SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XII - Issue #35

May 04, 2010

The window is closing on eligibility for this year's NAVY cyber ROTC scholarships and for places in the three cyber camps this summer. These are INCREDIBLE opportunities for young people who are talented in cyber security. The camps will give college kids visibility and opportunity. The scholarships will give people who are accepted to university, or who are already freshmen or sophomores, full scholarships and jobs. The first year of any program is always the easiest to get in, so if you know cyber-security talented college kids (or those heading for college in the fall) tell them to go visit uscyberchallenge.org so they don't miss this opportunity.

Alan

---

TOP OF THE NEWS

Treasury Department Web Sites Redirect Visitors to Malicious Sites
Chinese Government Requires Disclosure of Encryption Keys Prior to Product Purchase
Appeals Court Upholds Ruling Allowing Disclosure of Suspected Copyright Violators' Identities
USAF eMail Security Exercise has Unforeseen Consequences

THE REST OF THE WEEK'S NEWS

Opera Updates Browser to Fix Severe Vulnerability
Summit Aims to Foster International Discussion on Cyber Threats
Kernell Guilty on Two of Four Charges in Palin eMail Intrusion Case
Wiretaps Up 26 Percent in 2009
US Has Highest Data Breach Costs
Contractor Gets Five Years for Automated Clearing House Credit Union Thefts
Microsoft Suggests Workaround for SharePoint XSS Vulnerability
FEEDBACK ON HEALTH DATA SECURITY

---

**************** Sponsored By Trusted Computer Solutions ****************
Is your IT organization struggling to keep your enterprise servers compliant with DISA STIGs or other security policies? Could your organization pass a surprise security audit today? Security Blanket(r) performs fast, consistent, and repeatable operating system hardening to industry security settings in minutes, not days. Audit ready, all the time! Try Security Blanket for FREE.

http://www.sans.org/info/58673
*************************************************************************

TRAINING UPDATE
- -- SANS Security West 2010, San Diego, May 7-15, 2010 23 courses. Bonus evening presentations include Killer Bee: Exploiting ZigBee and the Kinetic World
http://www.sans.org/security-west-2010/

- -- SANSFIRE 2010, Baltimore, June 6-14, 2010 38 courses. Bonus evening presentations include Software Security Street Fighting Style and The Verizon Data Breach Investigations Report
http://www.sans.org/sansfire-2010/

- -- SANS Secure Europe Amsterdam 2010, June 21-July 3, 2010 8 courses.
http://www.sans.org/secure-amsterdam-2010/

- -- SANS Rocky Mountain 2010, Denver, July 12-17, 2010 8 courses. Bonus evening presentations include Hiding in Plain Sight: Forensic Techniques to Counter the Advanced Persistent Threat
http://www.sans.org/rocky-mountain-2010/

- -- SANS Boston 2010, August 2-8, 2010 11 courses. Special Events include Rapid Response Security Strategy Competition
http://www.sans.org/boston-2010/

- -- SANS Network Security 2010, Las Vegas, September 19-27, 2010 39 courses.
http://www.sans.org/network-security-2010/

Looking for training in your own community? http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/spring09.php

Plus Geneva, Toronto, Singapore and Canberra all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
*************************************************************************

---

TOP OF THE NEWS

Treasury Department Web Sites Redirect Visitors to Malicious Sites (May 3, 2010)

