SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XII - Issue #8

January 29, 2010

TOP OF THE NEWS

How The Chinese Attacks Actually Work
Malware on Infected Web Pages is Becoming More Sophisticated

THE REST OF THE WEEK'S NEWS

NARA Data Loss Affects Clinton-Era White House Staff and Visitors
Flaws Found In 3D Secure Credit Card Scheme
Thomas-Rasset Rejects RIAA's Settlement Offer
Google Issues Chrome Update
Bank Suing Cyber Theft Victim
Attack on IE Exposes Users' Entire System Drives
BlueCross BlueShield of Tennessee Breach is Proving to be Costly
Zimuse Worm May Have Started as a Prank
Second Man Pleads Guilty in Scientology DDoS Case
Study Shows That Consumer Awareness of Online Threats is Growing

---

**************************************************************************

TRAINING UPDATE

- -- SANS AppSec 2010, San Francisco, January 29-February 5, 2010 8 courses and bonus evening presentations, including Social Zombies:
Your Friends Want to Eat Your Brains
https://www.sans.org/appsec-2010/
- -- SANS Phoenix, February 14 - February 20, 2010
6 courses and bonus evening presentations, including The Art of Incident Response and Advanced Forensic Techniques: Catching Hackers on the Wire
https://www.sans.org/phoenix-2010/
- -- SANS 2010, Orlando, March 6 - March 15, 2010
38 courses and bonus evening presentations, including Software Security Street Fighting Style
https://www.sans.org/sans-2010/
- -- SANS Northern Virginia Bootcamp 2010, April 6-13
Bonus evening presentations include Safe Surfing: How to Surf the Net Without Getting PWND
https://www.sans.org/reston-2010/
- -- SANS Security West 2010, San Diego, May 7-15, 2010
23 courses. Bonus evening presentations include Killer Bee: Exploiting ZigBee and the Kinetic World
https://www.sans.org/security-west-2010/
- -- SANSFIRE 2010, Baltimore, June 6-14, 2010
38 courses
https://www.sans.org/sansfire-2010/
Looking for training in your own community?
https://sans.org/community/
Save on On-Demand training (30 full courses)
- See samples at https://www.sans.org/ondemand/
Plus Tokyo, Bangalore, Oslo and Dublin all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*************************************************************************

---

TOP OF THE NEWS

How The Chinese Attacks Actually Work (January 27, 2010)

A report from Mandiant describes how cyber criminals launch sophisticated attacks that penetrate government and corporate computer networks and remain undetected to steal information and monitor activity over lengthy periods of time. The advanced persistent threat (APT) model described in the report is drawn from cases involving real attacks that Mandiant has researched over the last seven years. The company did not say if it is involved in investigating the recent attacks on Google, Adobe and other US companies. The report indicates that the majority of APT attacks have ties to China. Security software was able to detect just 24 percent of the malware used in the attacks. The report describes the seven stages of APT attacks: reconnaissance; intrusion into the network; establishing a backdoor; obtaining user credentials; installing multiple utilities; privilege escalation, lateral movement, and data exfiltration; and maintaining persistence.
-http://www.darkreading.com/database_security/security/attacks/showArticle.jhtml?
articleID=222600139

Malware on Infected Web Pages is Becoming More Sophisticated (January 26, 2010)

According to data compiled by Dasient, 5.5 million web pages on 560,000 websites were infected with malware in the last quarter of 2009. In the previous quarter, 5.8 million web pages on 640,000 websites were infected. The attackers appear to be becoming more efficient; two years ago, infected web pages would infect users' computers with an average of at least a dozen pieces of malware; the most recent figures have that number falling to just 2.8. A smaller number of malicious programs means that users are less likely to notice an attack.
-http://www.darkreading.com/database_security/security/attacks/showArticle.jhtml?
articleID=222500206

---

************************ SPONSORED LINK *************************

1) Participation is needed! Be a part of this years 2010 SANS Log Management Report by completing the survey and have a chance to win a $250 AMEX Card.

