SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XII - Issue #15
February 23, 2010
CALL FOR PARTICIPATION: Summit on Security Architecture. Cisco, NSA, and SANS are helping to bring together the people committed to ensuring security is baked into systems, applications, and most importantly - into the DNA of development organizations. The agenda is already pretty amazing ( http://www.sans.org/security-architecture-summit-2010 ) but we are looking for other amazing processes and tools that make a difference. If you can describe something that works please write a paragraph about what it is and how you know it is effective. Please email apaller@sans.org with subject Security Architecture Summit.
Alan
TOP OF THE NEWS
FBI Investigating School District's Remote Webcam Use
Largest Ever Finnish Data Breach Exposes Thousands of Payment Cards
US Military to Allow Limited Use of USB Drives
THE REST OF THE WEEK'S NEWS
FTC Tells Organizations They're Leaking Data Through P2P Networks
Alleged Aurora Attack Code Author Identified; Attacks Linked to Two Schools
Attacks Against Smart Grid Devices Likely to Grow Next Year
Jargon Hinders Everyday Users' Understanding of Cyber Security
Adobe Acknowledges Flaw in Download Manager
Symantec's 2010 State of Enterprise Security Study
*********************** A Question From SANS *****************************
SANS Asks... Which information security products, services and providers would you like to hear more about? Answer a short, 3-question survey and be automatically entered to win a $50 Amazon gift card. http://www.sans.org/info/55323
*************************************************************************
TRAINING UPDATE
-- SANS 2010, Orlando, March 6 - March 15, 2010 38 courses and bonus evening presentations, including Software Security Street Fighting Style
http://www.sans.org/sans-2010/
-- SANS Northern Virginia Bootcamp 2010, April 6-13 Bonus evening presentations include Safe Surfing: How to Surf the Net Without Getting PWND
http://www.sans.org/reston-2010/
-- SANS Security West 2010, San Diego, May 7-15, 2010 23 courses. Bonus evening presentations include Killer Bee: Exploiting ZigBee and the Kinetic World
http://www.sans.org/security-west-2010/
-- SANSFIRE 2010, Baltimore, June 6-14, 2010 38 courses. Bonus evening presentations include Software Security Street Fighting Style and The Verizon Data Breach Investigations Report
http://www.sans.org/sansfire-2010/
-- SANSFIRE Rocky Mountain 2010, Denver, July 12-17, 2010 8 courses. Bonus evening presentations include Hiding in Plain Sight: Forensic techniques to Counter the Advanced Persistent Threat
http://www.sans.org/rocky-mountain-2010/
-- SANS Boston 2010, June 6-14, 2010 11 courses
http://www.sans.org/boston-2010/
Looking for training in your own community?
http://sans.org/community/
Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/spring09.php
Plus Dublin, Dubai, Geneva, Toronto and Singapore all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
*************************************************************************
TOP OF THE NEWS
FBI Investigating School District's Remote Webcam Use (February 18, 19 & 21, 2010)
The FBI is investigating allegations that the Lower Merion School District, in Ardmore, Pennsylvania has been using built-in cameras in school-issued MacBook laptop computers to spy on students at home. Michael and Holly Robbins, parents of a district high school student, have asked a federal judge to bar the district from turning on the webcams. They also want the judge to prevent the district from recalling the computers from students because they fear students will wipe evidence of the cameras' use from the machines. The district maintained it was using the webcam to locate missing computers, and disabled the function two days after the Robbinses filed their suit. According to the lawsuit, the Robbinses' son "was at home using a school issued laptop that was neither reported lost nor stolen when his image was captured by Defendants without his or his parents' permission." The Robbinses' lawsuit is seeking class action status.
-http://www.computerworld.com/s/article/9159778/Irate_parents_in_Pa._say_schools_use_peeping_tom_technology_?taxonomyId=17
-http://www.cnn.com/2010/CRIME/02/19/laptop.suit/index.html
-http://www.informationweek.com/news/services/data/showArticle.jhtml?articleID=223000163
Largest Ever Finnish Data Breach Exposes Thousands of Payment Cards (February 19, 2010)
Police in Finland are investigating a data security breach that exposed more than 100,000 payment cards. A small number of the compromised cards has been used to conduct fraudulent transactions. The data were stolen from an unnamed Helsinki business; the attackers accessed the organization's system several times in January 2010. This is the largest reported case of payment card theft in Finland.
