SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XII - Issue #94

November 30, 2010

TOP OF THE NEWS

Iran's President Acknowledges Cyber Sabotage of Uranium Enrichment Equipment
WikiLeaks Document Release Prompts White House Order to Review Data Protection Measures
Supreme Court Will Not Hear Whitney Harper RIAA Case

THE REST OF THE WEEK'S NEWS

Piracy and Counterfeit Goods Sites Seized
WikiLeaks Targeted by DDoS Attack Just Before Release of Diplomatic Cables
Swedish Appeals Court Upholds Pirate Bay Guilty Verdicts
Zero-Day Vulnerability in Windows Kernel
Suspended Sentence for Man Who Broke Into University Students' Accounts
Indian Police Make Film Piracy Arrests
Woman Admits Helping Sell Counterfeit Computer Chips
Former Missouri College Students Indicted for Alleged Data Theft
Former Ford Employee Pleads Guilty in Industrial Secrets Theft


************************* Sponsored By IBM *****************************
In today's security landscape, it is vital to move from security as an afterthought to an IT infrastructure that is designed, created, and operated with security in mind. Watch Steve Robinson, General Manager, IBM Security Solutions, discuss the four elements of Secure by Design, a philosophy that helps organizations create an agile, innovative security environment. Link: http://www.sans.org/info/67333
*************************************************************************

TRAINING UPDATE

New "Combating Malware in the Enterprise" course at SANS (SEC569). How do you fight off malware when you have thousands of hosts? Learn the answers in Washington DC in December or in Orlando in March:
http://www.sans.org/security-training/combating-malware-enterprise-1482-mid

- -- SANS London 2010, November 27-December 6, 2010 14 courses. Bonus evening presentations include Latest Advances in Computer Forensics; and Continuous Vulnerability Testing and Remediation: The 20 Critical Security Controls Perspective
http://www.sans.org/london-2010/

- -- SANS Cyber Defense Initiative 2010, Washington DC, December 10-17, 2010 24 courses. Bonus evening presentations include Browser Based Defenses; Continuous Vulnerability Testing and Remediation: the 20 Critical Security Controls Perspective; and Cyberwar or Business as Usual? The State of US Federal CyberSecurity Efforts
http://www.sans.org/cyber-defense-initiative-2010/

- -- SANS Security East 2011, New Orleans, LA, January 20-27, 2011 12 courses. Bonus evening presentations and special events include Happy Little Clouds: Governing, Assessing and Auditing Cloud Environments; and Future Trends in Network Security
http://www.sans.org/security-east-2011/

- -- North American SCADA 2011, Lake Buena Vista, FL, February 23-March 2, 2011
http://www.sans.org/north-american-scada-2011/

- -- SANS 2011, Orlando, FL, March 27-April 4, 2011 39 courses. Bonus evening presentations and special events include Hiding in Plain Sight: Forensic Techniques to Counter the Advanced Persistent Threat; and Law and the Public's Perception of Data Security
http://www.sans.org/sans-2011/

- -- Looking for training in your own community?
http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Los Angeles, Atlanta, San Francisco and Bangalore all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
****************************************************************************

TOP OF THE NEWS

Iran's President Acknowledges Cyber Sabotage of Uranium Enrichment Equipment (November 29, 2010)

Iranian president Mahmoud Ahmadinejad has acknowledged that some centrifuges used to enrich uranium in his country were sabotaged by "enemies" with "software ... installed in electronic devices," but the problem was limited. While Ahmadinejad did not specify what software he meant, it is likely that Stuxnet is responsible for the problems. He added that "experts have discovered the origins of the problems," and have taken steps to ensure that there will not be a recurrence.
-http://www.washingtonpost.com/wp-dyn/content/article/2010/11/29/AR2010112903468.html

-http://www.wired.com/threatlevel/2010/11/stuxnet-sabotage-centrifuges/
-http://www.bbc.co.uk/news/world-middle-east-11868596
[Editor's Note (Skoudis): The additional information trickling out about Stuxnet over the past few weeks is stunning. It's like malware from 5 years in the future was beamed down for us to examine now. And, because malware is a trickle-down technology, the ideas of Stuxnet will likely propagate to other malware soon. One very worrying thought is how a Stuxnet-like specimen would impact critical infrastructure in a developed country. Or, what if we see one or two items like Stuxnet per year? Not to be an alarmist, but I just don't think we're ready for it. ]

WikiLeaks Document Release Prompts White House Order to Review Data Protection Measures (November 29, 2010)

The White House Office of Management and Budget (OMB) has ordered all federal agencies to review their procedures for protecting sensitive information in the wake of the release of tens of thousands of confidential State Department documents on WikiLeaks. The directive requires agencies to examine what measures they have in place to restrict access to classified systems, and requires agency heads to implement measures ensuring that employees can access only the information they need for their jobs. The directive sets no deadlines for either the reviews or the implementation of new security measures.
-http://www.govexec.com/dailyfed/1110/112910rb1.htm
-http://www.computerworld.com/s/article/9198358/White_House_orders_security_review_in_wake_of_WikiLeaks_disclosure_?taxonomyId=17

-http://www.informationweek.com/news/security/management/showArticle.jhtml?articleID=228400135

Memo:
-http://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-06.pdf
[Editor's Note (Ranum): I remember when the end of "need to know" was announced and "need to publish" was said to take priority. Apparently that translated to sticking classified material on big servers and letting any newbie intelligence analyst have at the lot. ]

Supreme Court Will Not Hear Whitney Harper RIAA Case (November 29, 2010)

The US Supreme Court has declined to hear a case involving a high school student sued by the Recording Industry Association of America (RIAA) for illegally downloading 37 copyrighted songs. Whitney Harper, who is now a Texas college student, maintained that she did not know at the time she downloaded the music that what she was doing was illegal. Under the innocent infringer defense, Harper claimed her damages should be US $200 for each song, or $7,400. The judge in her initial trial agreed, but the ruling was reversed by the Fifth US Circuit Court of Appeals, which said the record companies had included copyright notices on CD covers and disallowed her innocent infringer status. Harper's defense team argued that because she was downloading the music from the internet and did not have the CD covers, the warnings did not provide actual notice. In a dissent, Justice Samuel Alito wrote that he would grant review to Harper's appeal to look more closely at the Fifth Circuit's interpretation of the innocent infringer provision.
-http://www.csmonitor.com/USA/Justice/2010/1129/Supreme-Court-rejects-case-on-fines-for-illegal-Internet-music-downloads

-http://www.cnn.com/2010/CRIME/11/29/scotus.music.downloads/
-http://www.wired.com/threatlevel/2010/11/innocent/


************************* SPONSORED LINKS ***************************
1) InstantSecurityPolicy.com - Quick, Custom IT Security Policy Templates, Delivered Online - Comprehensive, Complete and 100% Guaranteed http://www.sans.org/info/67338
2) REGISTER NOW! Please join us for the SANS Analyst Webcast: Taming the Social Networking Beast on December 7, 1PM EST sponsored by Palo Alto Networks. Featuring SANS Fellow Eric Cole, PhD. Go to: http://www.sans.org/info/67343
**********************************************************************

THE REST OF THE WEEK'S NEWS

Piracy and Counterfeit Goods Sites Seized (November 26 & 29, 2010)

US authorities have seized 82 websites linked to piracy. All the sites shut down either offer or provide means to find pirated content or sell counterfeit merchandise on the Internet. Some of the sites have already begun conducting business through alternate addresses. The seizure orders were issued by US District Courts across the country. Agents from the Department of Homeland Security's (DHS) Immigrations and Customs Enforcement (ICE) division seized the sites. Attorney General Eric Holder said the operation was deliberately timed to coincide with the holiday shopping season.
-http://www.nytimes.com/2010/11/27/technology/27torrent.html?scp=2&sq=file%20sharing&st=Search

-http://www.washingtonpost.com/wp-dyn/content/article/2010/11/29/AR2010112902410.html

-http://www.computerworld.com/s/article/9198338/Courts_shut_down_82_sites_for_alleged_copyright_violations?taxonomyId=144

-http://www.wired.com/threatlevel/2010/11/us-website-takedowns/
-http://thehill.com/blogs/hillicon-valley/technology/130907-dhs-crackdown-was-timed-to-thwart-cyber-monday-crimes

-http://www.bbc.co.uk/news/technology-11863288
-http://www.businessinsider.com/homeland-security-is-seizing-internet-domains-left-and-right-2010-11

WikiLeaks Targeted by DDoS Attack Just Before Release of Diplomatic Cables (November 28 & 29, 2010)

The whistle-blowing website WikiLeaks came under a distributed denial-of-service (DDoS) attack shortly before its planned release of more than 250,000 confidential American diplomatic cables. Through its Twitter feed, WikiLeaks said it had already provided some of the documents to certain newspapers. According to the US State Department, the release of this batch of documents puts lives at risk. As of Monday afternoon EST, WikiLeaks was being hosted on Amazon servers in the US and Ireland.
-http://www.computerworld.com/s/article/9198418/WikiLeaks_moves_to_Amazon_servers_after_DoS_attacks?taxonomyId=17

-http://www.wired.com/threatlevel/2010/11/wikileaks-attack/
-http://www.bbc.co.uk/news/world-us-canada-11858637
-http://www.nytimes.com/2010/11/29/world/29cables.html?hp

Swedish Appeals Court Upholds Pirate Bay Guilty Verdicts (November 26 & 29, 2010)

The Svea Court of Appeal has upheld a lower court ruling that sentenced the founders of The Pirate Bay to jail and fined them 30 million kronor (US $4.3 million). The appeals court reduced the jail sentences but increased the fine to 46 million kronor (US $6.6 million). The defendants maintain that The Pirate Bay did not itself host pirated content. The failure of the appeal appears to be the impetus behind a new round of distributed denial-of-service (DDoS) attacks by Anonymous. The ruling affects three of The Pirate Bay's four founders: Peter Sunde, Fredrik Neij and Carl Lundstrom. The fourth, Gottfrid Svartholm Warg, was ill and unable to appear in court; his appeal will be heard at a later date. All four were found guilty of assisting copyright infringement in an April 2009 decision.
-http://www.bbc.co.uk/news/technology-11847200
-http://www.theregister.co.uk/2010/11/29/pirate_bay_revenge_ddos/
-http://www.computerworld.com/s/article/9198098/Swedish_judge_confirms_Pirate_Bay_convictions_on_appeal?taxonomyId=17

-http://www.wired.com/threatlevel/2010/11/appeals-court-pirate-bay-admins-still-guilty-now-with-higher-fines/

Zero-Day Vulnerability in Windows Kernel (November 24, 25 & 27, 2010)

A reported zero-day vulnerability in the Windows kernel could be exploited to elevate privileges, and proof-of-concept code has been released. Exploiting the vulnerability requires local access, meaning an attacker must already be able to run code on the machine as a limited user. The flaw allows attackers to circumvent the User Account Control (UAC) feature in Windows Vista and Windows 7. The problem lies in win32k.sys, the kernel-mode driver behind the Windows graphics subsystem, and is reported to affect all versions of Windows. Microsoft is investigating the issue.
-http://www.computerworld.com/s/article/9198158/_Nightmare_kernel_bug_lets_attackers_evade_Windows_UAC_security?taxonomyId=17

-http://www.h-online.com/security/news/item/Another-zero-day-vulnerability-in-the-Windows-kernel-1142264.html

-http://www.theregister.co.uk/2010/11/24/windows_0day_report/
[Editor's Note (Skoudis): This looks like another really useful bug for bad guys to exploit in an environment where client-side software is executed without admin privileges. Earlier this year, the vulnerabilities patched by MS10-015 (and the subsequent MS10-021) were _really_ useful to attackers looking to escalate privilege, and this one holds similar promise. Also, Microsoft categorizes local privilege escalation as merely IMPORTANT (and not CRITICAL), which makes most organizations deploy patches for such flaws very slowly (in 6 months to a year for some organizations), leaving ample opportunity for bad guys to take advantage of such flaws. We use exploits for MS10-015 all the time in penetration tests to mimic what real-world bad guys do.
(Northcutt): I hate to make suggestions I have not tried, but I do not have a scratch box handy right now. You might be able to make a partial work around by installing TeaTimer from Spybot Search and Destroy. I skipped installing it because I had, go figure, the User Account Control. This is also where endpoint whitelist security tools like Bit9, Coretrace Bouncer, McAfee Application control or Savant Protection are worth their weight in gold.]
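The editor's note above argues that "Important"-rated local privilege escalation fixes sit undeployed for months. The script below is an added example (not from the newsletter, Microsoft or any SANS tool) of measuring that lag: it reads a constructed hotfix inventory, compares it against the two bulletins named in the note, and reports, per bulletin, whether the fix was installed within a deployment SLA, installed late, or is still missing and for how many days the host has been exposed. The inventory format, the SLA value, and the KB numbers and release dates in the table are this example's own assumptions and should be checked against the bulletin pages before use.

```python
from datetime import date

# Constructed hotfix inventory, one "KBnnnnnn,YYYY-MM-DD" line per installed
# update (the format is this example's own, not any tool's output).
INVENTORY = """\
# hotfix,installed_on
KB977165,2010-09-20
KB0000000,2010-10-15
"""

# Bulletin -> (KB article, release date, MSRC rating). The two bulletins are
# the ones named in the editor's note; the KB numbers and dates are given
# from memory and must be verified against the bulletin pages.
REQUIRED = {
    "MS10-015": ("KB977165", date(2010, 2, 9), "Important"),
    "MS10-021": ("KB979683", date(2010, 4, 13), "Important"),
}


def parse_inventory(text):
    """Return {KB: install date} from the inventory text, skipping comments."""
    installed = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kb, _, when = line.partition(",")
        installed[kb.strip().upper()] = date.fromisoformat(when.strip())
    return installed


def patch_lag(installed, required, today, sla_days):
    """Return {bulletin: (status, days, rating)}.

    For a present update, days is the lag between release and install and
    status is "ok" or "late" relative to sla_days. For a missing update,
    days is how long the host has been exposed as of today.
    """
    report = {}
    for bulletin, (kb, released, rating) in required.items():
        if kb in installed:
            days = (installed[kb] - released).days
            status = "ok" if days <= sla_days else "late"
        else:
            days = (today - released).days
            status = "missing"
        report[bulletin] = (status, days, rating)
    return report


def run_report(today_iso="2010-11-30", sla_days=30):
    """Evaluate the constructed inventory as of today_iso with a 30-day SLA."""
    return patch_lag(parse_inventory(INVENTORY), REQUIRED,
                     date.fromisoformat(today_iso), sla_days)


if __name__ == "__main__":
    for bulletin, (status, days, rating) in sorted(run_report().items()):
        print(f"{bulletin} ({rating}): {status}, {days} days")
```

Run against the constructed data as of the issue date, MS10-015 shows as installed 223 days after release and MS10-021 as missing for 231 days; feeding it a real inventory (for example the hotfix list from a configuration management database) turns the note's "6 months to a year" into a number per host that can be tracked.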

Suspended Sentence for Man Who Broke Into University Students' Accounts (November 25, 2010)

Daniel Woo has been ordered to pay GBP 21,000 (US $32,650) in costs and compensation and perform 200 hours of community service for installing keystroke-logging software on computers at the University of London's School of Oriental and African Studies. Woo, who was not a student, used the software to break into students' accounts and access their bank accounts. The court gave Woo a 36-month suspended sentence for violations of the Computer Misuse Act.
-http://www.theregister.co.uk/2010/11/25/fake_student_hacker_scam/
-http://www.bbc.co.uk/news/uk-england-london-11840480
-http://cms.met.police.uk/news/convictions/computer_hacker_who_posed_as_student_sentenced

Indian Police Make Film Piracy Arrests (November 23 & 25, 2010)

Police in Hyderabad, India have arrested four people in connection with illegally uploaded digital content. The four allegedly operated a business involving making illegal copies of CDs and DVDs and uploading them to Torrentrockerz. The site focused primarily on Bollywood films.
-http://www.theregister.co.uk/2010/11/25/india_movie_piracy_arrests/
-http://www.medianama.com/2010/11/223-hyderabad-police-arrests-torrent-uploaders/

Woman Admits Helping Sell Counterfeit Computer Chips (November 23, 2010)

Stephanie McCloskey has admitted to helping her employer sell counterfeit computer chips to the US military. She has pleaded guilty to one count of conspiracy. The company for which she worked, Visiontech, allegedly spruced up and sold phony integrated circuits that came from Hong Kong and China. The company's employees scuffed labels so customers could not tell if the codes on the devices matched those on the boxes. The chips were sold to a variety of companies, including several subcontractors working with defense contractors. The company sold counterfeit versions of chips that claimed to be from Intel, Texas Instruments, Motorola, NEC, National Semiconductor and other well-known companies.
-http://www.pcworld.com/businesscenter/article/211428/woman_helped_sell_fake_chips_to_us_military.html

-http://www.channelregister.co.uk/2010/11/24/counterfeit_chips_guilty_plea/
[Editor's Note (Pescatore): This is one element of supply chain integrity. The harder one to deal with is chips from legitimate suppliers that have built hidden capabilities into the firmware or software. What were called "Easter Eggs" back in the day were non-malicious examples, but there are plenty of backdoors and code bomb examples, too. ]

Former Missouri College Students Indicted for Alleged Data Theft (November 23 & 24, 2010)

Joseph A. Camp and Daniel J. Fowler, both former University of Central Missouri (UCM) students, have been indicted on charges of computer intrusion, intercepting electronic communication and aggravated identity theft. The pair allegedly broke into UCM databases, stole personal information on 90,000 students, faculty, staff members and alumni, and attempted to sell the data. They allegedly used malware, spread through USB drives and email attachments, that allowed them to monitor infected systems and even turn on webcams.
-http://www.net-security.org/secworld.php?id=10209
-http://www.computerworld.com/s/article/9197884/Two_former_students_charged_in_university_hack_in_Mo.?taxonomyId=17

Former Ford Employee Pleads Guilty in Industrial Secrets Theft (November 23, 2010)

Xiang Dong (Mike) Yu faces a prison sentence of five or more years and a US $150,000 fine for stealing industrial secrets from his former employer, Ford, and giving the information to a Chinese competitor. Yu was employed at Ford as a product engineer from 1997 until 2007. He admitted copying design specifications to an external hard drive in December 2006, just after accepting a position at another company. He pleaded guilty to stealing trade secrets; sentencing is scheduled for February 23, 2011.
-http://www.theregister.co.uk/2010/11/23/ford_trade_secrets_thief_jailed/
[Editor's Note (Ranum): Organizations concerned with intellectual property leakage should audit accesses to data by departing or about-to-depart employees. ]
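The audit the editor's note recommends is easy to state and rarely done. The script below is an added example (not from the newsletter or any vendor) of the core of it: it joins a constructed file-server access log against a constructed HR roster of users who have given notice, summarises each departing user's activity between notice and last day, and flags bulk copying off the share. The log format, the action names, the 08:00-18:00 business window and the byte and path thresholds are all this example's assumptions; map your own log's fields and verbs onto them.

```python
from datetime import datetime, date

# Constructed file-server access log in "timestamp,user,action,path,bytes"
# form (not the format of any particular product), embedded so the example
# runs offline. jsmith reads two specs before giving notice, then copies
# four of them one evening after notice; alee is not departing.
ACCESS_LOG = """\
2010-11-15T10:00:00,jsmith,READ,/eng/specs/gearbox-v3.pdf,240000
2010-11-20T11:10:00,jsmith,READ,/eng/specs/axle-v2.pdf,180000
2010-12-02T18:40:10,jsmith,COPY,/eng/specs/gearbox-v3.pdf,240000
2010-12-02T18:41:02,jsmith,COPY,/eng/specs/axle-v2.pdf,180000
2010-12-02T18:42:30,jsmith,COPY,/eng/specs/chassis-v5.pdf,910000
2010-12-02T18:45:00,jsmith,COPY,/eng/specs/drivetrain-v1.pdf,610000
2010-12-03T08:15:00,alee,READ,/eng/specs/gearbox-v3.pdf,240000
"""

# Constructed HR roster: user -> (date notice was given, last working day).
ROSTER = {"jsmith": (date(2010, 12, 1), date(2010, 12, 15))}

# Actions that move data off the share. Assumed verbs; map your log's own.
EXFIL_ACTIONS = {"COPY", "DOWNLOAD"}


def parse_log(text):
    """Yield (timestamp, user, action, path, size); skip blank or malformed lines."""
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 5:
            continue
        ts, user, action, path, size = parts
        yield datetime.fromisoformat(ts), user, action.upper(), path, int(size)


def is_after_hours(ts, start=8, end=18):
    """Assumed business window 08:00-18:00; anything outside it is after hours."""
    return ts.hour < start or ts.hour >= end


def audit_departing(log_text, roster, bytes_threshold=1_000_000, path_threshold=3):
    """Summarise each departing user's activity between notice and last day.

    Returns {user: {"events", "bytes_out", "distinct_paths", "after_hours",
    "flagged"}}; a user is flagged when the bytes copied out or the number
    of distinct files copied exceeds the (illustrative) thresholds.
    """
    findings = {}
    for ts, user, action, path, size in parse_log(log_text):
        if user not in roster:
            continue
        notice, last_day = roster[user]
        if not (notice <= ts.date() <= last_day):
            continue  # outside the notice period: baseline, not audited here
        f = findings.setdefault(user, {"events": 0, "bytes_out": 0,
                                       "paths": set(), "after_hours": 0})
        f["events"] += 1
        if action in EXFIL_ACTIONS:
            f["bytes_out"] += size
            f["paths"].add(path)
        if is_after_hours(ts):
            f["after_hours"] += 1
    for f in findings.values():
        f["distinct_paths"] = len(f.pop("paths"))
        f["flagged"] = (f["bytes_out"] >= bytes_threshold
                        or f["distinct_paths"] >= path_threshold)
    return findings


if __name__ == "__main__":
    for user, summary in audit_departing(ACCESS_LOG, ROSTER).items():
        print(user, summary)
```

The roster is the part organisations usually lack: HR knows who has resigned, but that fact has to reach whoever owns the file-server logs before the last day, not after. The thresholds here are deliberately crude; a production version would compare post-notice volume against that user's own pre-notice baseline rather than a fixed byte count.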


**********************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer at the North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/