Click here to complete the survey an be automatically registered.

https://www.sans.org/info/53864

*******************************************************************

---

THE REST OF THE WEEK'S NEWS

NARA Data Loss Affects Clinton-Era White House Staff and Visitors (January 27, 2010)

The US National Archives and Records Administration (NARA) has sent letters to 250,000 Clinton administration staff and White House staff members and visitors, informing them that their personally identifiable information has been compromised. A hard drive containing the information was reported missing last March. The data include Social Security numbers (SSNs). The NARA had initially sent notification letters to 26,000 people before it learned the actual scope of the breach.
-http://www.foxnews.com/politics/2010/01/27/national-archives-warns-clinton-staff
-visitors-major-data-breach/?test=latestnews
-http://www.wired.com/threatlevel/2010/01/national-archives-data-breach/
[Editor's Note (Skoudis): This case highlights an important fact about breaches: stolen data might have long-lasting effects. A breach today may involve PII from a transaction a decade ago. Similarly, bad guys hold onto data from long-ago breaches. There is really a lifecycle to the data stolen in a breach, and it is a lot longer than many people think. ]

Flaws Found In 3D Secure Credit Card Scheme (January 28, 2010)

University fo Cambridge researchers say 3D Secure (3DS) better known as Verified by Visa and MasterCard SecureCode is fraught with security problems. The systems require a person to enter a password or portions of a password to complete an on-line purchase. Merchants who implement 3DS are stuck with fewer chargebacks. But the researchers say that banks such as the Royal Bank of Scotland are now holding consumers to a higher level of liability
-http://www.pcworld.idg.com.au/article/334105

Thomas-Rasset Rejects RIAA's Settlement Offer (January 27, 2010)

Just days after a judge reduced the penalties levied against Jammie Thomas-Rasset for illegal file sharing from US $1.92 million to US $54,000, the Minnesota mother of four has rejected an offer from the Recording Industry Association of America (RIAA) to settle the case out of court for US $25,000. US District Judge Michael Davis reduced the penalty because he said it bore no "relation to the actual damages." One of Thomas-Rasset's attorneys, Joe Sibley, said his client rejected the RIAA's settlement offer because the amount was still "exorbitant" and the RIAA was using the case to make an example of his client and "scare people into doing what they (the RIAA) want." The offer from the RIAA was also contingent upon Thomas-Rasset asking Judge Davis to vacate his decision to reduce the penalty.
-http://www.wired.com/threatlevel/2010/01/settlement-rejected-in-shocking-riaa-fi
le-sharing-verdict/
-http://news.cnet.com/8301-31001_3-10442482-261.html

Google Issues Chrome Update (January 26, 2010)

Google has released an update for its Chrome browser that addresses 13 vulnerabilities that could be exploited to execute arbitrary code on unprotected computers, steal data, create denial-of service conditions, or bypass security restrictions. The new version of the browser, Chrome 4.0.249.78, also supports Strict Transport Security, which requires the browser to access certain websites through secure HTTPS connections. In addition, it includes a cross-site scripting (XSS) filter that checks to see if scripts about to run on web pages are malicious.
-http://www.scmagazineus.com/chrome-40-released-addresses-several-security-vulner
abilities/article/162354/
-http://googlechromereleases.blogspot.com/2010/01/stable-channel-update_25.html

Bank Suing Cyber Theft Victim (January 26, 2010)

A bank in Lubbock, Texas is suing one of its customers, Hillary Machinery Inc., after cyber thieves attempted to steal US $800,000 from that company's account. PlainsCapital was able to recover about US $600,000 of the stolen funds. Neither PlainsCapital nor Hillary Machinery Inc. disputes the fact of the attempted cyber theft. The bank's lawsuit cites a letter in which Hillary Machinery demands that it repay the US $200,000 it was unable to recover and alleges that the bank has not established adequate security measures to protect the company's funds. The bank's suit wants the US District Court for the Eastern District of Texas to certify that it did have adequate security measures in place at the time of the fraudulent transfers and that it processed those transactions in good faith because they were initiated with valid authentication credentials.
-http://www.krebsonsecurity.com/2010/01/texas-bank-sues-customer-hit-by-800000-cy
ber-heist/
-http://www.computerworld.com/s/article/9149218/Bank_sues_victim_of_800_000_cyber
theft?taxonomyId=17&pageNumber=2
[Editor's Note (Northcutt): And of course it is just a matter of time until someone fakes the cyber theft, sprinkle some malware, pays his own mules to receive the money, and then blames the bank.]