Several US Treasury Department web sites are redirecting visitors to other sites that try to install malware on their computers. The attack uses an embedded iframe in three Treasury web sites that invokes scripts from another site. The malware affects only computers that have not previously visited Treasury web sites. Evidence suggests that the attacks are related to the infections several weeks ago of sites hosted by Network Solutions. The affected treasury sites are all hosted by Network Solutions, and the owner of record of the malicious sites used in the attack is the same as the owner of record for the sites used in the previous attacks.
-http://www.theregister.co.uk/2010/05/03/treasury_websites_attack/
[Editor's Note (Pescatore): Government websites tend to have a higher than average level of security, but it is mainly because there are very few government web sites doing any kind of complex commerce or any actual transactions at all. They are mostly information publishing sites, where vulnerabilities are relatively easy to discover - if you are looking for them.
(Paller): The agency was directly following NIST guidance. Two and a half years after PCI required application security testing, and more than a year after a DHS web site tried to infect visitors' machines, NIST added the relevant control to 800-53. However, without explanation, NIST told agencies they did not have to apply that control for low risk systems. It is low risk systems at DHS and now Treasury that are infecting visitors' computers. This error reflects a fundamental lack of understanding of cyber threat at NIST. Only NSA, DHS, and the NIC-JTF have that knowledge. That the US House Science Committee in Congress continues to demand that NIST write security regulations for areas it doesn't understand demonstrates a level of disregard for national security that is breathtaking. ]

Chinese Government Requires Disclosure of Encryption Keys Prior to Product Purchase (April 29 & 30, 2010)

As of May 1, vendors of certain products who wish to continue doing business with government agencies in China are required to disclose specifics of the encryption technologies their products use. The requirements affect 13 technologies, including firewalls, routers, smartcards, database security tools, anti-spam products and intrusion detection products. Before these products can be sold to the Chinese government, they must be tested and certified by the country's Certification and Accreditation Administration (CNCA). There are concerns that the requirement would allow proprietary information to be leaked to Chinese competitors and that other countries may be wary of doing business with companies that disclose this sort of information to the Chinese government.
-http://www.nytimes.com/2010/05/01/business/global/01yuan.html?src=busln
-http://www.computerworld.com/s/article/9176138/New_China_encryption_rule_could_p
ose_headaches_for_U.S._vendors?taxonomyId=145
-http://www.theregister.co.uk/2010/04/29/china_security_know_how_rules/
[Editor's Note (Pescatore): Of course, the US Federal Government and many EU governments have requirements that certain products have to be certified under the National Infrastructure Assurance Program or Common Criteria evaluation regime, and standards like FIPS 140-2 for crypto code, and vendors have to give the testing labs all kinds of sensitive information and actual code to go through the testing. Now, under the Common Criteria evaluation scheme the labs are private firms but they are certified by government agencies. The real difference is that most of the rest of the world agreed to a *Common Criteria* evaluation regime with a lot of transparency. China is going in the exact opposite direction and vendors will face a lot of risk. ]

Appeals Court Upholds Ruling Allowing Disclosure of Suspected Copyright Violators' Identities (April 29, 2010)

The 2nd US Circuit Court of Appeals has upheld a ruling that allows the recording industry and other digital entertainment copyright holders to uncover the identities of users believed to be violating copyright law by sharing content through peer-to-peer (P2P) networks. The suit was brought by a student at the State University of New York (SUNY) at Albany seeking to stop a judge's order that his identity be turned over to the Recording Industry Association of America (RIAA) after the organization claimed it detected illegal filesharing activity on an IP address associated with the student.
-http://www.wired.com/threatlevel/2010/04/unmasking-copyright-scofflaws/

USAF eMail Security Exercise has Unforeseen Consequences (April 29, 2010)

As part of a planned security test examining how they would respond to phishing messages, airmen at Andersen Air Force Base in Guam received email messages telling them that Transformers 3 would be filming at the base. The messages said that the production was seeking airmen to serve as extras on the shoot and provided a link to a site that asked them for personal information. Many of the message recipients supplied the information to the website. Some airmen were excited enough about the prospect of being an extra in the film that they posted the information on the Internet. The news spread and caught the attention of local media, forcing the security testers to send out clarification that the messages had been part of a test.
-http://www.computerworld.com/s/article/9176155/US_Air_Force_phishing_test_transf
orms_into_a_problem
[Editor's Comment (Northcutt): This is a hard problem. It is pretty clear that security awareness alone is not effective. So you try inoculation, actually phishing, but in a controlled way. However, this is not the only time this has gone awry. In one company, they just ignored subsequent emails from the security department. Very clever phish though, I am sure people were excited about the opportunity to work around Megan Fox/ Mikaela Banes. Turns out the bloggers were picking up the post from "Supershaggy" to ComicBookMovies.com pretty fast.
-http://www.comicbookmovie.com/fansites/scoops/news/?a=17457]

