SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XII - Issue #20

March 12, 2010

Utility executives just received the March-April EnergyBiz magazine with the article (page 47) on the advanced persistent threat inside utilities. It is called "Utilities are Contested Territory" and you can find it at http://www.nxtbook.com/nxtbooks/energycentral/energybiz0310/index.php?startid=47

To clear up confusion about the two SANS programs where security breaches at US utilities will be discussed:

1. The SCADA Security Summit (where the FBI will share much of what they have seen and the two principal experts who best understand the advanced persistent threat inside utilities will share what they are seeing) is open to everyone. That program also includes the important new NERC security risk workshop, two free courses offered by DHS, and two SANS immersion courses, plus sessions on automated policy monitoring, grid security, and more. To register for the conference go to http://www.sans.org/scada-security-summit-2010/

2. The webcast on the 19th, focusing only on the APT, is EXCLUSIVELY for employees of US utilities. To get credentials for the webcast email apaller@sans.org

Late breaking news. Josh Wright, the nation's top wireless security expert just agreed to use the SCADA Security Summit to release information on the important new wireless security problem for control systems in the grid.

Alan

---

TOP OF THE NEWS

Intelligence Data Aggregation Difficulties Blamed on Policy and Privacy Issues
LifeLock Pays US $12 Million to Settle FTC Charges

THE REST OF THE WEEK'S NEWS

HSBC Apologizes to 24,000 Customers for Data Theft
Allaple Worm Author Sentenced
Second Man Sentenced for TJX Attacks
Pennsylvania State CISO Loses Job After Speaking on Panel at RSA
Former TSA Employee Allegedly Attempted to Infect Computer Systems
Zeus Botnet Takedown Short-Lived
BT Chief Speaks Out Against Suspending Filesharers' Internet Service
Google in Talks With Chinese Government; Development Expected "Soon"
Twitter Launches URL Screening Service
Microsoft Releases Two Security Bulletins
Exploit Code Released for Critical IE Flaw

---

*************** Sponsored By Trusted Computer Solutions ****************

Is your IT organization struggling to keep your enterprise servers in compliance with security policy? Could your organization pass a surprise security audit today? Security Blanket performs fast, consistent, and repeatable operating system lock down to industry or custom security settings in minutes, not days. Audit ready, all the time! Try Security Blanket for FREE.
http://www.sans.org/info/56118

*************************************************************************

TRAINING UPDATE

-- SANS Northern Virginia Bootcamp 2010, April 6-13
Bonus evening presentations include Safe Surfing: How to Surf the Net Without Getting PWND
http://www.sans.org/reston-2010/

-- SANS Security West 2010, San Diego, May 7-15, 2010
23 courses. Bonus evening presentations include Killer Bee: Exploiting ZigBee and the Kinetic World
http://www.sans.org/security-west-2010/

-- SANSFIRE 2010, Baltimore, June 6-14, 2010
38 courses. Bonus evening presentations include Software Security Street Fighting Style and The Verizon Data Breach Investigations Report
http://www.sans.org/sansfire-2010/

-- SANSFIRE Rocky Mountain 2010, Denver, July 12-17, 2010 8 courses. Bonus evening presentations include Hiding in Plain Sight: Forensic Techniques to Counter the Advanced Persistent Threat
http://www.sans.org/rocky-mountain-2010/

-- SANS Boston 2010, August 2-8, 2010 11 courses
http://www.sans.org/boston-2010/

Looking for training in your own community? http://sans.org/community/
Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/spring09.php
Plus Dubai, Geneva, Toronto, Singapore and Brisbane all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

*************************************************************************

---

TOP OF THE NEWS

Intelligence Data Aggregation Difficulties Blamed on Policy and Privacy Issues (March 10, 2010)

Testifying at a Senate Homeland Security and Governmental Affairs Committee hearing, deputy director of information sharing and knowledge development at the National Counterterrorism Center Russell Travers said that policy and privacy issues, not technology, are hindering the government's "ability to search and aggregate information" that might help identify terrorist suspects. The issues put constraints on how officials can use the data, because agencies that gather foreign intelligence cannot engage in domestic spying. However, committee chair Senator Joe Lieberman (I-Conn.) said that at an earlier hearing, the center's director said that the problems were technological.
-http://www.nextgov.com/nextgov/ng_20100310_9102.php?oref=topnews
-http://fcw.com/articles/2010/03/10/web-nctc-counterterrorism-technology.aspx
[Editor's Note (Pescatore): Imagine a see-saw, or teeter-totter. On one side of that put the privacy controls as hindrance to intelligence agencies sharing data. Now, drop the inter-agency organizational barriers to sharing information onto the other side, and watch the privacy barriers get launched up in the air and fly into outerspace. ]

