SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XII - Issue #16
February 26, 2010
TOP OF THE NEWS
Senate Committee Hears of Nation's Unpreparedness for Cyber Warfare
Mike McConnell's Strategy to Win a Cyber War
Italian Google Verdict Casts Shadow on Freedom of Speech
Google Is Hiring in China
THE REST OF THE WEEK'S NEWS
Report Says Client-Side Vulnerabilities on the Rise
Comcast Attacker Pleads Guilty
Waledac Botnet Command and Control Domains Cut Off
Baidu Says Attackers Used Social Engineering in Redirect Attack
Three Charged in Mass. ATM Skimming Scheme
Adobe Fixes Critical Flaw in Download Manager
Intel Acknowledges January Breach
HHS Posts List of Reported Health Data Breaches
**************** Sponsored By Trusted Computer Solutions ****************
Automated, consistent operating system lock down. Who knew? Whether locking down one server or an entire enterprise, Security Blanket performs fast, consistent, and repeatable OS lock down to industry guidelines such as DISA STIGs, CIS, and SANS CAG Top 20 Critical Controls. Now that you know, give Security Blanket a try for FREE. http://www.sans.org/info/55613
*************************************************************************
TRAINING UPDATE
-- SANS 2010, Orlando, March 6 - March 15, 2010. 38 courses and bonus evening presentations, including Software Security Street Fighting Style
http://www.sans.org/sans-2010/
-- SANS Northern Virginia Bootcamp 2010, April 6-13 Bonus evening presentations include Safe Surfing: How to Surf the Net Without Getting PWND
http://www.sans.org/reston-2010/
-- SANS Security West 2010, San Diego, May 7-15, 2010 23 courses. Bonus evening presentations include Killer Bee: Exploiting ZigBee and the Kinetic World
http://www.sans.org/security-west-2010/
-- SANSFIRE 2010, Baltimore, June 6-14, 2010 38 courses. Bonus evening presentations include Software Security Street Fighting Style and The Verizon Data Breach Investigations Report
http://www.sans.org/sansfire-2010/
-- SANSFIRE Rocky Mountain 2010, Denver, July 12-17, 2010 8 courses. Bonus evening presentations include Hiding in Plain Sight: Forensic techniques to Counter the Advanced Persistent Threat
http://www.sans.org/rocky-mountain-2010/
-- SANS Boston 2010, June 6-14, 2010 11 courses
http://www.sans.org/boston-2010/
Looking for training in your own community? http://sans.org/community/
Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/spring09.php
Plus Dublin, Dubai, Geneva, Toronto and Singapore all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
*************************************************************************
TOP OF THE NEWS
Senate Committee Hears of Nation's Unpreparedness for Cyber Warfare (February 23 & 24, 2010)
Former US Director of National Intelligence (DNI) Admiral Mike McConnell told the Senate committee overseeing commerce, transportation and technology that if the nation were attacked today in a cyber war, "we would lose." McConnell told them that it will take a catastrophic cyber attack (one he told them to expect) to force the country to take action to protect IT systems. Jim Lewis, chair of the CSIS Commission on Cybersecurity for the President, echoed McConnell's sentiments that private industry needs to take decisive steps to protect the IT systems that support the country's critical infrastructure from attacks, and that it won't do so until forced to, through federal procurement and regulation.
-http://www.washingtonpost.com/wp-dyn/content/article/2010/02/23/AR2010022305033.html
-http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=223100425
[Editor's Note (Paller): Watching the Senators' expressions when Admiral McConnell told them that we would lose in a cyber war was a powerful awakening. They didn't know! Other than the chairman and ranking member, who served in the same roles on the Senate Intelligence Committee until last year and had had intense classified briefings, the Commerce Committee members had no idea how far behind the United States has fallen. Their lack of knowledge completely explains why Congress passed such a terrible law (in FISMA), why they never fixed it, and why the Office of Management and Budget staff, living in similar oblivion, won't take the clear and proven steps necessary to reduce the security risk to federal systems. (Schultz): Unfortunately, senior management in the U.S. commercial sector is unlikely to heed McConnell's warning, let alone act on it. The following quote from a prominent CIO summarizes the problem nicely: "You security guys keep talking and talking about the end of the world. It doesn't seem to come." ]
Mike McConnell's Strategy to Win a Cyber War (February 28, 2010)
Mike McConnell says the US needs a "cohesive strategy to meet [the] challenge" of cyber war. He says government and industry need to be more forthcoming about the challenges the nation faces in cyber space. An effective strategy will incorporate both deterrence and preemption because of the varied threats we face. Deterrence involves a clear expression of intent backed up by policies and international agreements, as well as real-time monitoring of cyber space and the capability to identify attacks and pinpoint their origins. Preemption involves identifying adversaries who are motivated by ideology rather than greed and taking steps to undermine their ability to launch attacks.
