SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XII - Issue #83

October 19, 2010

TOP OF THE NEWS

DOE Report Offers Smart Grid Privacy Recommendations
Facebook Faces Another Privacy Breach
UK Government States Cyber Attacks Are Amongst Biggest Emerging Threats
US Government Using Social Networks for Spying

THE REST OF THE WEEK'S NEWS

ZeuS's Latest Targets Include Schwab Investment Accounts and US Taxpayers
NERC Requires Bulk Power Providers to Address Aurora Vulnerability
Univ. of North Florida Notifies Students of Data Breach
Survey Reveals That Data Theft is Biggest Loss for Businesses
Cold War Doctrines Need for Cyber Warfare
ID Theft Costs UK US $4.3 Billion A Year

---

************************ Sponsored By SANS ***************************** The SANS WhatWorks Incident Detection and Log Management Summit, chaired by Mike Poor, is being held in Washington DC on December 8 and 9 and offers two full days of content in a single track, consisting of expert keynotes, professional briefings and dynamic panels. It will concentrate on network-centric and host-centric methods to detect intruders that work in the real world. http://www.sans.org/info/66073 ************************************************************************* TRAINING UPDATE New "Combating Malware in the Enterprise" course at SANS (SEC569). How do you fight off malware when you have thousands of hosts? Course debut in Las Vegas (Sept'10) and Washington DC (Dec'10):
http://www.sans.org/security-training/combating-malware-enterprise-1482-mid

-- SANS Chicago 2010, Skokie, Illinois, October 25-30, 2010 6 courses. Bonus evening presentations include Weaponizing LISP: Advancing the Art of Network Security and Examining the Global Underground of Malicious Actors
http://www.sans.org/chicago-2010/night.php

-- SANS San Francisco 2010, November 5-12, 2010 7 courses. Bonus evening presentations include Weaponizing LISP: Advancing the Art of Network Security
http://www.sans.org/san-francisco-2010/

-- SANS London 2010, November 27-December 6, 2010 14 courses. Bonus evening presentations include Latest Advances in Computer Forensics and Continuous Vulnerability Testing and Remediation: The 20 Critical Security Controls Perspective
http://www.sans.org/london-2010/

-- SANS Cyber Defense Initiative 2010, Washington DC, December 10-17, 2010 24 courses. Bonus evening presentations include Browser Based Defenses; Continuous Vulnerability Testing and Remediation: the 20 Critical Security Controls Perspective; and Cyberwar or Business as Usual? The State of US Federal CyberSecurity Efforts
http://www.sans.org/cyber-defense-initiative-2010/

-- SANS Security East 2011, New Orleans, LA, January 20-27, 2011 12 courses. Bonus evening presentations and special events include Happy Little Clouds: Governing, Assessing and Auditing Cloud Environments and Future Trends in Network Security
http://www.sans.org/security-east-2011/

-- Looking for training in your own community?
http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus San Antonio, Sydney, Geneva, Tokyo, Manama and Muscat all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php *************************************************************************

---

TOP OF THE NEWS

DOE Report Offers Smart Grid Privacy Recommendations (October 15, 2010)

A report from the US Department of Energy (DOE) says that legislators need to address data privacy issues associated with smart grid technologies. The household energy consumption data collected by the technologies could be used "to help consumers significantly reduce energy consumption," but lawmakers need to be aware of and address the need for controls to prevent its use and sharing in ways that violate people's privacy rights. The information could be used to paint a picture of customers' daily schedules and activities and to identify certain types of devices in the home. DOE says that consumers need to be able to decide to what extent the collected information is shared with third parties.
-http://www.computerworld.com/s/article/9191220/Energy_Department_warns_over_smar
t_grid_privacy?taxonomyId=84
-http://www.gc.energy.gov/documents/Broadband_Report_Data_Privacy_10_5.pdf

Facebook Faces Another Privacy Breach (October 18th)

The privacy of many users on Facebook has been compromised by a number of popular applications, or apps, used on the social networking site. An investigation by the Wall Street Journal identified a number of apps that access Facebook members' personal details, even if their privacy settings were set to the most restrictive allowed within the social network. According to the report, up to 25 advertising and data gathering firms were exploiting the issue to enable them access the name of the persons using certain apps, and in some cases the names of those persons' friends. One company, Rapleaf, was also found to have combined the user data accessed in Facebook with its own database of internet users. Rapleaf admitted that some of this information was also transmitted to other third parties, but claimed that this transmission was accidental. Facebook has responded by saying it will implement a solution to prevent this type of access to user data.
-http://online.wsj.com/article/SB10001424052702304772804575558484075236968.html
-http://www.theregister.co.uk/2010/10/18/facebook_apps_privacy_breach
-http://www.bbc.co.uk/newsbeat/11565948
-http://www.net-security.org/secworld.php?id=10005

UK Government States Cyber Attacks Are Amongst Biggest Emerging Threats (October 18th)

