying competitions and dates for the camps.



Related request for help: Do you have access to workbooks or other material for a training program for adults working with high school age children - appropriate behavior, motivation, etc? We will be doing pre-camp orientation for the 70 security professionals who have volunteered to provide mentoring during the camps, and we need a solid foundation. Thanks in advance. Email suggestions to apaller@sans.org.

Alan

TOP OF THE NEWS

Chinese Police Close Down Black Hawk Safety Net Hacker Site
Security Chip That Does Encryption in PCs Hacked
UK Legislative Committee Concerned About Pending Anti-Piracy Law
FBI Wants ISP to Retain Sites Visited Data for Two Years

THE REST OF THE WEEK'S NEWS

Penn State Researchers Develop Algorithm That Fights Stealthy Worms
Prosecutors Transfer NASA and Cisco Hacker's Case to Sweden
Microsoft Reminds Users of Windows Support Cutoff Dates
P2P Users Still Leaking Sensitive Data
Cyber Thieves Hit Poughkeepsie, New York Town Bank Account
Mozilla Removes Trojan-Laced Plug-Ins From Firefox Download Site
Oracle Releases Out-of-Cycle Patch for WebLogic Server Flaw
Microsoft Issues 13 Security Bulletins to Address 26 Vulnerabilities


*********** Sponsored By Trusted Computer Solutions ********************

Automated, consistent operating system lock down. Who knew? Whether locking down one server or an entire enterprise, Security Blanket performs fast, consistent, and repeatable OS lock down to industry guidelines such as DISA STIGs, CIS, and SANS CAG Top 20 Critical Controls. Now that you know, give Security Blanket a try for FREE.
http://www.sans.org/info/54659

*************************************************************************

TRAINING UPDATE
-- SANS Phoenix, February 14 - February 20, 2010
6 courses and bonus evening presentations, including The Art of Incident Response and Advanced Forensic Techniques: Catching Hackers on the Wire
http://www.sans.org/phoenix-2010/

-- SANS 2010, Orlando, March 6 - March 15, 2010
38 courses and bonus evening presentations, including Software Security Street Fighting Style
http://www.sans.org/sans-2010

-- SANS Northern Virginia Bootcamp 2010, April 6-13
Bonus evening presentations include Safe Surfing: How to Surf the Net Without Getting PWND
http://www.sans.org/reston-2010

-- SANS Security West 2010, San Diego, May 7-15, 2010
23 courses. Bonus evening presentations include Killer Bee: Exploiting ZigBee and the Kinetic World
http://www.sans.org/security-west-2010

-- SANSFIRE 2010, Baltimore, June 6-14, 2010
38 courses
http://www.sans.org/sansfire-2010


Looking for training in your own community? http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/spring09.php

Plus Tokyo, Bangalore, Oslo and Dublin all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org

*************************************************************************

TOP OF THE NEWS

Chinese Police Close Down Black Hawk Safety Net Hacker Site (February 8, 2010)

Chinese police have shut down a hacker site that was allegedly involved in recruiting and training thousands of people in malware and cyber attacks. The Black Hawk Safety Net operators are believed to have collected more than 7 million yuan (US $1 million) in membership fees from more than 12,000 paying VIP members; 170,000 additional members had signed up for free memberships. Three people believed to have been running the website have been arrested. The arrests come in the wake of allegations that attacks on Google and other US companies originated in China, allegations that the Chinese government denies.
-http://www.theglobeandmail.com/news/technology/chinese-police-raid-hacker-hub/article1460094/

-http://www.theregister.co.uk/2010/02/08/china_cybercrook_training_outfit_raid/
-http://www.cnn.com/2010/TECH/02/08/china.hackers/index.html
-http://www.computerworld.com/s/article/9153238/China_shuts_hacker_training_site_arrests_three_?taxonomyId=17

-http://news.bbc.co.uk/2/hi/asia-pacific/8503637.stm
[Editor's Note (Ullrich): Chinese media provide a bit more details (e.g. see
-http://news.xinmin.cn/rollnews/2010/02/07/3579571.html).
For example, this group was involved in extortion attacks against Chinese internet cafes. The group asked for approx $800 from internet cafes and threatened them with DoS attacks if they didn't pay. They got tracked down via the phone number they gave these internet cafes to negotiate terms. This group is hardly in the same league as the Google attackers.

(Weatherford): A possible explanation: The Black Hawk Safety Net became a political liability when they began shaking down Chinese businesses and were just unnecessary competition for the government.

