SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XII - Issue #91

November 16, 2010

Top National Cyber Security Award Announced (Washington, DC) The U.S. National Cyber Security Leadership Award was announced this morning at the Washington D.C. Convention Center, with three people sharing the 2010 award: US Senator Tom Carper (DE), US CIO Vivek Kundra, and US State Department CISO John Streufert. The award announcement recognized their transformation of federal cyber security, stopping the billion dollars in waste on certification and accreditation reporting and on the unimportant aspects of annual and quarterly FISMA reporting. They radically changed national priorities and US government policy, and they acted to replace the wasted effort with continuous security monitoring (automated so updates are generated no less often than every 72 hours) and accompanying day-by-day, system-by-system accountability, so measurement is immediately converted into action. Their impact goes far beyond government; hundreds of commercial organizations and other nations' government agencies are already following their lead. See award announcement at https://www.sans.org/cyber-security-leadership/2010/ Alan

---

TOP OF THE NEWS

Stuxnet Appears to Target Frequency Converter Drives
Cyber Security Bills Could Stall in Congressional Lame Duck Session

THE REST OF THE WEEK'S NEWS

Verizon Launches Anonymous Breach Reporting Site
Former Hospital Employee Allegedly Stole and Sold Patient Data
Koobface Report Provides Insight; Command-and-Control Servers Taken Offline
White House Considering Privacy Watchdog Position
Active Hyperlinks Blocked in Live Messenger 2009 to Prevent Worm Spreading
Kernell Sentenced to 366 Days in Custody for Breaking Into Palin's Yahoo eMail
Three Arrested in Phishing Scheme
Albert Gonzalez

---

********************** Sponsored By Palo Alto Networks ******************* Please join us for a SANS Analyst Webcast: "Taming the Social Networking Beast" on December 7, 1PM EST sponsored by Palo Alto Networks. In this webcast, learn the risks social networking brings to enterprises and how to enable social networking while protecting against risks. Featuring SANS Fellow Eric Cole, PhD. Register for this webcast to receive an advance copy of a special SANS accompanying whitepaper on the same topic. Go to: http://www.sans.org/info/66943 ************************************************************************* TRAINING UPDATE New "Combating Malware in the Enterprise" course at SANS (SEC569). How do you fight off malware when you have thousands of hosts? Course debut in Las Vegas (Sept'10) and Washington DC (Dec'10):
http://www.sans.org/security-training/combating-malware-enterprise-1482-mid

-- SANS London 2010, November 27-December 6, 2010 14 courses. Bonus evening presentations include Latest Advances in Computer Forensics; and Continuous Vulnerability Testing and Remediation: The 20 Critical Security Controls Perspective
http://www.sans.org/london-2010/

-- SANS Cyber Defense Initiative 2010, Washington DC, December 10-17, 2010 24 courses. Bonus evening presentations include Browser Based Defenses; Continuous Vulnerability Testing and Remediation: the 20 Critical Security Controls Perspective; and Cyberwar or Business as Usual? The State of US Federal CyberSecurity Efforts
http://www.sans.org/cyber-defense-initiative-2010/

-- SANS Security East 2011, New Orleans, LA, January 20-27, 2011 12 courses. Bonus evening presentations and special events include Happy Little Clouds: Governing, Assessing and Auditing Cloud Environments; and Future Trends in Network Security
http://www.sans.org/security-east-2011/

-- SANS 2011, Orlando, FL, March 27-April 4, 2011 39 courses. Bonus evening presentations and special events include Hiding in Plain Sight: Forensic Techniques to Counter the Advanced Persistent Threat; and Law and the Public's Perception of Data Security
http://www.sans.org/sans-2011/

-- Looking for training in your own community?
http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus San Antonio, Sydney, Tokyo and San Francisco all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php ******************** SPONSORED LINK *******************
1) InstantSecurityPolicy.com - Quick, Custom IT Security Policy Templates, Delivered Online - Comprehensive, Complete and 100% Guaranteed http://www.sans.org/info/66948 *********************************************************

---

TOP OF THE NEWS

Stuxnet Appears to Target Frequency Converter Drives (November 15, 2010)