LifeLock Pays US $12 Million to Settle FTC Charges (March 9 & 10, 2010)

LifeLock has agreed to pay the US Federal Trade Commission and 35 states' attorneys general US $12 million to settle charges that the Arizona-based company used phony claims to entice consumers to purchase its identity theft protection services. LifeLock is widely known for displaying the CEO's Social Security number (SSN) on billboards. US $11 million of the fine will be used to refund LifeLock subscribers' payments. Among the false claims were assurances that the information subscribers provided to LifeLock would be held securely; in fact, none of the data the company stored were encrypted, either in storage or in transit, and the company did not limit access to the data on a need-to-know basis. In addition, LifeLock lacked up-to-date software patches.
-http://www.ftc.gov/opa/2010/03/lifelock.shtm
-http://www.wired.com/threatlevel/2010/03/lifelock-accused-of-running-con-operati
on/
-http://www.computerworld.com/s/article/9168098/Update_LifeLock_to_pay_12M_to_set
tle_FTC_states_complaint?taxonomyId=17
-http://redtape.msnbc.com/2010/03/lifelock-settles-deceptive-advertising-case-wit
h-ftc-ags.html
-http://www.informationweek.com/news/security/storage/showArticle.jhtml?articleID
=223400055
-http://www.theregister.co.uk/2010/03/09/lifelock_settlement/

---

*************************** Sponsored Links ***************************

1) Hear the experts talk about the Advanced Persistent Threat at the Process Control and SCADA Summit March 29-30.
http://www.sans.org/info/56123

2) Register for SANS Analyst Program Webcast: Calculating TCO with Adaptive IPS sponsored by Sourcefire.
Click here: http://www.sans.org/info/56128

3) Sign up today for SANS Webcast: Privileged User Monitoring: Automating Compliance & Managing Risk sponsored by LogRhythm.
Go to http://www.sans.org/info/56133

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

HSBC Apologizes to 24,000 Customers for Data Theft (March 11, 2010)

HSBC has revised the number of customer records compromised by a former employee upward to 24,000. Initially, the bank said that fewer than 10 customers were affected by the data theft. Later, that number was revised to 15,000, and now it appears that an additional 9,000 accounts were compromised. The data were stolen by a former bank employee who attempted to sell the information. The bank does not believe that the stolen information would allow unauthorized access to the accounts, but it could leave account holders open to prosecution for tax evasion. The former employee, Herve Falciani, allegedly copied the data onto a non-bank-issued computer.
-http://www.v3.co.uk/computing/news/2259370/hsbc-theft-affects-thousands
-http://www.irishtimes.com/newspaper/breaking/2010/0311/breaking43.html
-http://www.computerworld.com/s/article/9169218/HSBC_Data_theft_incident_broader_
than_first_thought?taxonomyId=17
[Editor's Note (Schultz): A recent study showed that 59 percent of ex-employees of organizations admit that they have taken some of their organization's data with them when they left. ]

Allaple Worm Author Sentenced (March 11, 2010)

An Estonian man has been sentenced to 31 months in prison for creating the Allaple worm that infected computers and used them to launch distributed denial-of-service (DDoS) attacks. Artur Boiko chose the targets of the attacks, an insurance company and an Internet service provider (ISP); Boiko was involved in a dispute with insurance company over a car accident claim. Boiko reportedly created several versions of the worm, which was considered as an aggravating factor in determining the length of his sentence. He has also been ordered to pay restitution of 5.1 million Kroons (US $446,000) to the insurance company and 1.4 million Kroons (US $122,000) to the ISP.
-http://www.theregister.co.uk/2010/03/11/allaple_ddos_vxer_jailed/

Second Man Sentenced for TJX Attacks (March 11, 2010)