In its new national security strategy the UK government has identified that attacks on computer networks are amongst the biggest emerging threats to the security of the United Kingdom. Citing that cyber warfare is "one of the highest priority national security risks to the UK", the UK government promised it will develop a programme to address threats "from states, criminals and terrorists". Stating that the Beijing Olympics held in China received over 12 million cyber attacks each day, the document highlighted the 2012 London Olympics as being a "huge vulnerability" and that it was at serious risk of cyber attacks from those attempting to "defraud and possibly disrupt". To deal with this emerging threat the UK government will be allocating a budget of GBP 500 million (US $799 million) and the strategy will be managed by the recently appointed Office of Cyber Security.
-http://www.bbc.co.uk/news/uk-11562969
-http://www.independent.co.uk/news/uk/home-news/cyberattacks-are-key-threat-to-uk
-security-2109628.html
-http://www.computerworlduk.com/news/security/3244646/government-allocates-500m-t
o-fighting-cyber-attacks/
[Editor's Note (Honan): It is a sign of the times and how serious the cyber threat is being taken by the UK government when we see such an increase in the cyber security budget, while at the same time the UK is planning its biggest cuts in the traditional defence budget since the cold war.
-http://www.ft.com/cms/s/0/80eff352-daa6-11df-81b0-00144feabdc0.html]

US Government Using Social Networks for Spying (October 15th)

The privacy watchdog the Electronic Frontier Foundation (EFF) has highlighted that a number of documents obtained from various US government agencies demonstrates that those agencies are actively using various social networking sites to spy on people. Some of the agencies involved include the U.S. Citizenship and Immigration Services which monitored the activity of people who applied for U.S. citizenship and the Department of Homeland Security which monitored commentary on various social networks during President Obama's inauguration. The EFF highlighted that while the DHS attempted to ensure its monitoring of social networks was appropriate, the EFF had a number of concerns, "While it is laudable to see DHS discussing the Fair Information Practice Principles as part of the design for such a project, the breadth of sites targeted is concerning".
-http://www.v3.co.uk/v3/news/2271580/dhs-running-social-network
-http://www.net-security.org/secworld.php?id=9998

---

************************* Sponsored Links ************************
1) REGISTER NOW! Securing Services at the Network Edge - Combining Security Enforcement and Governance WHEN: Wednesday, October 27, 2010 at 1:00 PM EDT (1700 UTC/GMT) FEATURING: Sachin Gadre and Blake Dournaee http://www.sans.org/info/66078
(2) October 2010 marks the seventh annual National Cybersecurity Awareness Month sponsored by the Department of Homeland Security., and Internet Storm Center is using its handler diaries throughout the month to conduct a deep dive into various security issues. A complete list the diaries can be found here: https://isc.sans.edu/tag.html?tag=2010%20cyber%20security%20awareness%20month **********************************************************************

---

THE REST OF THE WEEK'S NEWS

ZeuS's Latest Targets Include Schwab Investment Accounts and US Taxpayers (October 15 & 16, 2010)

Despite more than 100 arrests of people involved in using the ZeuS Trojan horse program, other groups are still actively using the malware. One group has turned to Schwab investment accounts, while another has targeted entities that pay quarterly US federal taxes online.
-http://www.computerworld.com/s/article/9191479/Zeus_botnet_gang_targets_Charles_
Schwab_accounts?taxonomyId=17
-http://darkreading.com/smb-security/security/attacks/showArticle.jhtml?articleID
=227900050&subSection=Attacks/breaches
[Editor's Note (Pescatore): Early in the movie "Social Network" someone says "When you write something on the Internet it is in pen, not pencil." Threat code and toolkits don't get erased when the original author(s) get arrested.
(Multiple): Microsoft's free Malicious Software Removal Tool is updated with each monthly patch update, but it doesn't work if you don't install it. IT has laredy removed Zeus 281,000 times.
-http://www.scmagazineus.com/microsoft-tool-removes-zeus-281000-times-in-five-day
s/article/181192/?DCMP=EMC-SCUS_Newswire
(Northcutt): ZeuS can steal your money even if you have two factor authentication, because it does it after you authenticate. Even so, a token takes password stealing off the table for other malware. This problem is only going to get worse, so here are a few common sense things to do. Many online brokerages are also banks. Consider using brokerages for securities and banks for banking. That way if you do get hit, they can't suck down everything you have worked all these years for because the same authentication opens up both. Also, consider making things as easy as possible for fraud detection software. For instance, I have a bank account that I ONLY use to receive my paycheck. I ONLY transfer money from it in the same amount every time and always by check. It does NOT have a debit card. The main "customer" of this account of course is the account at another bank where I do all of my online bill paying. I try to keep enough money to pay bills, but not much more. Finally, little banks are less likely to have fraud detection software, or worse, have it but not use it, than big banks. ]

