SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XII - Issue #32

April 23, 2010

If you work in the federal cyber security space, or in any organization subject to FISMA regulation, the first story in Top of the News reports the most sweeping changes in FISMA regulation since the law was written. Huge opportunities for contractors who get on board fast. End of the road for contractors who try to keep producing paper reports.

The two most important meetings on pen testing are both happening in June in the Baltimore area. If you have a security clearance and you are actively using pen testing for the military, try to get a seat at NSA's ReBl [Red Blue] symposium. NSA is the most respected government knowledge source for penetration testing and vulnerability assessment, and they have done a great job of sharing that knowledge. At ReBl the top government researchers share what they are learning. In the same city (Baltimore) on June 14-15 (just before ReBl) is the workshop where the most advanced new techniques are discussed in an unclassified setting. It's called the Pen Testing Summit. See: http://www.sans.org/pen-testing-summit-2010/

A preview webcast (free) for the Summit will be offered on Monday April 26 at 1 PM (EDT) when Josh Wright and Ed Skoudis will provide some of the coolest new data on how crypto is being used in advanced pen testing. Register at https://www.sans.org/webcasts/pen-test-vuln-assessment-summit-preview-essential-
crypto-pen-testers-math-required-93428

Alan

---

TOP OF THE NEWS

OMB Memo Describes New Direction for Federal Cyber Security
Google Attackers Reportedly Stole Single Sign-On Source Code
Researchers' GSM Network Exploits Pull Sensitive Information on Cell Phone Users

THE REST OF THE WEEK'S NEWS

McAfee Anti-Virus Update False Positive Causes Endless Boot Loop for XP SP3 Users
Microsoft Working on Third Fix for Cross-Site Scripting Filter
20 Critical Security Controls Informs State Dept's Successful Security Risk Reduction Program
Google Looking Into Increased Pharmaceutical Spam Through Gmail
Mozilla Disabling Java Development Toolkit to Protect Users From Attacks
Former Analyst/Trader Arrested for Alleged Trading Code Thefts
Two Arrested In Connection with Fraud-Enabling Site
Discarded Copiers Hold Sensitive Data on Hard Drives

---

**************** Sponsored By Trusted Computer Solutions ****************
Are your IT systems exposed because your operating systems are not sufficiently locked down? Let Security Blanket create a secure foundation by ensuring systems are automatically and consistently hardened to industry standards such as DISA STIGs, and SANS CAG Top 20 Critical Controls. Security Blanket has got you covered. Try it out for FREE today!
http://www.sans.org/info/58318
*************************************************************************

TRAINING UPDATE
-- SANS Security West 2010, San Diego, May 7-15, 2010 23 courses. Bonus evening presentations include Killer Bee: Exploiting ZigBee and the Kinetic World
http://www.sans.org/security-west-2010/

-- SANSFIRE 2010, Baltimore, June 6-14, 2010 38 courses. Bonus evening presentations include Software Security Street Fighting Style and The Verizon Data Breach Investigations Report
http://www.sans.org/sansfire-2010/

-- SANS Secure Europe Amsterdam 2010, June 21-July 3, 2010 8 courses.
http://www.sans.org/secure-amsterdam-2010/

-- SANS Rocky Mountain 2010, Denver, July 12-17, 2010 8 courses. Bonus evening presentations include Hiding in Plain Sight: Forensic techniques to Counter the Advanced Persistent Threat
http://www.sans.org/rocky-mountain-2010/

-- SANS Boston 2010, August 2-8, 2010 11 courses. Special Events include Rapid Response Security Strategy Competition
http://www.sans.org/boston-2010/

Looking for training in your own community? http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/spring09.php

Plus Toronto, Singapore and Canberra all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
*************************************************************************

---

TOP OF THE NEWS

OMB Memo Describes New Direction for Federal Cyber Security (April 21, 2010)