---

**************************** Sponsored Links: **************************
1) SIEM 2.0 - VIEW Demo of SC Magazine's Best Buy and Innovator of the Year. http://www.sans.org/info/58683

2) Register for the SANS Penetration Testing & Vulnerability Assessment Summit before May, 5 2010 and save $350. http://www.sans.org/info/58688

3) Save $350 on the SANS Forensics and Incident Response Summit when you book by May, 26 2010. http://www.sans.org/info/58693
*************************************************************************

---

THE REST OF THE WEEK'S NEWS

Opera Updates Browser to Fix Severe Vulnerability (April 30 & May 3, 2010)

Opera has released an update to address an "extremely severe" vulnerability in the Mac and Windows versions of its browser. The flaw lies in a script that handles document files and could be exploited to inject and run code on vulnerable computers. Users need only visit specially crafted web pages for the exploit to be effective. Users are urged to update to Opera version 10.53.
-http://www.h-online.com/security/news/item/Opera-closes-extremely-severe-hole-99
1217.html
-http://www.securecomputing.net.au/News/173549,opera-posts-security-update-for-ap
ple-and-windows.aspx

Summit Aims to Foster International Discussion on Cyber Threats (May 2 & 3, 2010)

This week welcomes more than 400 government officials and executives from countries around the world who will meet in Dallas for the Worldwide Cybersecurity Summit. One of the goals of the meeting is to encourage officials to talk to each other about how to fight common cyber threats and develop ways to work together across geo-political borders. The event is organized by the EastWest Institute think tank.
-http://www.businessweek.com/ap/financialnews/D9FFB5G80.htm
-http://www.msnbc.msn.com/id/36903710/ns/technology_and_science-security/
-http://www.dallasnews.com/sharedcontent/dws/bus/stories/050210dnbuscybersecurity
.470ad32.html

Kernell Guilty on Two of Four Charges in Palin eMail Intrusion Case (April 30, 2010)

Former University of Tennessee student David Kernell has been found guilty on two of four counts in a case regarding his having broken into Sarah Palin's Yahoo mail account. The jury deliberated for four days before finding Kernell guilty of obstruction of justice and misdemeanor computer intrusion. Kernell was acquitted of a fraud charge and the jury was deadlocked on a charge of identity theft, for which he could be retried. Using publicly available information, Kernell broke into Palin's Yahoo mail account during the former Alaska governor's vice-presidential candidacy. Kernell was convicted of the obstruction of justice felony charge because he deleted evidence from his hard drive. Kernell could face up to 20 years in prison.
-http://www.wired.com/threatlevel/2010/04/kernell-guilty/
-http://news.bbc.co.uk/2/hi/americas/8655569.stm
-http://www.theregister.co.uk/2010/04/30/palin_jury_convicts/
-http://www.computerworld.com/s/article/9176183/Jury_convicts_Palin_e_mail_hacker
?taxonomyId=17

Wiretaps Up 26 Percent in 2009 (April 30, 2010)

Between 2008 and 2009, the number of wiretaps authorized by US state and federal judges rose 26 percent. No wiretap requests were refused. In 2009, there were 2,379 criminal wiretaps authorized, the vast majority of which were for mobile phones in drug cases. Each authorized wiretap captured communications of an average of 133 individuals; just 19 percent of the communications captured were incriminating. Each tap lasted an average of 42 days. In 2009, information gathered from the wiretaps led to 4,537 arrests and 678 convictions. Investigators came across just one instance of encrypted communications in the 2009 wiretaps, and were able to obtain plaintext versions of those messages. The statistics do not include terrorism-related wiretaps or wiretaps conducted through the National Security Agency's warrantless wiretapping program.
-http://www.wired.com/threatlevel/2010/04/wiretapping/