Humza Zaman has been sentenced to 46 months in prison for his role in the attacks on computer systems at TJX, Office Max, Heartland Payment Systems and other companies. Zaman was charged with laundering hundreds of thousands of dollars for Albert Gonzalez, who is believed to be the mastermind behind the attacks that stole information on more than 100 million payment cards. Zaman has also been ordered to pay a US $75,000 fine. In April he pleaded guilty to one count of conspiracy. He was formerly employed as a programmer at Barclays Bank. Gonzalez is currently awaiting sentencing. Another man involved in the scheme, Stephen Watt, was sentenced to two years in prison late last year.
-http://www.wired.com/threatlevel/2010/03/tjx-conspirator-sentenced-to-46-month/

Pennsylvania State CISO Loses Job After Speaking on Panel at RSA (March 10 & 11, 2010)

Robert Maley, Pennsylvania's former chief information security officer (CISO), lost his job ostensibly because he spoke about a security incident with the Commonwealth's online driving test system without obtaining approval in advance. The Commonwealth requires that employees get permission to speak about official matters before making public statements about them. A spokesperson for Pennsylvania Governor Edward Rendell acknowledged that Maley no longer works for the Commonwealth, but declined to offer any details, citing Commonwealth privacy rules. Maley spoke on a panel of state CISOs at the RSA conference about an incident in which a driving school allegedly discovered and exploited an "anomaly" in the state driver's license test scheduling system that allowed it to bump its students to the front of the queue.
-http://www.scmagazineus.com/pennsylvania-ciso-out-of-a-job-following-rsa-confere
nce-appearance/article/165524/
-http://www.computerworld.com/s/article/9169098/Pennsylvania_fires_CISO_over_RSA_
talk
-http://blogs.govinfosecurity.com/posts.php?postID=478
-http://www.pennlive.com/midstate/index.ssf/2010/03/pennsylvanias_web_security_of
f.html
[Editor's Note (Pescatore): If he violated rules about getting approval, you can't argue about some form of punishment. If there had been previous warnings and other violations of policy, firing might be justified. But, unless there is all that history, firing someone for talking at this level about a security incident shows a misguided belief in security through obscurity.

(Ranum): By firing him, they have given the "anomaly" more publicity than if they did a press release about it. ]

Former TSA Employee Allegedly Attempted to Infect Computer Systems (March 10 & 11, 2010)

A former US Transportation Security Administration (TSA) employee has been indicted by a federal jury in Denver for alleged database tampering. On Tuesday, March 9, Douglas James Duchak was charged with two counts of attempting to damage protected TSA computers. The following day, he pleaded not guilty in US District Court. If he is found guilty, he faces up to 10 years in prison and a fine of up to US $500,000. Duchak was employed for more than five years as an analyst at the TSA's Colorado Springs Operation Center (CSOC). He was informed last October 15 that he was being let go; the following week, he allegedly uploaded malicious code to a terrorism database. Duchak was indicted on two counts. The first alleges that he injected unauthorized code into CSOC server that holds the US Marshall's Service Warrant Information Network; the second alleges that he attempted to load malware into a server that holds the Terrorist Screening Database.
-http://www.informationweek.com/news/government/security/showArticle.jhtml?articl
eID=223500107
-http://denver.fbi.gov/dojpressrel/pressrel10/dn031010.htm
-http://www.msnbc.msn.com/id/35803009/ns/technology_and_science-security/
-http://www.computerworld.com/s/article/9169019/Former_TSA_analyst_charged_with_c
omputer_tampering?taxonomyId=17
-http://www.wired.com/threatlevel/2010/03/tsa-worker-charged-with-attempted-sabot
age/

Zeus Botnet Takedown Short-Lived (March 10, 11 & 12, 2010)

Less than a day after the outage of the Troyak ISP appeared to have hobbled the Zeus botnet by disabling 100 of its command and control servers, the ISP has found a new upstream provider and roughly one-third of the disabled command and control servers are again functioning. The short-lived outage was believed to have cut off at least 25 percent of Zeus command and control servers. It is unclear if Troyak's outage was the result of law enforcement action, researchers, or even the criminal themselves; a Troyak spokesperson said the outage was caused by an administrative error.
-http://www.theregister.co.uk/2010/03/11/zeus_botnets_resurrected/
-http://www.computerworld.com/s/article/9169118/After_takedown_botnet_linked_ISP_
Troyak_resurfaces?taxonomyId=17
-http://www.nzherald.co.nz/technology/news/article.cfm?c_id=5&objectid=106315
39
-http://www.theregister.co.uk/2010/03/10/massive_zeus_takedown/