The White House is taking bold steps to improve cyber security requirements for government agencies while legislators and the National Institute of Standards and Technology (NIST) ponder changes to the Federal Information Security Management Act (FISMA) that has proven to be a financial drain - costing as much as US $1,400 a page for the paperwork necessary for compliance. Guidance in a memo from the Office of Management and Budget (OMB) says that government agencies will be required to feed real-time data to a web-based gateway called CyberScope, maintained by the Department of Homeland Security. The White House will meet with agencies on May 7 to begin training. Data feeds are expected to begin as soon as June 2010.
-http://www.nextgov.com/nextgov/ng_20100421_5175.php?oref=topstory
-http://www.informationweek.com/news/government/security/showArticle.jhtml?articl
eID=224500173&subSection=News
OMB Memo:
-http://www.whitehouse.gov/omb/assets/memoranda_2010/m10-15.pdf
[Editor's Note (Skoudis): It's good to see efforts to move to more of a real-time feed of actionable knowledge, rather than a paper-based exercise with far less value. ]

Google Attackers Reportedly Stole Single Sign-On Source Code (April 19 & 21, 2010)

The cyber attacks on Google's corporate systems disclosed in January apparently targeted a password system, according to an unidentified person with knowledge of the internal investigation. The system, code-named Gaia, controls users' access to the majority of Google's web services. The Single Sign-On system, as it is now known, allows users to sign in once to access many services. The attackers appear to have been after the software, not user passwords. Google has been bolstering the security of its systems in the wake of the attacks. The attackers appear to have made their initial foothold in Google systems through an employee in China using Microsoft Messenger. From there, the intruders maneuvered their way into a Google software repository used by the company's development team. The theft could spell long-term liability problems for Google.
-http://www.nytimes.com/2010/04/20/technology/20google.html?src=me&ref=techno
logy
-http://content.usatoday.com/communities/technologylive/post/2010/04/liability-is
sues-raised-over-google-gaia-system-hack-/1

Researchers' GSM Network Exploits Pull Sensitive Information on Cell Phone Users (April 22, 2010)

Researchers Nick DePetrillo and Don Bailey have found a way to use weaknesses in GSM mobile networks to discover most US cell phone users' phone numbers, listen to their voice mail and track the location of almost any GSM-enabled devices in the world. Their technique involves tricking the GSM caller ID system into providing a virtual phone book of all cell phone numbers. The technique is not illegal, nor does it breach terms of service agreements. DePetrillo and Bailey presented their findings at a recent conference in Boston.
-http://www.theregister.co.uk/2010/04/22/gsm_info_disclosure_hack/
-http://news.cnet.com/8301-27080_3-20002986-245.html
[Editor's Note (Skoudis): This is indeed a startling flaw. The more researchers peel back the curtain on mobile phone security, the worse it looks. I was working at Bellcore when a lot of this stuff was deployed in the early and mid 1990's. I remember major security efforts then were targeted at preventing bad guys from listening to cell phone calls. But, the infrastructure was never built to stop data leakage and other attacks. ]

---

**************************** Sponsored Links: ***************************
1) Just added: 2 bonus sessions at this year's SANS Security Architecture Summit April 24th -26th in Las Vegas. http://www.sans.org/info/58323

2) The 2010 SANS What Works in Penetration Testing & Vulnerability Assessment Summit features an agenda loaded with brand-new talks from the best penetration testers and vulnerability assessment leaders in the world. http://www.sans.org/info/58328

3) Save $350 on the SANS Forensics and Incident Response Summit when you book by May, 26 2010. http://www.sans.org/info/58333
*************************************************************************

---

THE REST OF THE WEEK'S NEWS

McAfee Anti-Virus Update False Positive Causes Endless Boot Loop for XP SP3 Users (April 21 & 22, 2010)

