SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XII - Issue #9

February 02, 2010

Tomorrow is the last day for large savings on SANS2010 in Orlando. 27 long courses, 11 short course, big exposition with people who actually understand their products, and great networking opportunities.

Here's what SANS students say:

"This is the way you need to learn: roll up your sleeves, dig in to the fundamentals and the nitty-gritty technical details, and then go 'hands-on' to practice and reinforce what you've been taught." - Joseph Price, DoD

More info:

https://www.sans.org/sans-2010/event.php

---

TOP OF THE NEWS

High Stakes in Covert Cyber War
Critical Infrastructure Computer Systems Under Constant Attack
MI5 Warned of Chinese Cyber Espionage More Than a Year Ago

THE REST OF THE WEEK'S NEWS

Navy Establishes US Fleet Cyber Command
Pushdo Botnet Sending Fake SSL Traffic to Websites
Health Net Reviewing Connecticut AG's Lawsuit
Iowa Casino Workers' Data Compromised
House Leaders Call for Investigation Into Defaced Websites
OPM Drops Plan to Stop Using SSNs as Government Employee Identifiers
Man Arrested for Allegedly Selling Modified Cable Modems
Maryland High School Computer System Allegedly Breached to Alter Grades

---

****************** Sponsored By Norman Data Defense Systems **************

Check out the Spring 2010 WhatWorks Poster: Top 35 Secure Development Techniques

https://www.sans.org/info/54244

Download Norman Data Defense whitepaper - Norman Network Protection

https://www.sans.org/info/54249

**************************************************************************

TRAINING UPDATE

-- SANS Phoenix, February 14 - February 20, 2010
6 courses and bonus evening presentations, including The Art of Incident Response and Advanced Forensic Techniques: Catching Hackers on the Wire
https://www.sans.org/phoenix-2010/
-- SANS 2010, Orlando, March 6 - March 15, 2010
38 courses and bonus evening presentations, including Software Security Street Fighting Style
https://www.sans.org/sans-2010/
-- SANS Northern Virginia Bootcamp 2010, April 6 - 13
Bonus evening presentations include Safe Surfing: How to Surf the Net Without Getting PWND
https://www.sans.org/reston-2010/
-- SANS Security West 2010, San Diego, May 7 - 15, 2010
23 courses. Bonus evening presentations include Killer Bee:
Exploiting ZigBee and the Kinetic World
https://www.sans.org/security-west-2010/
-- SANSFIRE 2010, Baltimore, June 6-14, 2010
38 courses
https://www.sans.org/sansfire-2010/
Looking for training in your own community?
https://sans.org/community/
Save on On-Demand training (30 full courses)
- See samples at https://www.sans.org/ondemand
Plus Oslo and Dublin all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org

*************************************************************************

---

TOP OF THE NEWS

High Stakes in Covert Cyber War (January 26, 2010)

Christian Science Monitor Editor John Yemma points out that the recently disclosed long term cyber attacks against US oil companies could result in "lost jobs and higher energy prices." The attackers infiltrated the companies' networks and remained inside, quietly stealing valuable bid data, which could allow them to make bids on potentially valuable oil and gas tracts without having to invest the considerable research funds spent by the targeted companies. Evidence suggests that the attacks originated in China.
-http://www.csmonitor.com/Commentary/editors-blog/2010/0126/Why-the-China-virus-h
ack-at-US-energy-companies-is-worrisome
[Editor's Note (Pescatore): Note that the deputy chief of the operations department of China's National Computer Network Emergency Response Technical Team has recently claimed that evidence shows that China is actually the largest *target* of cyber attacks. It really does not matter where the rain comes from, it is all about avoiding leaks in the roof and fixing those you can't avoid.