(Northcutt): The Chinese Government started cracking down on some hackers about a year ago, possibly because they are now hitting Chinese sites as well as foreign sites. Dark Visitor has published information on several of these events:
-http://www.thedarkvisitor.com/2009/07/chinese-hackers-suspected-of-breaking-green-dam-arrested/
]

Security Chip That Does Encryption in PCs Hacked (February 9, 2009)

Christopher Tarnovsky discovered a way to crack the TCP chip on which many military and commercial security schemes rely. Without solid security at the client, there can be no confidence in the confidentiality or integrity of communications. Tarnovsky's hack requires physical access to the chip; it cannot be performed remotely.
-http://abcnews.go.com/Technology/wireStory?id=9780148

UK Legislative Committee Concerned About Pending Anti-Piracy Law (February 5, 2010)

The UK's Joint Select Committee on Human Rights has expressed concern that pending anti-piracy legislation could violate Internet users' rights. The Digital Economy Bill proposes cutting off the Internet connections of users who continue to download content in violation of copyright law after repeated warnings. The Committee is particularly concerned that the law would allow for "over-broad powers" and that the technical measures of the bill and how those measures would be applied are not "sufficiently specified."
-http://news.bbc.co.uk/2/hi/technology/8500876.stm

FBI Wants ISP to Retain Sites Visited Data for Two Years (February 5, 2010)

The FBI wants Internet service providers (ISPs) to keep records of which websites its customers visit and to retain the data for two years. The agency believes that the information could prove useful in investigations of serious crimes. Existing federal regulations require telecommunications providers to keep records of toll calls for 18 months; the information logged includes the "name, address, and telephone number of the caller, telephone number called, date, time and length of call." The FBI is not seeking the content of communications, just "non-content transactional data."
-http://news.cnet.com/8301-13578_3-10448060-38.html


*************************** Sponsored Links ***************************

1) Replace Cisco CS-MARS from the MARS creators.
Upgrade to AccelOps at your current MARS maintenance fee and receive a full year of maintenance & support.
http://www.sans.org/info/54664

2) ALERT: Webcast - Google was victimized by hackers. Will you be next?
Keynote by Gartner Analyst.
http://www.sans.org/info/54669

3) Discover how the Top 20 Critical Security Controls can deliver automated security and compliance to your organization's audit program.
Register for this webcast today, brought to you by Qualys!
http://www.sans.org/info/54674

*************************************************************************

THE REST OF THE WEEK'S NEWS

Penn State Researchers Develop Algorithm That Fights Stealthy Worms (February 5 & 8, 2010)

Researchers at Penn State have developed code that targets local scanning worms. The algorithm could be used to thwart the spread of the worms through computer networks. The researchers' algorithm can measure a worm's virulence, determine which machines on a given network are infected and identify which packets are being sent in attempts to spread the worm. The algorithm also allows infected machines to remain online so they can continue to be used for legitimate functions.
-http://darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=222700362
-http://news.techworld.com/security/3212013/researchers-identify-algorithm-that-stops-worms-spreading/

Prosecutors Transfer NASA and Cisco Hacker's Case to Sweden (February 8, 2010)

US prosecutors have announced that the case against a man who allegedly broke into computer systems at NASA and stole sensitive data will be transferred to Sweden. Philip Gabriel Pettersson, who was 16 at the time of the alleged intrusion at Cisco, was indicted last May in San Francisco, but he could not be extradited from Sweden to face the charges. No reasons were given for the change. Swedish authorities would not guarantee that they would charge Pettersson, who is now 21.
-http://www.theregister.co.uk/2010/02/08/swedish_hacker_prosecution/
-http://www.wired.com/threatlevel/2010/02/sweden-probing-cisco-nasa-hacks/

Microsoft Reminds Users of Windows Support Cutoff Dates (February 8, 2010)

Microsoft will stop support for Windows 2000 and certain versions of XP and Vista over the next few months. After April 13, 2010, Microsoft will no longer issue security updates for Vista RTM (release to manufacturing). Vista users are encouraged to upgrade to Vista Service Pack 1 or Service Pack 2, which were issued in March 2008 and May 2009, respectively. After July 13, 2010, Microsoft will no longer support Windows 2000 at all, and will no longer issue security updates for Windows XP SP2. Users still running Windows XP SP2 are urged to upgrade to SP3 or to Windows 7.
-http://www.computerworld.com/s/article/9153498/Microsoft_warns_of_lapsing_Windows_support

P2P Users Still Leaking Sensitive Data (February 5, 2010)