-http://www.yle.fi/uutiset/news/2010/02/hackers_get_data_on_10s_of_thousands_of_payment_cards_1464115.html
US Military to Allow Limited Use of USB Drives (February 18 & 19, 2010)
More than a year after banning the use of USB drives, the US military says it is allowing "a return to limited use of removable devices under very specific circumstances and guidelines." The ban was initiated after infected drives began infecting military networks in late 2008. The new guidelines allow the use of secure USB drives and other removable storage media only as "a last resort for operational mission requirements." Troops wishing to use the devices must obtain specific approval and use only devices that are properly inventoried and government procured and owned. Personally owned devices are prohibited. The approved devices will be password-protected and will encrypt all data that are stored on them. They also may have features that prevent information from being copied or forwarded and prevent certain information from being stored on the drive altogether.
-http://www.defensenews.com/story.php?i=4505089&c=AME&s=TOP
-http://www.nextgov.com/nextgov/ng_20100219_2666.php?oref=topstory
-http://darkreading.com/insiderthreat/security/storage/showArticle.jhtml?articleID=223000373&subSection=Storage+security
[Editor's Note (Pescatore): Good idea to provide secure USB devices, since there is obviously a mission need for secure, transportable storage. Even better - also fix the underlying security flaw that allowed the malware to spread, as password protected/encrypting USB drives can still easily contain malware. ]
*************************** Sponsored Links ***************************
1) SIEM 2.0 - VIEW Demo of SC Magazine's Best Buy and Innovator of the Year. http://www.sans.org/info/55328
2) ALERT: Google was victimized by hackers. Will you be next? Zscaler Webcast with Gartner Keynote http://www.sans.org/info/55333
3) Attend an Online Demo of iPrism Web Filter and Get a $20 Amazon Giftcard! http://www.sans.org/info/55338
*************************************************************************
THE REST OF THE WEEK'S NEWS
FTC Tells Organizations They're Leaking Data Through P2P Networks (February 22, 2010)
The US Federal Trade Commission (FTC) has notified nearly 100 public and private organizations that they are leaking sensitive data through peer-to-peer (P2P) file sharing networks. The compromised data include health information, financial records and license numbers of employees and customers. If companies do not take adequate measures to protect sensitive data from exposure, they could be found in violation of US data protection laws, such as the Gramm-Leach-Bliley Act and Section 5 of the FTC Act.
-http://darkreading.com/security/attacks/showArticle.jhtml?articleID=223100156&subSection=Attacks/breaches
[Editor's Note (Pescatore): If personally identifiable information was found on peer to peer networks, the companies who leaked are very likely already in violation of many laws unless they've notified all the impacted parties via the usual extremely expensive disclosure process. ]
Alleged Aurora Attack Code Author Identified; Attacks Linked to Two Schools (February 19, 20, 21 & 22, 2010)
US computer analysts believe they have identified the author of the attack code used to break into computer systems at Google and more than 30 other US companies. The individual believed to be the author of the code is a 30-something security consultant and is not believed to have launched the attacks. The attacks themselves have been linked to two Chinese schools, one with known ties to the military. Both Shanghai Jiaotong University, a prestigious technology school, and the Lanxiang School have denied any involvement with the attacks.