A recent McAfee anti-virus software update is returning false positives that are causing problems on systems running Windows XP SP3. The problem appears to be that McAfee is flagging the system file svchost.exe as malicious, misidentifying it as a virus named W32.Wecorl.a. The problem affects the antivirus update (DAT 5958) released on April 21. The resulting problem is that machines are forced into an endless boot loop. McAfee is recommending that users download an updated anti-virus signature (DAT 5959) on an unaffected computer, copy it to a USB drive, start the affected machine in safe mode with network support and install the new signature. The problem does not appear to be fixable from a central management console; each computer is estimated to take about 30 minutes to fix.
-http://krebsonsecurity.com/2010/04/mcafee-false-detection-locks-up-windows-xp/
-http://www.h-online.com/security/news/item/McAfee-signature-update-takes-down-Wi
ndows-systems-983693.html
-http://lastwatchdog.com/mcafee-error-triggers-massive-manual-pc-clean-up/#more-4
797
-http://www.computerworld.com/s/article/9175910/Few_answers_after_McAfee_antiviru
s_update_hits_Intel_others
Internet Storm Center was the first to report this:
-http://isc.sans.edu/diary.html?storyid=8671
-http://isc.sans.edu/diary.html?storyid=8656
[Editor's Note (Skoudis): We've been warning people in enterprises for years that they _must_ test AV updates in their labs before pushing them to their enterprise. Every year or two, one of the major AV vendors pushes a disastrous update. Here is another reminder.
(Schultz): It is very difficult to understand how a major AV vendor could allow such a major flaw to slip through its testing and quality assurance processes without being flagged. And--if 30 minutes per computer proves to be the actual time required to fix each computer, the amount of labor spent by organizations that use this vendor's product will be astronomical. ]

Microsoft Working on Third Fix for Cross-Site Scripting Filter (April 20 & 21, 2010)

Microsoft is working on another fix for a vulnerability in the cross-site scripting (XSS) filter in Internet Explorer 8 (IE 8). Ironically, the filter could be exploited to allow XSS attacks on sites that are not otherwise vulnerable. Microsoft has fixed the filter twice this year already, but those fixes have been shown to allow injected threats. The new fix is scheduled for June. The fact that a feature designed to protect users from attacks has been fixed twice already because it has presented additional vectors of attack raises questions about whether the feature should be removed from IE 8. Microsoft's David Ross believes that the protection offered against standard XSS attacks outweighs the dangers posed by the vulnerabilities in the filter.
-http://www.theregister.co.uk/2010/04/20/microsoft_ie_xss_fix/
-http://www.h-online.com/security/news/item/Microsoft-to-fix-further-vulnerabilit
ies-in-IE-8-XSS-filter-982864.html
[Editor's Note (Skoudis): I'm glad that Microsoft finally incorporated an XSS script filter in IE. But, I was playing with it in the lab about a month ago, sending all kinds of malicious scripts to it. I found that it was actually hard to get it to trigger on any of my malicious scripts. I wasn't even _trying_ to evade it, but it took some really blatant attacks before it actually engaged. ]

20 Critical Security Controls Informs State Dept's Successful Security Risk Reduction Program (April 20, 2010)

The US State Department's cyberspace monitoring strategy was designed with the 20 "Critical Controls in mind," says the department's Chief Information Security Officer John Streufert. Streufert's team analyzed 1,700 unclassified attacks from the 11 months prior to 2009 for connections to the controls and found they applied. The team then turned to penetration testing and found that 80 percent of attacks deemed successful exploited known vulnerabilities. He then automated monitoring of the key controls, highlighted every office in State that was doing well and badly, motivating them to improve security, and reduced risk by over 90% across all offices around the world.
-http://cybersecurityreport.nextgov.com/2010/04/state_dept_success_revealed.php
[Editor's Note (Paller): An interactive guide to the tools that automate the 20 Critical Security Controls can be found at
-http://www.sans.org/critical-security-controls/interactive.php
If a tool is there, it plays an important role in automating one or more of the 20 critical controls. ]

Google Looking Into Increased Pharmaceutical Spam Through Gmail (April 20, 2010)

Google is investigating reports that some Gmail accounts have been hijacked and used to send pharmaceutical-touting spam. The accounts appear to have been accessed through Gmail's mobile interface. There has been some speculation among users about a possible bug in the mobile interface, but Google says that its "investigations has not given any indication of a bug in Gmail, either in the mobile interface or otherwise." Users who believe their Gmail accounts have been compromised are urged to change their passwords and to follow advice found at
-http://www.google.com/help/security/.
The spam attack does not appear to be connected to the Gaia code attack. One woman whose entire contact list was spammed said the messages were sent from a mobile connection in Serbia.
-http://www.computerworld.com/s/article/9175857/Drug_dealing_spammers_hit_Gmail_a
ccounts?source=rss_news