(Northcutt): One sensible approach is pretty simple. We make people stand in long lines to clear customs, let's do the same thing for packets. Now before you flame me for being an idiot, I am not suggesting all packets; let's start with SMTP. If a mail message comes from a known site or country that is a major source of malicious traffic, or has a link back to such a place, force it through a series of gateways. Who pays for this? The entity that wants to deal with the US. We can call it a packet visa. Counterpoint 1: "It will never work because there are a million pathways between here and there." Ah, very true, but there are a finite number of targets, US Government including DoD, the industrial defense contractors, Fortune 500 companies, critical infrastructure, and resource brokers such as oil companies. It is the old 80/20 rule. I am betting a guy like Tom Liston can write the code in an afternoon, though it will take some DHS contractor sixty people to maintain and improve it. ]

Critical Infrastructure Computer Systems Under Constant Attack (January 28 & 29, 2010)

According to a report from The Center for Strategic and International Studies, utility companies' and other critical infrastructure components' computer systems are constantly under attack worldwide. The report, which was commissioned by McAfee, compiles information gathered from 600 IT and security executives at companies around the world. More than half of respondents believe that their countries' laws are not effective in deterring cyber attacks, and nearly half believe that their countries do not have the ability to prevent cyber attacks.
-http://darkreading.com/security/attacks/showArticle.jhtml?articleID=222600355&am
p;subSection=Attacks/breaches
-http://www.informationweek.com/news/government/security/showArticle.jhtml?articl
eID=222600462
-http://www.nytimes.com/2010/02/02/us/29cyber.html
-http://www.dailytech.com/Power+Plants+Report+Increase+of+ForeignBased+Attacks/ar
ticle17550.htm
-http://www.smh.com.au/technology/enterprise/computers-under-constant-attack-2010
0128-n1s0.html
[Editor's Note (Pescatore): Everything connected to the Internet is under constant attack, just as every house is under constant attack by storms, termites, burglars, etc. The critical infrastructure systems are largely subject to the same things that have been hitting every other connected system.

(Schultz): The skeptics are correct in saying that their countries do not have the ability to prevent cyber attacks, despite all the financial expenditure and rhetoric to the contrary in some countries. What is so worrisome is that countries around the world experience one serious incident after another, yet they do not make the changes necessary to effectively mitigate the cybersecurity risks that they face. ]

MI5 Warned of Chinese Cyber Espionage More Than a Year Ago (January 31 & February 1, 2010)

More than a year ago, British security service MI5 warned companies doing business with China that Chinese intelligence organizations were attempting to break into corporate computers across Britain. The warning was prepared in 2008 and distributed to British financial organizations and other businesses. British businesspeople at trade shows had reportedly been approached by Chinese officers of the People's Liberation Army and Ministry of Public Security who offered them camera and memory sticks that contained malware that allowed remote access to the targets' computers.
-http://www.nytimes.com/2010/02/01/world/europe/01spy.html?partner=rss&emc=rs
s
-http://www.theregister.co.uk/2010/02/01/chinese_honey_trap_attacks/

---

************************ SPONSORED LINK *************************

1) Replace Cisco CS-MARS from the MARS creators. Upgrade to AccelOps at your current MARS maintenance fee and receive a full year of maintenance & support.

https://www.sans.org/info/54254

*******************************************************************

---

THE REST OF THE WEEK'S NEWS

Navy Establishes US Fleet Cyber Command (January 29, 30 & February 1, 2010)

The US Navy has established the US Fleet Cyber Command to defend naval IT systems against attacks and to use those systems to further military objectives. The Air Force and Marine Corps have already set up their own arms of the US Cyber Command, which was created by Defense Secretary Robert M. Gates in June 2009.
-http://www.informationweek.com/news/government/security/showArticle.jhtml?articl
eID=222600639
-http://www.navytimes.com/news/2010/01/navy_fleet_cyber_command_013010/
-http://defensesystems.com/articles/2010/01/29/navy-cyber-command.aspx

Pushdo Botnet Sending Fake SSL Traffic to Websites (January 29 & February 1, 2010)

The Pushdo botnet is inundating more than 300 websites, including those of the FBI, Twitter and eBay, with bogus SSL connections. The reasons for the anomalous traffic are still under investigation. The traffic is most likely decoy traffic rather than a DoS attack.. Pushdo, which has been used to send spam, is capable of receiving other instructions as well; the computers infected have recently been instructed to make SSL connections to websites and then disconnect from those sites.
-http://www.computerworld.com/s/article/9150380/Botnet_targets_major_Web_sites_wi
th_junk_SSL_connection?source=CTWNLE_nlt_pm_2010-02-01
-http://news.cnet.com/8301-27080_3-10445337-245.html?tag=newsLatestHeadlinesArea.
0
-http://www.theregister.co.uk/2010/01/29/strange_ssl_web_attack/
-http://www.informationweek.com/news/infrastructure/management/showArticle.jhtml?
articleID=222600704

