SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XII - Issue #39

May 18, 2010

If you want to know how good you (or your people) are in cyber forensics, sign up for the 2010 DC3 (Defense Cyber Crime Center) Digital Forensics Challenge. Great rewards in recognition and free travel to the national cyber crime conference.

Register at: http://www.dc3.mil/challenge/2010/

---

TOP OF THE NEWS

Google Admits Error in Collecting Wi-Fi Data and Fixes the Problem
Judge Orders Gizmodo Warrant Docs Unsealed
Researchers to Present Paper on Security Issues in Cars' Computer Systems

THE REST OF THE WEEK'S NEWS

Browsers Provide Information that Helps Identify Users
School District Must Notify Students Whose Pictures Were Taken with Surveillance Software
Federal Employees Using Unsecure File Transfer Methods
Malware-Harboring ISP Taken Offline
Former Security Guard Admits to Cyber Intrusions at Dallas Medical Facility
Latvian Government Salary Whistleblower Identified
Indian Police Arrest Man in Connection with Gonzalez's Payment Card Theft Ring
Chinese Man Convicted on Encryption Equipment Smuggling Charges

---

*********************** Sponsored By zScaler ****************************
ALERT: THE HIDDEN DANGERS BEHIND YOUR FAVORITE SEARCH ENGINE. Hackers are exploiting search engines to infect your PCs and smart phones - do not let your company become the next victim. Join us for an EDUCATIONAL WEBCAST on May 26 - keynote by Peter Firstbrook, GARTNER.

Register here: http://www.sans.org/info/59283
*************************************************************************

TRAINING UPDATE - -- SANSFIRE 2010, Baltimore, June 6-14, 2010 38 courses. Bonus evening presentations include Software Security Street Fighting Style and The Verizon Data Breach Investigations Report
http://www.sans.org/sansfire-2010/

- -- SANS Rocky Mountain 2010, Denver, July 12-17, 2010 8 courses. Bonus evening presentations include Hiding in Plain Sight: Forensic Techniques to Counter the Advanced Persistent Threat
http://www.sans.org/rocky-mountain-2010/

- -- SANS Boston 2010, August 2-8, 2010 11 courses. Special Events include Rapid Response Security Strategy Competition
http://www.sans.org/boston-2010/

- -- SANS Network Security 2010, Las Vegas, September 19-27, 2010 39 courses. Bonus evening presentations include The Return of Command Line Kung Fu and Cyberwar or Business as Usual? The State of US Federal CyberSecurity Initiatives
http://www.sans.org/network-security-2010/

Looking for training in your own community? http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/spring09.php

Plus Singapore, Amsterdam, Canberra and Portland all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
*************************************************************************

---

TOP OF THE NEWS

Google Admits Error in Collecting Wi-Fi Data and Fixes the Problem (May 14, 15 & 17, 2010)

Google has admitted that when Street View cars drove through neighborhoods, they also inadvertently recorded data transmissions on wireless networks in the area. The cars routinely collect Wi-Fi SSIDs and MAC addresses, but in some cases, they also recorded "payload data from open Wi-Fi points." A Google executive called the recording, which has been going on since 2006, "a mistake." Google Street View cars have been removed from service until the code responsible for the recording has been removed. European officials are angry about what appears to be a violation of privacy laws in some countries. (The Street View cars are used to compile composite images for street-level maps.)
-http://www.securecomputing.net.au/News/174894,google-admits-harvesting-wifi-data
-with-street-view-cars.aspx
-http://www.nytimes.com/2010/05/16/technology/16google.html?partner=rss&emc=r
ss
-http://www.wired.com/threatlevel/2010/05/google-street-view-cams/
-http://news.bbc.co.uk/2/hi/technology/8684110.stm
-http://money.cnn.com/2010/05/14/technology/Google_mistaken_wifi_collection/index
.htm?cnn=yes
[Editor's Note (Schultz): I fear that privacy advocates and the European Union are fighting what will ultimately be a losing battle. In this Information Age a plethora of information, much about individuals, is now routinely generated all the time. Someone can collect information about individuals while driving down the street, or in the air, or just about anywhere, and people constantly and inadvertently compromise their own privacy through email, IM, chat, social networks, wireless networks, and other avenues. In a nutshell, there is simply too much information about individuals being generated and transmitted.
(Ranum): That kind of "mistake" just doesn't happen, because it involves considerable increases to data-rates and retention and one would expect it to be pretty easy to notice during system testing. I suspect that what Google may mean is that "it's a mistake we got caught." ]