Continuing analysis of the Stuxnet worm by Symantec suggests that it may have been created with the intent of sabotaging Iranian uranium enrichment efforts. The worm appears to target industrial systems that control certain frequency converter drives, high speed motors like those used to spin gas centrifuges. In particular, it targets drives with outputs of 600Hz and greater. Internet Storm Center:
-http://isc.sans.edu/diary.html?storyid=9934
-http://www.wired.com/threatlevel/2010/11/stuxnet-clues/
-http://www.computerworld.com/s/article/9196458/New_Stuxnet_clues_suggest_sabotag
e_of_Iran_s_uranium_enrichment_program?taxonomyId=17
-http://www.eweek.com/c/a/Security/New-Stuxnet-Details-May-Shed-Light-on-True-Tar
get-709839/
-http://www.theregister.co.uk/2010/11/15/stuxnet_jigsaw_completed/
-http://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf
[Editors Note (Northcutt): This is a MUST READ. Very well researched, lots of interviews, one of the best views into the cyber criminal underground. Plan to invest at least an hour, look up some of the leads, and you'll learn what we are up against. (Schultz): I fear that Stuxnet is just the beginning of much worse things to come. Worms with payloads that target specific technologies are perfectly suited for certain kinds of information warfare attacks. ]

Cyber Security Bills Could Stall in Congressional Lame Duck Session (November 15, 2010)

Cyber security legislation is likely to stall in the Congress according to Chair of the Homeland Security Subcommittee on Emerging Threats, Cybersecurity, Science and Technology Representative Yvette D. Clarke (D-NY). Three bills are under consideration: the Grid Reliability and Infrastructure Defense; Cybersecurity; and Protecting Cyberspace as a National Asset bills are not likely to move forward during the lame duck session of Congress. Others have voiced similar opinions.
-http://www.nextgov.com/nextgov/ng_20101115_4848.php
-http://www.govinfosecurity.com/articles.php?art_id=3102

---

THE REST OF THE WEEK'S NEWS

Verizon Launches Anonymous Breach Reporting Site (November 11, 12 & 15, 2010)

A new Verizon Business website called VERIS allows people to post information about data breaches at their companies without revealing either the company's or their own identity. VERIS users are urged to submit information through a trusted browser and to consider using Tor or a public Wi-Fi connection. The goal of the website is to gain a wider picture of breach trends. The application generates a report comparing the reported incident to others.
-http://www.securecomputing.net.au/News/238591,verizon-launches-hackileaks.aspx
-http://www.darkreading.com/insiderthreat/security/attacks/showArticle.jhtml?arti
cleID=228200715
-http://www.infosecurity-us.com/view/13943/verizon-launches-website-to-collect-in
formation-on-data-breaches/
-https://www2.icsalabs.com/veris/
[Editor's Note (Honan): Our biggest weapon in defeating the criminals and protecting our systems is to share information. Well done to Verizon for this initiative and I urge you to take the time to share whatever details you can about incidents within your own organisation so that we can all benefit. ]

Former Hospital Employee Allegedly Stole and Sold Patient Data (November 11 & 15, 2010)

Holy Cross Hospital in Ft. Lauderdale, Florida has notified 44,000 people who were patients at their Emergency Room between April 2009 and September 2010 that their personal information may have been compromised. Former hospital employee Natashi Orr was fired after her alleged role in the data theft came to light. She allegedly stole patient names, addresses and Social Security numbers and sold them to other people who used the information to apply for credit cards and establish bank debit accounts. Fifteen hundred patients are known to be affected by the scheme, but the hospital chose to notify all visitors to the ER during the time Orr worked there. Three other people have also been arrested in connection with the scheme.
-http://www.infosecurity-us.com/view/13963/florida-hospital-admits-to-data-breach
-affecting-1500-patients/
-http://www.tmcnet.com/usubmit/2010/11/11/5133263.htm

Koobface Report Provides Insight; Command-and-Control Servers Taken Offline (November 13, 14 & 15, 2010)

