SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XII - Issue #4
January 15, 2010
Invitations are being distributed to IG and audit staff, CIOs and CISOs, for selection of attendees at the workshop on auditing and automating the 20 critical security controls. The workshop shows how the most advanced organizations have radically improved security while meeting FISMA and other compliance rules. It is scheduled in late February in Washington, DC. If you have security auditing responsibility or a FISMA management or consulting role, email 20CC@sans.org to request an invitation. Please include name, title, organization, and relevant responsibility.
Alan
TOP OF THE NEWS
Google Considering Leaving China
Zero-Day IE Flaw Used in Attacks on Google, Adobe and Others
UK ICO Will Have Authority to Levy Fines Up to GBP 500,000 (US $817,000)
THE REST OF THE WEEK'S NEWS
Connecticut AG Sues Health Net for HIPAA Violations
DarkMarket Member Sentenced to Prison
Google to Enable HTTPS on All Gmail Traffic by Default
Chinese Search Engine Baidu Attacked
US Army Website Vulnerable to SQL Injection Attack
Microsoft, Adobe and Oracle Release Security Updates
Intruders Steal Bank Login Data
*************************************************************************
TRAINING UPDATE
- -- SANS AppSec 2010, San Francisco, January 29-February 5, 2010
8 courses and bonus evening presentations, including Social Zombies: Your Friends Want to Eat Your Brains
https://www.sans.org/appsec-2010/
- -- SANS Phoenix, February 14 - February 20, 2010
6 courses and bonus evening presentations, including The Art of Incident Response and Advanced Forensic Techniques: Catching Hackers on the Wire
https://www.sans.org/phoenix-2010/
- -- SANS 2010, Orlando, March 6 - March 15, 2010
38 courses and bonus evening presentations, including Software Security Street Fighting Style
https://www.sans.org/sans-2010/
- -- SANS Northern Virginia Bootcamp 2010, April 6-13
https://www.sans.org/reston-2010/
Looking for training in your own community?
https://sans.org/community/
Save on On-Demand training (30 full courses)
- See samples at https://www.sans.org/ondemand/
Plus Tokyo, Bangalore, Oslo and Dublin all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org
*************************************************************************
TOP OF THE NEWS
Google Considering Leaving China (January 12, 2010)
In the wake of the attacks on Google and other companies, Google has indicated that it may no longer cooperate with Chinese censorship rules and that it may consider pulling out of China altogether. When Google opened operations in China in 2006, it operated under an agreement with the Chinese government that it would remove banned subject matter from search results.
-http://www.nytimes.com/2010/01/13/world/asia/13beijing.html?hp
-http://www.computerworld.com/s/article/9144138/Update_Google_may_pull_out_of_China_because_of_cyberattacks?taxonomyId=17
Storm Center:
-http://isc.sans.org/diary.html?storyid=7969
Editor's Note (Pescatore): The source of the attacks is getting all the headlines but as usual the attack vector is more important. Five years ago the source of many attacks against US companies was traced to Russia, now it is China; but failing to protect your systems results in the same expensive damage to you and your customers regardless of who launched the attack. Similar targeted attacks have been going on for quite some time and many companies have kept their systems safe.
Zero-Day IE Flaw Used in Attacks on Google, Adobe and Others (January 14, 2010)
Attackers exploited a zero-day vulnerability in Internet Explorer (IE) to launch attacks on Adobe, Google and about 30 other US companies. The flaw reportedly affects all versions of IE. Microsoft became aware of the vulnerability on January 13 and plans to issue an advisory on January 14. The memory corruption vulnerability allows attackers to inject malware onto users' computers. So far, the flaw has been exploited only in targeted attacks. While there have been reports that the attackers also used maliciously crafted PDF files to launch their attacks against the companies, it is now believed that only the IE flaw was used in the attacks.
