
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIII - Issue #1

January 04, 2011

TOP OF THE NEWS

State Department System That Held Leaked Cables Lacked Certain Security Features
Monitoring Software Catches Employee Trafficking in Pirated Games
DoD and Industry to Trade IT Experts Temporarily

THE REST OF THE WEEK'S NEWS

"White House" eCard Carries Malware
Leaked Zero-Day IE Flaw Raises Issue of Responsible Disclosure Again
France Stepping Up Anti-Piracy Efforts
Authorities Gather Evidence in Attacks on PayPal, Visa and MasterCard
Honda Customer Database Security Breach
University Will Not Take Down Chip-and-Pin Vulnerability Thesis


********** Sponsored By SANS Application Security 2011 *****************
Do you know the most current information on web hacking techniques and how you can guard against them? If not, register for SANS AppSec 2011 taking place March 7-14, 2011 in San Francisco. Register by 1/26 and save $400. http://www.sans.org/info/68493
*************************************************************************
TRAINING UPDATE
New "Combating Malware in the Enterprise" course at SANS (SEC569). How do you fight off malware when you have thousands of hosts? Learn the answers in Orlando in March:
http://www.sans.org/security-training/combating-malware-enterprise-1482-mid

-- SANS Security East 2011, New Orleans, LA, January 20-27, 2011. 12 courses. Bonus evening presentations and special events include Happy Little Clouds: Governing, Assessing and Auditing Cloud Environments; and Future Trends in Network Security
http://www.sans.org/security-east-2011/

-- North American SCADA 2011, Lake Buena Vista, FL, February 23-March 2, 2011
http://www.sans.org/north-american-scada-2011/

-- SANS Phoenix 2011, Phoenix, AZ, February 25-March 2, 2011. 6 courses. Bonus evening presentations and special events include Indicators of Compromise: ABCs of IOCs; and Network Vulnerability Exploitation, Step By Step From Discovery through to Metasploit Module
http://www.sans.org/phoenix-2011/

-- SANS AppSec 2011: Summit & Training, San Francisco, CA, March 7-14, 2011. 7 courses. Bonus evening presentations and special events include The Road to Sustainable Security
http://www.sans.org/appsec-2011/

-- SANS 2011, Orlando, FL, March 27-April 4, 2011. 39 courses. Bonus evening presentations and special events include Hiding in Plain Sight: Forensic Techniques to Counter the Advanced Persistent Threat; and Law and the Public's Perception of Data Security
http://www.sans.org/sans-2011/

-- Looking for training in your own community?
http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Atlanta, Bangalore, Singapore and Barcelona all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
****************************************************************************

TOP OF THE NEWS

State Department System That Held Leaked Cables Lacked Certain Security Features (December 31, 2010)

US Lawmakers have indicated their intent to re-introduce cyber security legislation in the current Congress. Among the bills being reconsidered is one that gives the President what some have dubbed the Internet kill switch. It would not authorize the President to shut down the Internet, but would grant the authority to demand that certain elements of critical national infrastructure be disconnected from the Internet in the event of an emergency. For example, if a cyber attack appeared imminent, the President could order the system that controls floodgates at the Hoover dam to disconnect from the Internet. The idea has met with opposition from civil liberties groups. Questions include how the government would know a cyber attack is imminent. The proposed legislation has raised concerns in light of Egyptian President Hosni Mubarak's recent move to sever Internet connections across his entire country in an attempt to quell protests and dissent.
-http://thehill.com/blogs/hillicon-valley/technology/141081-democrats-reopen-cybersecurity-debate

-http://www.wired.com/threatlevel/2011/01/kill-switch-legislation/
-http://www.msnbc.msn.com/id/41311880/ns/technology_and_science-security/
-http://www.scmagazineuk.com/egypt-severs-internet-connectivity-to-leave-it-in-a-black-hole/article/195160/

[Editor's Note (Schultz): Internet connectivity has in many ways become a critical national infrastructure security issue. Whether we like it or not, someone needs the authority to make decisions concerning continuing or severing Internet connectivity. My chief concern is that much of the public's opinion concerning who has the power to make such decisions seems to depend more upon preference of political party than anything else.]