-http://www.washingtonpost.com/wp-dyn/content/article/2010/02/25/AR2010022502493.html
Italian Google Verdict Casts Shadow on Freedom of Speech (February 24, 2010)
An Italian court has found three Google executives guilty of violating Italian privacy laws in a case involving the posting of a disturbing video. The decision holds the men liable for content posted on the company's system. Prosecutors said the men did not act quickly enough to remove a video of teenagers bullying an autistic boy. The video was removed within two hours of receiving a formal complaint from Italian police, but it had been available for two months. The three men each received six-month suspended sentences. The ruling has generated strong responses worldwide. The decision has been compared to "prosecuting the post office for hate mail that is sent in the post."
-http://www.nytimes.com/2010/02/25/technology/companies/25google.html?ref=technology
-http://news.bbc.co.uk/2/hi/technology/8533695.stm
-http://www.technewsdaily.com/italian-conviction-of-employees-threatens-entire-internet-100224-0245/
-http://www.informationweek.com/news/hardware/utility_ondemand/showArticle.jhtml?articleID=223100601
[Editor's Note (Honan): This case could have a lot of ramifications for how service providers operate within the EU. The EU E-Commerce Directive provides service providers, such as Google, protection from liability for any material produced by third parties that the service provider simply stores or transmits. However, the provider is not exempt if it is monitoring the content of the material or fails to take that material down once notified. Core to the ruling was the fact that this video was one of the most viewed videos on Google Video at the time, and as such Google was aware of the video due to the advertisement revenue it was making from its popularity. The appeal in this case will be watched with great interest. ]
Google Is Hiring in China (February 24, 2010)
Google is hiring people in China, putting to rest any rumblings that it plans to pull out of the country. Following the disclosure of attacks on Google systems earlier this year, the company had indicated it no longer wished to censor Internet searches, and hinted that it might shutter its China operations. Google is presently abiding by Chinese laws regarding search results and is in talks with the Chinese government regarding operational changes.
-http://www.bloomberg.com/apps/news?pid=newsarchive&sid=arbc4_ButJTs
-http://www.itproportal.com/portal/news/article/2010/2/25/google-bets-china-advertises-more-positions/
[Editor's Note (Northcutt): However, the rest of the story was in the last issue of the Economist. According to that highly respected publication, after Google made its big announcement, other tech firms such as Microsoft started efforts to recruit Google China workers. Apparently, while it is true that before the announcement Google workers were intensely loyal to Google, the announcement that Google was shutting down operations in China strongly diminished that loyalty. ]
*************************** Sponsored Links ***************************
1) Rediscover Orlando and hear about Process Control Security issues. Process Control & SCADA Summit March 29-30.
http://www.sans.org/info/55618
2) SANS Inquires... Which information security products, services and providers would you like to hear more about? Answer a short 3 question survey and be automatically entered to win a $50 Amazon gift card. http://www.sans.org/info/55623
3) SIEM 2.0 - VIEW Demo of SC Magazine's Best Buy and Innovator of the Year.
http://www.sans.org/info/55628
*************************************************************************
THE REST OF THE WEEK'S NEWS
Report Says Client-Side Vulnerabilities on the Rise (February 25, 2010)
Data from IBM's X-Force Trend and Risk Report show that while the overall number of reported software flaws dropped slightly last year, the number of reported vulnerabilities in document readers and multimedia applications increased significantly in 2009. The X-Force research and development team recorded 6,601 new flaws in 2009, an 11 percent decrease from the previous year. However, the number of client-side flaws rose 50 percent over 2008's figures. Three of the five most widespread web site exploits involved PDF files.
-http://www.computerworlduk.com/technology/security-products/prevention/news/index.cfm?RSS&newsid=19030
[Editor's Note (Pescatore): Since the big snow storm bypassed my area this week, I'm in a glass half-full mood: these statistics mean a significant drop in vulnerabilities being reported on the server side! ]
Comcast Attacker Pleads Guilty (February 25, 2010)
Christopher Allen Lewis has pleaded guilty to one count of conspiracy to intentionally damage a protected computer system for his role in an attack that took Comcast Corp.'s website offline in May 2008. Two other men have also been charged in the case. Paul Michael Nebel has pleaded not guilty; James Robert Black is expected to plead guilty next week. The three men were part of the Kryogeniks phone phreaking group.
-http://www.computerworld.com/s/article/9162178/Guilty_plea_for_hacker_who_took_Comcast_off_Web?taxonomyId=17
Waledac Botnet Command and Control Domains Cut Off (February 25, 2010)
Microsoft has obtained a temporary injunction requiring Verisign to cut off Internet traffic to 277 domains associated with the Waledac botnet. Those domains serve as command and control nodes for Waledac, which is believed to have infected hundreds of thousands of computers worldwide and is used primarily to send spam.