-http://www.wired.com/threatlevel/2010/01/hack-of-adob
-http://www.theregister.co.uk/2010/01/14/cyber_assault_followup/
-http://www.computerworld.com/s/article/9144844/Hackers_used_IE_zero_day_not_PDF_in_China_Google_attacks?source=rss_security
Microsoft advisory:
-http://www.microsoft.com/technet/security/advisory/979267.mspx
Storm Center:
-http://isc.sans.org/diary.html?storyid=7993
[Editor's Note (Skoudis): The news this week about Google, China, and advanced persistent threats illuminates an important change in security. The threatscape has been shifting from cyber crime to more insidious attacks over the past couple of years, but in a way that didn't garner a lot of attention. Until now. I think it's a good thing to see folks finally waking up to this issue, rather than pretending it doesn't exist.
(Honan): This vulnerability, when exploited, uses the same user level as the logged-on user; maybe it is time to convince your management and users that they do not need local administrator access. ]
UK ICO Will Have Authority to Levy Fines Up to GBP 500,000 (US $817,000) (January 14, 2010)
As of April 6, 2010, the UK Information Commissioner's Office (ICO) will have the authority to fine organizations up to GBP 500,000 (US $817,000) for violations of the Data Protection Act. The level of the fine in each case will be determined by the seriousness of the breach as assessed by the ICO. Factors that will be taken into account will include whether the breach was deliberate or accidental, how much distress the exposure of information caused, and what measures the organization had in place to prevent the breach.
-http://news.bbc.co.uk/2/hi/technology/8455123.stm
-http://www.v3.co.uk/v3/news/2256099/ico-set-fine-breachers-500
******************** SPONSORED LINKS ****************************
1) Participation is needed! Be a part of this year's 2010 SANS Log Management Report by completing the survey and have a chance to win a $250 AMEX Card.
Click here to complete the survey and be automatically registered.
https://www.surveymonkey.com/s/9QH9536
*******************************************************************
THE REST OF THE WEEK'S NEWS
Connecticut AG Sues Health Net for HIPAA Violations (January 14, 2010)
Connecticut Attorney General Richard Blumenthal plans to sue Health Net for failing to protect personally identifiable information of nearly 450,000 Connecticut residents. Blumenthal has the authority to sue Health Net for violations of the Health Insurance Portability and Accountability Act (HIPAA) under the Health Information Technology for Economic and Clinical Health (HITECH) Act. Blumenthal is also seeking a court order that would require Health Net to encrypt all protected health information that resides on portable electronic devices. Health Net has acknowledged that in May 2009, it learned that a portable disk drive containing the information was missing from a Shelton, Connecticut office. The unencrypted data include insurance claim forms, medical records, and Social Security and bank account numbers.
-http://www.healthimaging.com/index.php?option=com_articles&view=article&id=20197:connecticut-ag-uses-hitech-to-sue-over-patient-data-breach
[Editor's Note (Northcutt): I wish there was another way to change corporate behavior other than lawsuits, but clearly lawsuits and possibly ridicule are the only tools we have. Perhaps a reality TV show could be fashioned around data breaches. ]
DarkMarket Member Sentenced to Prison (January 14, 2010)
A UK man has been sentenced to 10 years in prison for his role in the creation and operation of the DarkMarket site. Renukanth Subramaniam pleaded guilty to conspiracy to defraud and furnishing false information. According to authorities, Subramaniam joined DarkMarket upon its creation in 2005 and worked for the invitation-only underground organization that traded in stolen payment card and financial account information for about 18 months between 2005 and 2007. The site operated with a strict code of behavior for members, an ethos of honor among thieves. The site was closed down in 2008. Another DarkMarket member, John McHugh, has also pleaded guilty to conspiracy.