Attack on IE Exposes Users' Entire Hard Drives (January 26 & 27, 2010)

Microsoft is investigating reports of an attack on Internet Explorer (IE) that can reveal the entire contents of users' hard drives to attackers. The attack reportedly involves misusing a series of features in the browser, such as URL Security Zones and the IE filesharing protocol, which in and of themselves are not considered vulnerabilities, but when used together present a serious vulnerability. A security consultant plans to release proof-of-concept exploit code for the attack after Microsoft has released a patch. The attack does not allow remote code execution or hijacking users' machines.
-http://www.darkreading.com/vulnerability_management/security/client/showArticle.
jhtml?articleID=222500167&subSection=End+user/client+security
[Editor's Comment (Northcutt): Microsoft not releasing patches is becoming an increasingly important problem. It came up last week, as well. Browsers are used for online commerce; of course we need them to patch vulnerabilities. ]

BlueCross BlueShield of Tennessee Breach is Proving to be Costly (January 26, 2010)

A security breach at BlueCross BlueShield of Tennessee has already cost the company more than US $7 million. Last October, 57 hard drives were stolen from an abandoned office. The company is likely to have to spend considerably more money to determine exactly what information the drives contained and provide identity fraud protection for consumers. As many as 500,000 people are believed to be affected by the breach. The stolen drives were waiting to be sent back to the manufacturer for disposal.
-http://www.timesfreepress.com/news/2010/jan/26/bluecross-computer-theft-already-
costs-7-million/

Zimuse Worm May Have Started as a Prank (January 25 & 26, 2010)

The Zimuse.A and Zimuse.B worms are believed to have originated as a prank intended to infect computers belonging to members of a motorcycle club in Slovakia. The worm variants have spread through corporate networks, infecting computers in the US, Thailand and Spain as well as Slovakia. Zimuse can spread through removable data storage devices or through compromised websites. It overwrites the master boot record on the machines it infects and prevents users from accessing their data.
-http://securitywatch.eweek.com/malware/possible_worm_prank_no_laughing_matter.ht
ml
-http://www.theregister.co.uk/2010/01/25/slovak_biker_destructive_worm/

Second Man Pleads Guilty in Scientology DDoS Case (January 25, 26 & 27, 2010)

Brian Thomas Mettenbrink has admitted to downloading software and using it to help launch a distributed denial-of-service (DDoS) attack against the Church of Scientology's website in January 2008. Mettenbrink pleaded guilty to one count of unauthorized access to a protected computer. In October 2008, Dmitriy Guzner also pleaded guilty to charges related to his role in the attack; he was sentenced to one year in prison last November. Mettenbrink's plea agreement seeks a 12-month sentence as well, but the final decision lies with the sentencing judge.
-http://www.theregister.co.uk/2010/01/27/scientology_ddos_guilty_plea/
-http://www.computerworld.com/s/article/9148698/Nebraskan_pleads_guilty_to_2008_W
eb_attack_on_Scientologists?source=rss_security
-http://www.cybercrime.gov/mettenbrinkPlea.pdf

Study Shows That Consumer Awareness of Online Threats is Growing (January 25, 2010)

A study from RSA indicates that consumers are more aware of online security threats than they were two years ago. Despite the fact that twice as many people were aware of the dangers of phishing attacks in 2009 than in 2007, over the same two-year period, the number of people who succumbed to the attacks increased six-fold. This can be attributed in part to the increased number of phishing attacks. Two-thirds of people who belong to social networking sites are reluctant to share personal information on those sites. In 2007, 63 percent of respondents were aware of the dangers of Trojan Horse programs; that figure rose to 81 percent in 2009.
-http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=
222400407&subSection=Vulnerabilities+and+threats
[Editor's Note (Skoudis): Two-thirds of people who belong to social networking sites may claim that they are reluctant to share personal information, but they still seem to share it nonetheless. Still, at least awareness is inching up... but now we have to turn that awareness into action on users' part.

(Schultz): Interestingly, some 2009 surveys indicate that the number of phishing attacks has been declining, not increasing over recent years. ]

---

**********************************************************************

The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/