[Editor's Comment (Northcutt): Not sure I think connecting the Hoover dam floodgates to the Internet is all that good of an idea. In terms of Egypt, I thought the SayNow/Google Speak2Tweet application was nifty; hearing people in Egypt share what is on their hearts was very powerful:
-http://googleblog.blogspot.com/2011/01/some-weekend-work-that-will-hopefully.html
]

Monitoring Software Catches Employee Trafficking in Pirated Games (December 29 & 30, 2010)

A Nationwide Insurance employee has been sentenced to two-and-a-half years in prison for pirating and selling copies of computer games. Qiang Bi, who goes by Michael Bi, pleaded guilty to charges of mail fraud, copyright infringement and aggravated identity theft. Nationwide discovered Bi's illegal activity thanks to recently deployed monitoring software that detected a suspicious spreadsheet sent from his personal email account to his work email account. The spreadsheet contained details of PayPal and eBay accounts under phony names. An investigation determined that Bi had sold more than 35,000 pirated copies of computer games with a retail value of US $700,000.
-http://www.dispatch.com/live/content/local_news/stories/2010/12/30/nationwide-employee-sentenced-to-212-years.html?sid=101

-http://cincinnati.fbi.gov/dojpressrel/pressrel10/ci122910.htm
[Editor's Note (Schultz): What occurred in this news item once again provides an excellent real world example of the value of data loss prevention technology. ]

DoD and Industry to Trade IT Experts Temporarily (January 3, 2011)

The US Department of Defense (DoD) will pilot a program in which cyber security experts and IT personnel from DoD will temporarily switch places with industry counterparts. The goal is "to enhance skills and competencies." Among the DoD agencies participating in the swap are the Defense Information Systems Agency, the Defense Advanced Research Projects Agency, the Office of Naval Research and the Pentagon's Chief Information Officer. Some have expressed concern that the program could jeopardize national security. The trade periods would last from three months to two years, and the number of participants would be limited to 10 at a time. DoD employees would remain federal employees and their salaries would be paid by the government, while private sector employees would be paid by their companies.
-http://www.washingtonpost.com/wp-dyn/content/article/2010/12/30/AR2010123003292.html

-http://www.infosecurity-us.com/view/14872/pentagon-industry-to-swap-cybersecurity-experts/



********************** Sponsored Links: *****************************

1) Security of industrial control systems is the #2 national security issue in cyber security! Learn to prevent attacks at the North American SCADA conference ( http://www.sans.org/info/68498 ) in Lake Buena Vista, Florida, February 23 - March 2, 2011. Register by February 23 and save $200.

2) New SANS Analyst Whitepaper: Enabling Social Networking, by Dr. Eric Cole. http://www.sans.org/info/68503
***********************************************************************

THE REST OF THE WEEK'S NEWS

"White House" eCard Carries Malware (January 3, 2011)

An email Christmas card that appeared to come from The White House actually contained malware that succeeded in stealing sensitive documents from recipients, some of whom are government employees and contractors working on cyber security issues. The malicious ecard offered links that infected users' computers with a variant of the ZeuS malware. This version steals information and sends it back to a server that appears to be in Belarus.
-http://krebsonsecurity.com/2011/01/white-house-ecard-dupes-dot-gov-geeks/

Leaked Zero-Day IE Flaw Raises Issue of Responsible Disclosure Again (January 3, 2011)

Google security researcher Michal Zalewski has used his cross_fuzz browser fuzzing tool to find more than 100 browser vulnerabilities. Details of one flaw in Internet Explorer (IE) were stored on a server that had accidentally been indexed by Google; the information made its way into the hands of Chinese hackers. Microsoft has said that the leak has increased the risk to IE users. Microsoft prefers to work with researchers who discover vulnerabilities so that fixes are ready before the flaws are disclosed to the public. Zalewski said that because information about the vulnerability is now in the hands of potential attackers, he decided to disclose the flaw. Microsoft is investigating the reported IE flaw, which is not the same one that Microsoft confirmed on December 21.
-http://www.theregister.co.uk/2011/01/03/ie_0day_leaked/
-http://www.computerworld.com/s/article/9202959/Chinese_hackers_dig_into_new_IE_bug_says_Google_researcher?taxonomyId=17