Judge Orders Gizmodo Warrant Docs Unsealed (May 14 & 17, 2010)

San Mateo County (California) Superior Court Judge Clifford V. Cretan has ordered that the documents related to a search warrant served on the home of Gizmodo editor Jason Chen be unsealed. The unsealing was sought by a group of news outlets. Normally, California law dictates that search warrant records are made public ten days after the warrant is issued. Plaintiffs in the case argued that unsealing the affidavit would expose information crucial to the ongoing investigation, including divulging the identity of a confidential informant. Judge Cretan said there was no information about a confidential informant in the affidavit and ordered the documents unsealed. No charges have been filed against Chen or against Brian Hogan, the man who found the phone in a Redwood City bar and sold it to Chen for US $5,000. Gizmodo published pictures and an analysis of the device. Apple maintains that the publication of information about an iPhone prototype is "immensely damaging" and is responsible for a "huge" financial loss for the company.
-http://www.wired.com/threatlevel/2010/05/gizmodo-unsealed/
-http://www.computerworld.com/s/article/9176818/Apple_claims_huge_loss_over_iPhon
e_leak?taxonomyId=17
-http://www.msnbc.msn.com/id/37159681/ns/technology_and_science-tech_and_gadgets/
-http://i.i.com.com/cnwk.1d/i/ne/pdfs/Order.pdf

Researchers to Present Paper on Security Issues in Cars' Computer Systems (May 13 & 14, 2010)

Researchers from the University of Washington and the University of California, San Diego, plan to present a paper in which they describe how computer programs used in automobiles can be manipulated by hackers to take control of braking and other critical systems in cars. The researchers created a tool called CarShark that "can sniff and inject packets on the" Controller Area Network (CAN) system, the diagnostic tool used for all US cars built in 2008 and later. The cyber attackers would need access to a standard diagnostic computer port in the targeted car. In a demonstration last year, the researchers connected a laptop to the targeted car and controlled that car's computer system wirelessly with another laptop in a car close by. The researchers are not trying to scare people, but to drive home the point to automobile manufacturers that they must bake security into the computer systems that accompany new cars. The paper is scheduled to be presented at the IEEE Symposium on Security and Privacy on Wednesday, May 19.
-http://www.nytimes.com/2010/05/14/science/14hack.html
-http://www.theregister.co.uk/2010/05/14/car_security_risks/
-http://www.pcworld.com/businesscenter/article/196293/car_hackers_can_kill_brakes
_engine_and_more.html
-http://news.cnet.com/8301-27080_3-20005047-245.html?tag=mncol;title

---

************************ Sponsored Links: ******************************
1) Measuring network performance, security and stability under hostile conditions - Take our SANS Network Security Survey and be entered into a drawing to win a $250 American Express Gift Certificate.
http://www.sans.org/info/59288

2) REGISTER NOW for the upcoming webcast: Improved Database Threat Management with Oracle Audit Vault and ArcSight Enterprise Security Manager
http://www.sans.org/info/59293
*************************************************************************

---

THE REST OF THE WEEK'S NEWS

Browsers Provide Information that Helps Identify Users (May 18, 2010)

Research conducted by the Electronic Frontier Foundation (EFF) shows that Web browsers such as Firefox and the Internet Explorer provide Web sites with information needed to build a unique profile of whoever visits these sites. Information about browser configuration, including the type of browser, the plugins that have been installed, the operating system on which the browser runs, fonts available, and more can enable individuals who are able to harvest this information to distinguish one user from another approximately 94 percent of the time, although the specific identities of users cannot be determined on the basis of this information alone. This research shows that cookies do not comprise the only threat to Web surfing anonymity.
-http://www.computerworld.com/s/article/9176904/EFF_Forget_cookies_your_browser_h
as_fingerprints?source=CTWNLE_nlt_dailyam_2010-05-18