Researchers gave a presentation at ShmooCon last week indicating that people using peer-to-peer (P2P) filesharing programs are unaware of exactly what information they are making publicly available. Larry Pesce and Mick Douglas said in their presentation that they were able to access people's driver's licenses, passports and tax returns. The researchers' activity was prompted by recent disclosures involving sensitive government information, including communications, navigation and management systems data for Marine One, the President's helicopter. The researchers were able to locate the sensitive files using simple search terms such as "doctor," "passport," "license," and "visa," as well as a number of different file extensions.
-http://www.csoonline.com/article/532963/ShmooCon_P2P_Snoopers_Know_What_s_In_Your_Wallet

Cyber Thieves Hit Poughkeepsie, New York Town Bank Account (February 5 & 8, 2010)

The town supervisor of Poughkeepsie, New York, has called it "unacceptable" that a local bank failed to notify her office of several attempted fund transfers to a bank account in Eastern Europe. In all, US $378,000 was taken from a city account and transferred to Ukraine; about $95,000 has been recovered. The fraudulent transactions were placed on January 11 and 12, 2010. The cyber thieves attempted nine transactions; four were successful.
-http://www.theregister.co.uk/2010/02/05/online_bank_heist/
-http://www.poughkeepsiejournal.com/article/20100204/NEWS05/2040339/Myers--Hacker-stole--378-000-from-town-account--sent-it-to-Ukraine
-http://www.computerworld.com/s/article/9153598/Poughkeepsie_N.Y._slams_bank_for_378_000_online_theft?taxonomyId=17

[Editor's Note (Northcutt): Very important that people lock down systems used for online bank transfers. SANS is running Bit9 corporately as well as the free Microsoft Steady State on the systems we share. That took a bit of configuration, but we are up and running. I have a single user version of Savant Protection on my netbook. Hackers for Charity is using Deep Freeze. Even if you do not run lock down software on all your systems, you need to get it on your accounting systems soon. I would love to hear your experience with lock down software, stephen@sans.edu:
-http://www.bit9.com/
-http://www.microsoft.com/windows/products/winfamily/sharedaccess/default.mspx
-http://www.savantprotection.com/
-http://www.faronics.com/
-http://www.hackersforcharity.org/long-journey/back-to-work/]

Mozilla Removes Trojan-Laced Plug-Ins From Firefox Download Site (February 5 & 8, 2010)

Mozilla has removed a pair of plug-ins from its Firefox add-on site after learning that they contain malicious code. Version 4.0 of the Sothink Web Video Downloader and all versions of Master Filer contain Trojan Horse programs designed to infect Windows users' computers. Users who have downloaded these plug-ins are advised to uninstall them and run their antivirus software to clean up any infections.
-http://download.cnet.com/8301-2007_4-10448331-12.html?tag=mncol;title
-http://www.scmagazineus.com/mozilla-says-two-firefox-browser-plug-ins-contain-trojan/article/163344/

-http://www.theregister.co.uk/2010/02/05/malicious_firefox_extensions/

Oracle Releases Out-of-Cycle Patch for WebLogic Server Flaw (February 5 & 8, 2010)

Oracle has issued an out-of-cycle patch for a vulnerability in its WebLogic application server that was disclosed several weeks ago. Attackers could exploit the flaw to execute commands remotely without authentication on vulnerable machines. The vulnerability affects the Node Manager component of the Oracle WebLogic Server.
-http://www.computerworld.com/s/article/9152998/With_bug_public_Oracle_rushes_out_WebLogic_fix?source=rss_news
-http://www.theregister.co.uk/2010/02/08/oracle_weblogic_update/
-http://securitywatch.eweek.com/oracle/oracle_patches_dangerous_weblogic_server_flaw.html

Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=8194

Microsoft Issues 13 Security Bulletins to Address 26 Vulnerabilities (February 4, 2010)

Microsoft issued 13 security bulletins today. Five of the bulletins have been given critical ratings, and seven have been rated important. In all, the bulletins describe fixes for 26 vulnerabilities. One of the bulletins addresses a known privilege escalation flaw in the Windows kernel. The bulletins affect several editions of Windows, Office XP and Office 2003 on Windows and Office 2004 for Mac.
-http://www.computerworld.com/s/article/9152258/Microsoft_slates_colossal_Windows_patch_next_week?source=rss_news

-http://blogs.zdnet.com/security/?p=5390&tag=content;wrapper
-http://www.microsoft.com/technet/security/bulletin/ms10-feb.mspx


**********************************************************************


The Editorial Board of SANS NewsBites



Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).



John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.



Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.



Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States.



Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.



Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.



Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.



Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.



Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.



Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.



Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.



David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.



Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.



Alan Paller is director of research at the SANS Institute.



Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.



Clint Kreitner is the founding President and CEO of The Center for Internet Security.



Brian Honan is an independent security consultant based in Dublin, Ireland.



David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.



Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/