-http://www.theregister.co.uk/2010/02/25/ms_waledac_takedown/
-http://www.computerworld.com/s/article/9162158/Court_order_helps_Microsoft_tear_down_Waledac_botnet?source=CTWNLE_nlt_dailyam_2010-02-25
-http://www.h-online.com/security/news/item/Microsoft-takes-legal-action-against-botnet-940363.html
-http://news.bbc.co.uk/2/hi/technology/8537741.stm
-https://isc.sans.org/diary.html?storyid=8299
[Editor's Note (Pescatore): Pulling dandelions makes the lawn look better for a while, but you really need regular pre-emergence weed control to make a difference in the long run. ]
Baidu Says Attackers Used Social Engineering in Redirect Attack (February 24, 2010)
Chinese search engine Baidu says that the attackers who redirected its users to another page used social engineering to obtain the information needed to carry out the attack. The attackers pretended to be Baidu employees while chatting online with the search engine's registrar, Register.com. The attacker chatting online with Register.com's technical support requested that Baidu's email address on file be changed. The registrar sent a confirmation code for the email change to Baidu's old email address. Because the attacker could not access that account, he provided a phony and incorrect confirmation code to the support person, who went ahead with the change anyway. The registrar initially refused to help when Baidu contacted Register.com after discovering the redirect attack.
-http://www.computerworld.com/s/article/9162118/Baidu_Registrar_incredibly_changed_our_e_mail_for_hacker?taxonomyId=17
Three Charged in Mass. ATM Skimming Scheme (February 24, 2010)
Three men have been charged in connection with an ATM skimming scheme resulting in the theft of more than US $137,000 from Massachusetts banks over a six-week period. The skimmers were affixed to Bank of America and Citizens Bank ATMs; they harvested data from the cards' magnetic stripes. The group allegedly also used hidden cameras to capture the cards' personal identification numbers. Ivaylo Hristov, Anton Venkov and Vladislav Vladev have been charged with bank fraud, aggravated identity theft and using counterfeit ATM cards. Hristov and Vladev were also charged with possession of device-making equipment. They each face up to 57 years in prison and US $1.25 million in fines. Venkov faces up to 42 years in prison and a US $1.25 million fine.
-http://www.theregister.co.uk/2010/02/24/atm_skimming_charges/
Adobe Fixes Critical Flaw in Download Manager (February 23 & 24, 2010)
Adobe has fixed a critical flaw in its Download Manager that could be exploited to install arbitrary software on vulnerable computers. Attackers would need to trick users into clicking on a maliciously crafted link on the adobe.com domain. Adobe Download Manager does not normally reside on users' computers. Instead, it installs when users are updating Adobe products and removes itself when the machine is restarted. The flaw affects all versions of Adobe Download Manager prior to the version released on February 23.
-http://www.theregister.co.uk/2010/02/23/adobe_download_peril_abated/
-http://www.h-online.com/security/news/item/Adobe-patches-critical-vulnerability-in-Download-Manager-938921.html
-http://www.adobe.com/support/security/bulletins/apsb10-08.html
Intel Acknowledges January Breach (February 23, 2010)
Intel has acknowledged in a Securities and Exchange Commission (SEC) filing that it was targeted by a "sophisticated" attack in January. The disclosure was made in a section of the filing that describes incidents and circumstances that could potentially have adverse effects on the company's bottom line. An Intel spokesperson says that while the attack occurred around the same time as the attacks against Google and other US companies, there is no hard evidence linking the Intel attack to the others. He also said that attackers attempt to gain access to Intel's systems on a "very regular" basis.
-http://www.theregister.co.uk/2010/02/23/intel_hacking_incident/
-http://www.msnbc.msn.com/id/35542493/ns/technology_and_science-security/
-http://content.usatoday.com/communities/technologylive/post/2010/02/intel-discloses-yet-another-corporate-network-breach/1
HHS Posts List of Reported Health Data Breaches (February 23, 2010)
The US Department of Health and Human Services (HHS) has posted a list of organizations that have suffered breaches of unsecured protected health information affecting 500 or more individuals. The posting of the list is required under the HITECH Act. HHS breach notification rules require that organizations report such breaches to HHS and the media within 60 days. Breaches affecting fewer than 500 people must be reported annually. The list includes 36 separate breaches and affects more than 1 million individuals; the majority of the breaches involved computer theft, unauthorized access and missing or stolen data storage devices.
-http://www.healthdatamanagement.com/news/breach_notification_security_hitech-39814-1.html
-http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html
**********************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/