School District Must Notify Students Whose Pictures Were Taken with Surveillance Software (May 17, 2010)

The Pennsylvania school district that made recent headlines for the questionable use of a video surveillance program on laptops used by students has been ordered to notify all students whose pictures were taken with the software. In all, the LANrev TheftTrack software on the Macbooks took tens of thousands of pictures of students in their homes. The tracking software was intended to be used to locate missing or stolen computers, but was activated in at least one case when a family had not paid an insurance fee for the computer's use. In addition, once the program was activated on the computers, it continued to take pictures even after the computers were located or other problems resolved. The district stopped using the TheftTrack software in February after one student's parents complained. Magistrate Judge Thomas J. Rueter of the Eastern District of Pennsylvania ordered Lower Merion School District to provide student names; mailing addresses; the dates on which tracking software was activated and deactivated; the number of webcam pictures taken; and the number of screenshots taken.
-http://www.wired.com/threatlevel/2010/05/webcamscandal-parents/
Court Order:
-http://www.wired.com/images_blogs/threatlevel/2010/05/lower-merion.pdf
[Editor's Note (Ranum): This story is going to have to continue to play itself out, because things still don't line up with reality. "Activated in one case" here and there doesn't result in "tens of thousands of pictures" and there are the associated questions of storage and backup. I'm willing to bet that there's a lot of scrambling going on to lose evidence - all of which is going to be ferretted out during discovery and examination. There are a lot more pieces of the puzzle that haven't come to light, yet. ]

Federal Employees Using Unsecure File Transfer Methods (May 17, 2010)

More than half of the respondents in a survey of 200 government IT and information security professionals said employees at their agencies use unsecure methods to transfer information. Fifty-two percent said employees transfer files through personal email both within the agency and when transmitting to other agencies. Two-thirds of the respondents said employees use USB drives, DVDs and other physical media to transfer files and 60 percent said their employees use the File Transfer Protocol (FTP). A significant problem seems to be that government agencies are lagging behind private industry in the use of encryption tools and the establishment of secure file transfer policies. Some agencies are faring better than others. For instance, the Internal Revenue Service (IRS) logs access to taxpayer information, uses an encrypted WAN, and all files transfers both within and outside the IRS are encrypted.
-http://www.computerworld.com/s/article/9176889/Survey_Gov_t_agencies_use_unsafe_
methods_to_transfer_files?taxonomyId=17
[Editor's Note (Northcutt): I agree that too many people use insecure means to move data; disagree the root cause is no access to encryption. A lot of people have access to encryption for email at work and yet consistently send data in the clear. We discuss this in the class I author and teach, and I think we as a community are becoming numb to the dangers we face from the Internet. Pretty Good Privacy (PGP) has been around almost 20 years now. In the early days, when you went to conferences, they had PGP signing parties and almost all the security professionals I interacted with had PGP and a key. Now, almost nobody seems to use it outside of FIRST, AV Research and similar enclaves. I am not sure awareness training is the best answer. The "Click it or Ticket" program for seatbelts is probably more effective than towing wrecked cars to high schools and showing gory video in driver's education. So perhaps fining the Pub owner in the UK whose wireless access point was used by others to steal music makes sense. Since we are talking about use in the work place, this may be an example of "Moral Hazard", why not take risks, it is the employer's computer and information. If you have any pointers to research on why we are not careful on the Internet, I would appreciate it if you would send them to me (stephen@sans.edu).
-http://www.sans.org/security-training/security-leadership-essentials-managers-kn
owledge-compression-62-mid
-http://www.techdirt.com/articles/20091128/1454517098.shtml
-http://www.suite101.com/article.cfm/economics_of_human_behavior/13899/1]