Health Net Reviewing Connecticut AG's Lawsuit (February 1, 2010)

Health Net is in the process of reviewing a lawsuit filed against the company by Connecticut State Attorney General Richard Blumenthal. The lawsuit filed last month alleges that Health Net did not adequately protect customer data that were on a disk drive reported missing last spring; the data were not encrypted. Approximately 446,000 customers are believed to be affected. The lawsuit also notes that Health Net waited six months after learning of the device's loss to notify customers. Health Net maintains that there is no evidence that the data on the device have been misused.
-http://www.informationweek.com/news/healthcare/security-privacy/showArticle.jhtm
l?articleID=222600681

Iowa Casino Workers' Data Compromised (January 30 & February 1, 2010)

The Iowa Gaming and Racing Commission has acknowledged that one of their servers was breached, compromising the security of personally identifiable information of approximately 80,000 casino employees. The compromised data include information was that required for issuing occupational licenses such as names and Social Security numbers (SSNs). According to the commission's website, "the compromise took place January 26 (2010) when the state firewall functionality was circumvented due to network routing changes and a licensing database was breached."
-http://www.chicagotribune.com/news/chi-ap-ia-statecomputerhack,0,6534348.story
-http://www.scmagazineuk.com/us-gaming-commission-confirms-80000-personal-details
-exposed-after-outside-attack-on-server/article/162775/
-http://www.iowa.gov/irgc/Breach.htm
[Editor's Note (Honan): One the most effective defences against security self inflicted wounds like this one is to have an effective change management process in place. ]

House Leaders Call for Investigation Into Defaced Websites (January 29, 2010)

US legislators are calling for a review to determine how 49 US House member and House committee websites were defaced following president Obama's State of the union address last week. All of the sites are operated by GovTrends. Eighteen House sites fell prey to similar attacks last August. Speaker of the House Nancy Pelosi (D-Calif.) and House Republican Leader John Boehner (R-Ohio) have requested that the House Chief Administrative Officer (CAO) investigate the attacks.
-http://www.washingtonpost.com/wp-dyn/content/article/2010/01/28/AR2010012803562.
html
-http://darkreading.com/security/attacks/showArticle.jhtml?articleID=222600508&am
p;subSection=Attacks/breaches
-http://darkreading.com/security/attacks/showArticle.jhtml?articleID=222600404&am
p;subSection=Attacks/breaches

OPM Drops Plan to Stop Using SSNs as Government Employee Identifiers (January 29, 2010)

The US Office of Personnel Management (OPM) is dropping a plan to stop using SSNs as unique identifiers. The plan was introduced to help prevent identity fraud, but OPM Director John Berry said that abandoning SSNs as identifiers would require assigning alternative identifiers to all government workers. The original plan would have prohibited government agencies from using SSNs as primary employee identification in data processing systems.
-http://www.nextgov.com/nextgov/ng_20100129_9750.php?oref=topstory

Man Arrested for Allegedly Selling Modified Cable Modems (January 29, 2010)

US federal authorities have arrested Matthew Delorey and charged him with conspiracy and wire fraud. Delorey allegedly operated a web site that sold hacked modems that allowed users to get free Internet access or make it appear that a different modem was accessing the Internet. The modems offered for sale on the site had their Media Access Control (MAC) addresses hacked. Delorey allegedly sold two modified modems to an undercover FBI agent.
-http://www.cio.com/article/527216/FBI_Arrests_Alleged_Cable_Modem_Hacker

Maryland High School Computer System Allegedly Breached to Alter Grades (January 29 & February 1, 2010)

Officials are investigating an alleged hacking incident at a Potomac, Maryland high school. Students allegedly gained access to Churchill High School's computer system through a password obtained with keystroke logging software. Once inside the system, the intruders allegedly changed an unknown number of grades. Teachers have been asked to compare their own records with the grades on the computer system; however, many teachers do not keep paper records of their students' grades. As many as 50 students may have been involved in the scheme, which allegedly involved the exchange of money for raising grades. Officials have interviewed several students.
-http://www.washingtonpost.com/wp-dyn/content/article/2010/01/28/AR2010012803494.
html
-http://www.nbcwashington.com/news/local-beat/Students-May-Have-Changed-Grades-fo
r-Money-83148222.html

---

**********************************************************************

The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/