Mozilla Disabling Java Deployment Toolkit to Protect Users From Attacks (April 20, 2010)

Mozilla is taking steps to protect Firefox users from a zero-day vulnerability in the Java Deployment Toolkit by disabling older versions of the plug-in. The flaw is being actively exploited and can lead to malicious code being installed on vulnerable computers. Oracle pushed out a fix for the flaw on April 15, but Mozilla developers remained concerned that the problem was not adequately addressed for all Firefox users as, in some cases, the patch from Oracle does not remove older, vulnerable versions of the plug-in.
-http://krebsonsecurity.com/2010/04/mozilla-disables-insecure-java-plugin-in-fire
fox/
[Editor's Note (Northcutt): This is a tricky one. According to CERT there may be problems with the installer. I have a few links below with more information, the first one is pretty nifty, it is Mozilla's list of pesky plugins:
-http://www.mozilla.com/en-US/blocklist/
-http://www.f-secure.com/weblog/archives/00001937.html
-http://www.kb.cert.org/vuls/id/886582
-http://kb.mozillazine.org/Plugin_scanning]

Former Analyst/Trader Arrested for Alleged Trading Code Thefts (April 19 & 20, 2010)

A former Societe Generale quantitative analyst and commodities trader has been arrested for allegedly stealing high-frequency trading software code from his former employer. Samarth Agrawal worked at the New York offices of the Paris-based bank. Less than a year ago, former Goldman Sachs computer programmer Sergey Aleynikov was arrested for stealing similar software from that company. The US Securities and Exchange Commission (SEC) is investigating the use of high-frequency trading software due to concerns that it may allow its users an unfair advantage over competitors. In any case, theft of the proprietary code is illegal.
-http://www.wired.com/threatlevel/2010/04/bankerarrested/?utm_source=feedburner&a
mp;utm_medium=feed&utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+Index+3+%2
8Top+Stories+2%29%29
-http://www.businessweek.com/news/2010-04-19/ex-societe-generale-trader-accused-o
f-stealing-computer-code.html

Two Arrested In Connection with Fraud-Enabling Site (April 19, 2010)

Two men have been arrested in Eastern Europe in connection with a website that peddled services to aid identity thieves. Dmitry Naskovets and Sergey Semashko were both arrested on April 15 -- Naskovets in the Czech Republic and Semashko in Belarus. According to Naskovets's indictment, the two men allegedly launched the website, CallService.biz, in Lithuania in 2007. The site offered services of people who spoke fluent English and German to help people with their fraud schemes - sometime financial institutions require telephone authorizations to authorize transactions. The site allegedly helped more than 2,000 people commit more than 5,000 fraudulent transactions. The FBI has seized the website. US authorities are seeking to extradite Naskovets, and Semashko is facing charges in Belarus.
-http://www.wired.com/threatlevel/2010/04/callservicebiz/
-http://newyork.fbi.gov/dojpressrel/pressrel10/nyfo041910b.htm

Discarded Copiers Hold Sensitive Data on Hard Drives (April 15, 2010)

A CBS news investigation found that the hard drives of four digital copy machines purchased second hand at a New Jersey warehouse contained treasure troves of personally identifiable information, including police files on domestic violence and sex crimes; copies of pay stubs and checks; and sensitive medical information such as test results, prescriptions and diagnoses. Each machine cost approximately US $300. A survey conducted by Sharp two years ago indicated that 60 percent of Americans do not know that copiers store images on their hard drives.
-http://www.cbsnews.com/stories/2010/04/19/eveningnews/main6412439.shtml
[Editor's Note (Northcutt): This has been the hot topic of the GIAC Advisory board for today. Anything with a hard drive can be scoured for information even if you believe the drive is damaged, it should be cleared, degaussed or destroyed. ]

---

**********************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/