BT Chief Speaks Out Against Suspending Filesharers' Internet Service (March 10, 2010)

Ian Livingston, CEO of British Telecom, said that illegal file sharers should be fined instead of having their Internet service suspended. He and other industry voices wrote a letter to the Financial Times, urging MPs to change a proposed amendment to the Digital Economy Bill that would require ISPs to suspend the accounts of persistent filesharers. Livingston notes that cutting off service could penalize entire families or small businesses for the actions of one individual.
-http://news.bbc.co.uk/2/hi/technology/8559059.stm
-http://www.ft.com/cms/s/0/959fa18e-2d3c-11df-9c5b-00144feabdc0.html

Google in Talks With Chinese Government; Development Expected "Soon" (March 10, 2010)

Google CEO Eric Schmidt said his company is in talks with the Chinese government, but did not elaborate on the content of those talks beyond acknowledging that it is discussing "the basis on which we could operate an unfiltered search engine within the law, if at all." Schmidt said that "something will happen soon." He did clarify that Google's talks with the Chinese government do not involve the US government. Earlier this year, Google threatened to pull its operations out of China altogether in the wake of cyber attacks that gained access to internal company systems. Google also said it planned to stop censoring Internet search results in China.
-http://www.theregister.co.uk/2010/03/10/google_china_resolution_coming_soon/
-http://www.msnbc.msn.com/id/35804055/ns/technology_and_science-security/

Twitter Launches URL Screening Service (March 9, 10 & 11, 2010)

Twitter has launched a new service to protect users from malicious links. All links submitted to Twitter will now be sent though a screening process that checks them against a blacklist of known malicious sites. If users click on a link that Twitter has determined is risky, users will be alerted with a warning screen. The new service will let Twitter block malicious links even after they have been sent out in email notifications.
-http://www.scmagazineus.com/twitter-to-vet-links-with-goal-of-curbing-phishing-a
ttacks/article/165475/
-http://www.computerworld.com/s/article/9168378/Twitter_to_begin_screening_some_l
inks_for_phishing?taxonomyId=17
-http://www.h-online.com/security/news/item/Twitter-to-detect-intercept-and-preve
nt-bad-links-950750.html
-http://www.thetechherald.com/article.php/201010/5360/Twitter-launches-its-own-UR
L-service-as-a-security-measure
[Editor's Note (Pescatore): A good start; bit.ly did something similar last year. The true test will be when Twitter has to block links to advertisers with compromised sites. ]

Microsoft Releases Two Security Bulletins (March 9 & 10, 2010)

On Tuesday, March 9, Microsoft released two security bulletins to fix a total of eight remote code execution vulnerabilities, one in Windows Movie Maker and seven in Excel. Both updates have maximum severity ratings of important. A vulnerability that affects Windows Help and VBScript remains unpatched.
-http://www.h-online.com/security/news/item/Microsoft-closes-seven-holes-in-Excel
-950393.html
-http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?a
rticleID=223300150
-http://www.microsoft.com/technet/security/bulletin/ms10-mar.mspx
-http://isc.sans.org/diary.html?storyid=8392

Exploit Code Released for Critical IE Flaw (March 9, 10 & 11, 2010)

Microsoft has issued an advisory warning of a critical flaw in Internet Explorer (IE). The remote code execution vulnerability is already being actively exploited in targeted attacks. Exploit code for the vulnerability has been released, and antivirus companies have been reporting drive-by attacks that exploit the flaw. The flaw does not affect IE 8 or IE 5.01. Microsoft has suggested several workarounds for users to apply until a fix is available.
-http://www.computerworld.com/s/article/9169258/IE_zero_day_exploit_code_goes_pub
lic?taxonomyId=17
-http://news.zdnet.co.uk/security/0,1000000189,40082404,00.htm
-http://www.h-online.com/security/news/item/Attacks-on-newly-discovered-vulnerabi
lity-in-IE-6-and-7-950737.html
-http://www.h-online.com/security/news/item/Exploit-for-new-IE-hole-952183.html
-http://news.cnet.com/insecurity-complex/?tag=rb_content;overviewHead
-http://www.microsoft.com/technet/security/advisory/981374.mspx
-http://isc.sans.org/diary.html?storyid=8398

---

**********************************************************************
The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.

Alan Paller is director of research at the SANS Institute

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/