Malware-Harboring ISP Taken Offline (May 14 & 17, 2010)

The Russian Internet host PROXIEZ-NET has been taken offline after service to its upstream provider was severed. PROXIEZ is notorious for being a cyber crime friendly provider; it had advertised itself as being immune to takedown attempts. It hosted 13 Zeus command and control channels as well as keylogging software. The cyber criminals are likely to seek new homes for their command and control channels.
-http://news.bbc.co.uk/2/hi/technology/10119562.stm
-http://www.theregister.co.uk/2010/05/14/zeus_friendly_proxiez_mia/

Former Security Guard Admits to Cyber Intrusions at Dallas Medical Facility (May 14, 2010)

A former night-shift security guard at a Dallas hospital has pleaded guilty to two counts of transmitting malicious code. Jesse William McGraw broke into at least 14 computers at the North Central Medical Plaza and installed botnet code. McGraw was a member of a hacking group at the time; his intent was to use the infected machines to launch a distributed denial-of-service (DDoS) attack against a rival group. He was arrested last summer shortly before the planned attack. McGraw faces up to 10 years in prison for each count; his sentencing is scheduled for September 16.
-http://www.computerworld.com/s/article/9176811/Security_guard_pleads_guilty_to_h
acking_his_employer?taxonomyId=17
-http://www.star-telegram.com/2010/05/14/2190429/arlington-man-pleads-guilty-to.h
tml

Latvian Government Salary Whistleblower Identified (May 13 & 14, 2010)

Latvian police have identified the man believed to be responsible for stealing information about the salaries of government officials and making that information public through Twitter. Ilmars Poikans was questioned and released last week. The case will be sent to prosecutors who will decide whether or not to prosecute. The database that Poikans allegedly accessed was not protected and the information was slated to be made public at a later date. The Latvian government is experiencing financial problems and is making cutbacks, but officials still appear to be drawing sizeable salaries.
-http://www.computerworld.com/s/article/9176781/Latvian_police_decline_to_hold_da
tabase_hacker?taxonomyId=82
-http://www.theregister.co.uk/2010/05/14/latvian_hacker_whistleblower/
-http://www.allheadlinenews.com/articles/7018686988

Indian Police Arrest Man in Connection with Gonzalez's Payment Card Theft Ring (May 13 & 14, 2010)

Police in India have arrested a Ukrainian man in connection with the massive data breach that compromised payment card information at US major retailers, including TJX, Office Max and DSW. Sergey Valeryevich Storchark was charged with conspiracy to traffic in unauthorized access devices in August 2008; US authorities have requested his extradition. Storchark allegedly resold the stolen payment card information. The operation's mastermind, Albert Gonzalez, received a 20-year sentence in March.
-http://www.computerworld.com/s/article/9176779/Ukrainian_arrested_in_India_on_TJ
X_data_theft_charges?taxonomyId=82
-http://www.theregister.co.uk/2010/05/14/tjx_hacking_suspect_arrested/
-http://www.darkreading.com/database_security/security/cybercrime/showArticle.jht
ml?articleID=224701874&cid=RSSfeed

Chinese Man Convicted on Encryption Equipment Smuggling Charges (May 13, 2010)

Chi Tong Kuok has been convicted of conspiracy to export defense articles without a license, smuggling, money laundering and other charges. A Chinese national, Kuok admitted to attempting to obtain encryption equipment and other technology that would enable the Chinese government to monitor US military and government communications. The investigation that led to Kuok's arrest and conviction began in December 2006, when a contact in the US defense industry put Kuok in touch with an undercover federal agent posing as an individual willing to sell the technology Kuok sought. Kuok repeatedly expressed his suspicion that he might be communicating with US intelligence agents, but proceeded in his pursuit of devices and technology. He was arrested at an airport in Atlanta last year.
-http://www.wired.com/threatlevel/2010/05/kuok/
Kuok Indictment (February 2009):
-http://www.wired.com/images_blogs/threatlevel/2009/07/kuok_indictment.pdf

---

**********************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/