US Has Highest Data Breach Costs (April 30, 2010)

According to a study released by the Ponemon Institute, the cost associated with data breaches is higher in the US than in any other country. Overall, breach costs were higher in countries that have notification laws. The breach cost incurred by organizations in the US is 43 percent higher than the worldwide average. The average cost of a data breach per record is US $142 worldwide; the average cost of a data breach per record in the US is US $204. Last year, Germany passed a law that requires breach notification; costs associated with breaches there are the second highest in the world at US $177 per record. The cost per record in the UK is US $98; only public sector organizations and financial institutions are required to disclose data breaches. The highest overall cost associated with breaches was lost business. The study was sponsored by PGP.
-http://www.scmagazineus.com/us-organizations-face-the-highest-data-breach-costs/
article/169160/
[Editor's Note (Lee): The incredibly high cost of data breach incidents have backfired and resulted in many companies choosing to remain silent even though breach laws exist. In addition, victims are less willing to involve law enforcement if they intend to keep the event closely held. Even in business schools, the question of notification has been raised as a case study for future executives.
(Schultz): Why do the conclusions of this "research institute's" research so often coincide with the wishes of the sponsors' marketing organizations? ]

Contractor Gets Five Years for Automated Clearing House Credit Union Thefts (April 29 & 30, 2010)

Zeldon Thomas Morris has been sentenced to more than five years in prison for stealing US $2 million from banks while working as an IT administrator. Morris was a third-party contractor hired to help several credit unions upgrade their systems; because of his position, he was granted unrestricted local and remote access to their networks. Morris abused his position to conduct several Automated Clearing House (ACH) transactions, depositing the withdrawn funds into accounts he owned. By using phony or already used ACH "racing numbers," his activity went undetected. Morris was caught after his business partner alerted one of the credit unions of unusually large deposits being made to a joint business account. In addition to prison time, Morris was ordered to pay more than US $1.8 million in restitution and forfeit personal property.
-http://www.theregister.co.uk/2010/04/30/it_consultant_sentenced/
-http://www.computerworld.com/s/article/9176154/IT_contractor_gets_five_years_for
_2M_credit_union_theft?taxonomyId=82
[Editor's Note (Northcutt): Short sentence; he was facing 30 years.
-http://www.deseretnews.com/article/1,5143,705296414,00.html]

Microsoft Suggests Workaround for SharePoint XSS Vulnerability (April 30, 2010)

Microsoft has issued a warning about a zero-day cross-site scripting (XSS) vulnerability in SharePoint products. For the attack to work, users must be manipulated into clicking on a maliciously crafted link. The flaw can be exploited to steal information from vulnerable servers. Microsoft is suggesting that until a fix is ready, users apply an interim workaround that involves disabling the SharePoint help system. Microsoft is also recommending that users run Internet Explorer 8 (IE 8), because it contains a XSS filter. Administrators will need to change the browser's settings to turn on the filter for the Local Intranet security zone.
-http://www.h-online.com/security/news/item/Microsoft-issues-warning-about-XSS-ho
le-in-SharePoint-990812.html
-http://www.computerworld.com/s/article/9176174/Microsoft_issues_work_around_advi
ce_for_SharePoint_zero_day?taxonomyId=85s

FEEDBACK ON HEALTH DATA SECURITY

In the last edition of NewsBites Stephen Northcutt asked for insights into the state of health care medical records security. Here is a summary of what we have learned from your responses. We thank you for sharing your insights with us:

* In health care access and availability trump access control, they are in the business of saving lives * Most modern medical records system include some access control monitoring capability * The majority of the people that wrote in are concerned there are insufficient controls in place especially as records are exchanged between organizations * Two responders are considering the use of the FairWarning applicance * One responder suggests considering the work of the HITRUST Alliance * One responder suggests Iatric * One responder suggests Varonis DatVantage * One responder is considering the use of ArcSight for additional oversight

---

**********************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/