Three command-and-control servers for the Koobface botnet have been taken offline thanks to the combined efforts of security researchers, law enforcement agents and Internet service providers (ISPs). Koobface, which spreads through social networks, first appeared in May 2008. A recent report from SecDev chief researcher Nart Villeneuve details how Koobface made its operators more than US $2 million between June 2009 and June 2010.
-http://www.informationweek.com/news/security/management/showArticle.jhtml?articl
eID=228200934&subSection=News
-http://www.computerworld.com/s/article/9196398/Researchers_take_down_Koobface_se
rvers?taxonomyId=17
-http://www.nytimes.com/2010/11/15/technology/15worm.html?_r=1&ref=technology
-http://www.eweek.com/c/a/Security/How-the-Koobface-Botnet-Made-2-Million-in-a-Ye
ar-247376/
-http://www.theregister.co.uk/2010/11/15/koobface_take_down/
-http://www.infowar-monitor.net/reports/iwm-koobface.pdf

White House Considering Privacy Watchdog Position (November 12 & 15, 2010)

Reports of the Obama administration's plan to appoint a federal privacy watchdog and push for privacy legislation have met with mixed reviews. Details of the plan will be revealed in a report from the US Department of Commerce. The report lays out the Department of Commerce's privacy policy goals. Some wonder if new privacy legislation is needed.
-http://www.executivegov.com/2010/11/obama-wants-internet-privacy-watchdog/
-http://www.computerworld.com/s/article/9196340/Proposed_privacy_watchdog_gets_mi
xed_reviews?taxonomyId=17&pageNumber=1
-http://www.computerworld.com/s/article/9196328/Obama_may_toughen_Internet_privac
y_rules_report_says_?taxonomyId=17
[Editor's Note (Pescatore): The FTC seems to continually do a good job of being a privacy watchdog, hasn't needed new laws or a new czar. ]

Active Hyperlinks Blocked in Live Messenger 2009 to Prevent Worm Spreading (November 12 & 15, 2010)

Microsoft has blocked active hyperlinks in Windows Live Messenger 2009 to thwart the spread of a malicious worm. When a computer is infected, the malware inserts a link into an IM conversation with other users; if the user clicks on the link, the malicious site opens in a browser window and the worm downloads onto that computer. Users can still copy and paste links into browsers, but the deactivation of the links in Live Messenger is aimed at preventing unintentional clicks. Links have not been disabled in Messenger 2011 because of its Link Safety feature.
-http://windowsteamblog.com/windows_live/b/windowslive/archive/2010/11/12/securit
y-alert-active-links-in-messenger-2009-temporarily-turned-off-to-prevent-a-malic
ious-worm.aspx
-http://www.securitynewsdaily.com/worm-crawling-through-windows-messenger-0287/

Kernell Sentenced to 366 Days in Custody for Breaking Into Palin's Yahoo eMail (November 12, 2010)

Former Tennessee college student David Kernell has been sentenced to a year and a day in custody for breaking into then-vice-presidential candidate Sarah Palin's Yahoo email account. The judge recommended that the sentence be served in a halfway house rather than a prison, but the ultimate decision rests with the Federal Bureau of Prisons. Once his custodial sentence is complete, Kernell will serve three years of probation. In April, Kernell was convicted of misdemeanor computer intrusion and felony obstruction of justice, the latter for deleting evidence from his hard drive.
-http://www.computerworld.com/s/article/9196334/Update_Sarah_Palin_hacker_Kernell
_gets_one_year_sentence?taxonomyId=17
-http://www.wired.com/threatlevel/2010/11/palin-hacker-sentenced/
-http://www.theregister.co.uk/2010/11/12/palin_email_hacker_sentenced/

Three Arrested in Phishing Scheme (November 11, 2010)

Three men have been arrested in connection with an alleged phishing scheme. Spam sent to victims attempted to get them to divulge their credit card information. The stolen data were then used to purchase computer equipment and have it shipped to abandoned houses. Authorities were alerted to the scheme when someone noticed the UPS boxes at abandoned houses in Lake Charles, Louisiana.
-http://www.pcworld.com/businesscenter/article/210463/three_charged_with_phishing
_after_sears_investigation.html

Albert Gonzalez (November 10, 2010

An in-depth article from the New York Times magazine details Albert Gonzalez's lifelong fascination with computers and involvement in shady cyber activity. Gonzalez, who once worked with the US Secret Service to help them nab members of Shadowcrew.com, is now serving two concurrent 20-year prison sentences for masterminding theft of payment card information from a significant number of major retailers.
-http://www.nytimes.com/2010/11/14/magazine/14Hacker-t.html?ref=technology

---

**********************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer at the North American Energy Reliability Commission (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/