-http://www.wired.com/threatlevel/2010/02/us-pinpoints-coder-behind-google-attack/
-http://www.cnn.com/2010/BUSINESS/02/21/google.hackers/index.html
-http://www.nytimes.com/2010/02/19/technology/19china.html
-http://news.bbc.co.uk/2/hi/technology/8527944.stm
-http://www.washingtonpost.com/wp-dyn/content/article/2010/02/19/AR2010021902643.html
-http://www.nytimes.com/2010/02/22/technology/22cyber.html?partner=rss&emc=rss
-http://www.theregister.co.uk/2010/02/21/china_schools_deny_involvement_in_google_attacks/
-http://www.computerworld.com/s/article/9159258/Chinese_school_linked_to_Google_attacks_also_linked_to_01_attacks_on_White_House_site?taxonomyId=17
Attacks Against Smart Grid Devices Likely to Grow Next Year (February 19, 2010)
According to the Project Grey Goose Report on Critical Infrastructure, cyber attackers are likely to increase their attention to components of the smart grid over the next 12 months. The emergence of smart grid devices will prove a tempting target for hackers. Many will be wireless, and they are likely to be sniffed, penetrated and attacked to deny service. Hackers are likely to become more aggressive, both in the intensity and the frequency of their attacks. The report lists the main threats as state- and non-state-sponsored attackers from the Russian Federation, China, and Turkey. "There have been at least 120" successful attacks against the power grid, although companies say there have been none.
-http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=223000369&cid=RSSfeed
[Editor's Note (Schultz): Spokespersons for the power grid seem as determined in their repeated denials as do government spokespersons from China!
(Paller): The data that will be discussed at the SCADA Security Summit ( http://www.sans.org/scada-security-summit-2010/ ) will make it much harder for EEI to claim it isn't happening. ]
Jargon Hinders Everyday Users' Understanding of Cyber Security (February 19, 2010)
Computer experts meeting in Belgium last week discussed problems in cyber security culture that stand in the way of helping regular users protect themselves and their computers. Jargon lends a "mystique" to security, which results in a lack of clarity and, among some, a sense of superiority over those who are not well versed in the technical aspects of cyber security. Cyber security language needs to be simplified and users need to be told why they are being asked to do things like create strong passwords and keep them secret, or install security software; the risks of not taking cyber security precautions need to be made clear and real. Education about cyber security needs to be informative and interesting, and created to target various age groups and audiences.
-http://www.msnbc.msn.com/id/35479954/ns/technology_and_science-security/
[Editor's Note (Schultz): The experts were certainly correct in saying that jargon hinders users' understanding of cyber security concepts. What the experts should also have pointed out is that jargon hinders the understanding of concepts in the entire information technology arena--it is by no means a cyber security-specific problem. ]
Adobe Acknowledges Flaw in Download Manager (February 18 & 19, 2010)
Adobe has confirmed the presence of a flaw in its Download Manager that could be exploited to install arbitrary software on vulnerable Windows computers. Exploiting the vulnerability is not trivial, because the Adobe Download Manager is an ActiveX script that is not normally installed permanently on PCs. Attackers could take advantage of the flaw while the Download Manager is active; the Download Manager stays on a machine until that machine is rebooted. Adobe tells users what is being downloaded, but does not ask permission before installing the downloads.
-http://www.h-online.com/security/news/item/Security-problems-in-Adobe-s-Download-Manager-935642.html
-http://www.theregister.co.uk/2010/02/18/adobe_download_peril/
Symantec's 2010 State of Enterprise Security Study (February 22, 2010)
According to Symantec's 2010 State of Enterprise Security study, 75 percent of responding organizations experienced a cyber security attack within the last year; of those, more than one-third said the attacks were "somewhat/highly effective." The statistics indicate a 29 percent increase in attacks reported over last year. All respondents said they had experienced some sort of cyber loss in 2009. However, just 42 percent of the organizations said that security was their most important issue. The study surveyed 2,100 CIOs, CISOs and IT managers in 27 countries in January 2010.
-http://www.symantec.com/about/news/release/article.jsp?prid=20100221_01
-http://www.scmagazineuk.com/a-rise-in-cyber-attacks-by-one-third-saw-100-per-cent-of-enterprises-experience-cyber-losses-in-2009/article/164204/
-http://www.net-security.org/secworld.php?id=8896
-http://www.v3.co.uk/v3/news/2258220/cyber-security-tops-priority
[Editor's Note (Northcutt): Some highlights from my read. Page 7: 25% of the folks surveyed felt they had experienced no cyber attacks in the past 12 months. I know where to go to start looking for totally "owned" organizations. Page 9: attacks caused an equal number of losses in three categories: loss of customer PII, downtime, and loss of intellectual property. Page 10: the cost of damages consists of essentially equal parts lost productivity, lost revenue, and lost customer trust. ]
**********************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/