NERC Requires Bulk Power Providers to Address Aurora Vulnerability (October 15, 2010)

The North American Electric Reliability Corporation (NERC) has issued a "recommendation" requiring bulk power system owners to evaluate information about the Aurora cyber threat and take steps to protect their systems if they are deemed vulnerable. The Aurora vulnerability was demonstrated in 2007 in a Department of Homeland Security (DHS) video showing a generator exploding as a result of a simulated cyber attack. Over the last three years, a NERC team focused on this problem has compiled a technical library with information about the vulnerability and how to mitigate the risk it poses. The system owners have until December 12, 2010 to submit reports of their efforts to address the issue.
-http://www.scmagazineus.com/nerc-requiring-power-companies-to-mitigate-aurora-fl
aw/article/181078/
[Editor's Note (Pescatore): I think they would be better off doing a lessons learned from Stuxnet, as that not only specifically targeted programmable logic controllers and process control HMI software, but it also went after systems that are pretending to be completely isolated from general networks, but really aren't - like many power system provider networks. ]

Univ. of North Florida Notifies Students of Data Breach (October 15 & 16, 2010)

The University of North Florida (UNF) and the FBI are investigating a cyber intrusion that compromised the personal information of 107,000 UNF students, applicants and employees. Authorities were alerted to the breach in September, but affected individuals were not notified until October 15. The compromised information includes names, dates of birth and Social Security numbers (SSNs). The attack appears to have originated outside the US.
-http://staugustine.com/news/local-news/2010-10-16/fbi-unf-investigating-breach-c
onfidential-student-data
-http://www.computerworld.com/s/article/9191458/University_of_North_Florida_breac
h_exposes_data_on_107_000_individuals

Survey Reveals That Data Theft is Biggest Loss for Businesses. (October 18th)

According to the latest edition of the Kroll Annual Global Fraud Report theft of data assets has risen by more than 50% in the past year to surpass physical property losses for the first time. Of the companies surveyed 27.3% stated that they had suffered losses due to theft of information or assets, which is an increase from 18% in 2009. In contrast the report highlighted that theft of physical assets or stock dropped from 28% in 2009 to 27.2% in 2010. The theft of computers, information being stolen via portable storage devices and attacks by cyber criminals using stolen login credentials were the most common causes for loss. The report also highlighted that despite the increase in fraud only 48% of the companies surveyed plan to increase their information security budget over the next 12 months, down from 51% in the previous year.
-http://www.ft.com/cms/s/2/3c0c9998-da1a-11df-bdd7-00144feabdc0.html
-http://www.computerweekly.com/Articles/2010/10/18/243378/Data-theft-by-cybercrim
inals-biggest-loss-for-businesses-survey.htm

Cold War Doctrines Needed for Cyber Warfare (October 15th)

At the recent RSA Europe conference held in London, former US Homeland Security secretary Michael Chertoff has called on countries to develop doctrines to deal with cyber warfare in the same way cold war doctrines were developed for nuclear conflict. He told delegates at the conference that over 100 countries are now actively involved in cyber espionage and cyber attacks and that clear rules of engagement need to be defined. While stating that countries should be able to respond to cyber attacks "with overwhelming force," he added countries need not "respond to virtual attacks with real attacks but I do think it's important to define when and how it might be appropriate to respond. Everyone needs to understand to rules of the game." Acknowledging that attribution of attacks is difficult Mr Chertoff posited that countries that are victims of persistent attacks against their critical infrastructure should be permitted to incapacitate the platform used as the source of the attack, regardless of who is controlling the attack.
-http://www.v3.co.uk/v3/news/2271571/doctrine-needed-coordinate
-http://www.theregister.co.uk/2010/10/15/cyberwar_attack_soctrines/
[Editor's Note (Schultz): I agree with Chertoff when it comes to information warfare involving countries. At the same time, however, I fear that governmental policy permitting or requiring counterattacks against nations that have launched attacks will embolden system and security managers to strike back when their systems have been attacked, thereby violating the law and professional ethics codes. ]

ID Theft Costs UK US $4.3 Billion A Year (October 18th)

A study released by the United Kingdom's National Fraud Authority highlights that ID Fraud affect 1.8 million Britons each year at a cost of GBP 2.7 Billion (US $4.3 Billion). The study was released to coincide with the UK's Identity Fraud Prevention Week and reveals that fraudsters were able to defraud more than GBP 1,000, or US $1,600, from each stolen identity. The Chief Executive of the National Fraud Authority, Dr Bernard Herdan, said "Stolen and false identities are a significant enabler of crime and this issue demands a co-ordinated response across government and the private sector." The study also shows that victims can face up to 200 hours of effort in order to repair any damage caused to their credit rating due to identity theft.
-http://www.theregister.co.uk/2010/10/18/nfa_id_fraud_survey/
-http://www.bbc.co.uk/news/business-11553199

---

**********************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer at the North American Energy Reliability Commission (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/