-http://www.theregister.co.uk/2010/01/14/darkmarket_fraudster_guilty_plea/
-http://www.ft.com/cms/s/0/34040a02-014d-11df-8c54-00144feabdc0.html
-http://www.telegraph.co.uk/news/uknews/crime/6989420/Mastermind-behind-eBay-for-criminals-is-facing-jail.html
Google to Enable HTTPS on All Gmail Traffic by Default (January 13, 2010)
Google plans to start using HTTPS to encrypt all Gmail traffic by default. HTTPS has always been used to protect login pages, but now users' communications will have an added layer of protection as well. Prior to the change, users could choose always-on encryption in their account settings. Google says the change was not prompted by the recent Chinese attacks, but Google did note that the growing prevalence of Wi-Fi was a factor in the decision.
-http://www.theregister.co.uk/2010/01/13/gmail_default_encryption/
-http://www.wired.com/threatlevel/2010/01/google-turns-on-gmail-encryption-to-protect-wi-fi-users/
[Editor's Note (Pescatore): A good move in general, but WiFi reached "prevalence" in 2008, actually some decline now as 3G wireless connections get used instead of WiFi. ]
Chinese Search Engine Baidu Attacked (January 12 & 13, 2010)
A deliberate attack is suspected to be the reason China's top search engine Baidu was unavailable earlier this week. The site was defaced with an image suggesting the attack came from the "Iranian Cyber Army." The image has been removed and users were greeted by an error message later in the day. A Baidu spokesperson said the company is investigating the incident. The same group is believed to be responsible for temporarily shutting down Twitter in December.
-http://www.google.com/hostednews/afp/article/ALeqM5jj17HIaCdlFsccFn51qjqlupilhg
-http://www.ft.com/cms/s/0/0ed1d424-ffe2-11de-ad8c-00144feabdc0.html
US Army Website Vulnerable to SQL Injection Attack (January 12, 2010)
A hacker has posted proof-of-concept exploit code for an SQL injection vulnerability in a US Army military housing website. The hacker claimed to have been able to "see/extract all things from databases." He claims to have been able to access more than 75 databases on the server. The site appears to have been storing weak passwords in plaintext. The same person has previously found vulnerabilities on NASA's website.
-http://www.darkreading.com/database_security/security/app-security/showArticle.jhtml?articleID=222300588&subSection=Application+Security
Microsoft, Adobe and Oracle Release Security Updates (January 12, 2010)
On Tuesday, January 12, Microsoft issued one security bulletin to address a critical flaw in Windows 2000; the vulnerability was rated low for other supported versions of the operating system. The Adobe update included a fix for a zero-day flaw in Acrobat and Reader that was already being actively exploited. Some experts are recommending that users give the Adobe fixes higher priority than Microsoft's this month, because they are already being exploited. Adobe also released a beta version of an automatic updater. Oracle has also released its Critical Security Update that includes 24 fixes.
-http://news.cnet.com/8301-27080_3-10433404-245.html
-http://www.microsoft.com/technet/security/Bulletin/MS10-001.mspx
-http://www.adobe.com/support/security/bulletins/apsb10-02.html
-http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2010.html
Storm Center:
-http://isc.sans.org/diary.html?storyid=7975
Two other critical vulnerabilities discussed at Storm Center:
-http://isc.sans.org/diary.html?storyid=7954
-http://isc.sans.org/diary.html?storyid=7987
Intruders Steal Bank Login Data (January 12, 2010)
Attackers gained access to a server at a small New York state bank and made off with login information for 8,600 accounts. The information was stolen over a period of six days last November; it was discovered during a security review in December. Suffolk County National Bank "isolated and rebuilt the compromised server and took other measures to ensure the security of data on the server." The bank has begun notifying affected customers by mail.
-http://www.theregister.co.uk/2010/01/12/bank_server_breached/
[Editor's Note (Pescatore): Recently the American Banking Association put out guidance to small banks to only use dedicated PCs for online banking, vs. guidance on how to keep corporate PCs secure. This points out why that kind of advice is misdirected - a bit harder here to recommend avoiding fixing the root cause of the problem by using something else. To make online banking secure for business use or as a business offering requires securing the actual business processes in use, not hoping some more secure alternative will be used. ]
**********************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.
Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/