-http://www.eweek.com/c/a/Security/Microsoft-Google-Researcher-Tangle-Again-on-Security-Disclosure-486754/

[Editor's Comment (Northcutt): I think this is a bit of a tempest in a teapot. My IE version 8 crashes all the time on my 64 bit Windows 7. Maybe this will help get that fixed. And as I understand it, Michal believes that someone independently discovered the flaw. If true, this is less about responsible disclosure and more about when a fuzzing tool is released, get it, run it exhaustively on your own products ASAP:
-http://lcamtuf.coredump.cx/cross_fuzz/known_vuln.txt
]

France Stepping Up Anti-Piracy Efforts (December 31, 2010)

The organization created to address Internet piracy issues in France, Hadopi, has recently sent warning emails to about 25,000 suspected illegal filesharers. According to France's version of the three-strikes model, violators who are caught again within a six-month period will receive a second warning email; a third offense will initiate a judicial process. Those found guilty face fines of 1,500 Euros (US $2,000), Internet connection suspension and possible ISP blacklisting. The alleged violators are identified by IP addresses used to participate in illegal filesharing; the information is being collected by private detective companies that have set up business for this purpose. Hadopi focuses on peer-to-peer filesharing, but many people now use direct download, an activity that is harder to detect, or content streaming, a technology that is not even covered by current French law.
-http://www.guardian.co.uk/commentisfree/2010/dec/31/french-online-piracy-hadopi
[Editor's Comment (Northcutt): We may learn a lot from France's experiment. Piracy must be addressed. I received an email today from a small business owner ( publisher ) who tried marketing a softcopy version of one of his reports. It was immediately posted on a torrent and before they could get it taken down, it was downloaded 110 times. He estimates $80k lost revenue. Here is a link to a related newspost. What I find fascinating are the comments. This certainly is a polarizing issue:
-http://www.techdirt.com/articles/20100921/14423311097/hadopi-begins-issuing-tens-of-thousands-of-notices-for-infringement-in-france.shtml
]

Authorities Gather Evidence in Attacks on PayPal, Visa and MasterCard (December 30, 2010)

Law enforcement authorities in Germany have raided Host Europe, an Internet service provider (ISP), as part of an investigation into attacks on Visa.com, PayPal and Mastercard.com. The attacks are believed to have been launched by a loosely organized hacktivist group known as Anonymous and came in response to the payment sites' refusal to conduct business that would benefit WikiLeaks after WikiLeaks released purloined US diplomatic cables. US authorities have seized hard drives from service providers in Texas and California to gather evidence about the attacks, and last month a Dutch teenager was arrested in connection with the attacks.
-http://www.computerworld.com/s/article/9202838/FBI_raids_ISP_in_Anonymous_DDoS_investigation?taxonomyId=17

[Editor's Comment (Northcutt): Part of the affidavit is posted on The Smoking Gun:
-http://www.thesmokinggun.com/file/paypal-ddos-attack
]

Honda Customer Database Security Breach (December 29, 30 & 31, 2010)

Honda Motor Company is warning millions of its customers that intruders have gained access to their email addresses, probably through an attack on Silverpop Systems, a third-party marketing services provider. The breach appears to affect two million Honda owners and three million Acura owners and also includes names and vehicle identification numbers. The compromised information could be used in phishing attacks.
-http://www.theregister.co.uk/2010/12/31/honda_data_breach/
-http://www.scmagazineus.com/honda-warns-customers-of-email-database-breach/article/193491/

-http://www.msnbc.msn.com/id/40841273/ns/technology_and_science-security/

University Will Not Take Down Chip-and-Pin Vulnerability Thesis (December 29, 2010)

A UK banking lobby group is attempting to censor a student's thesis on chip and pin system vulnerabilities. In a letter to Cambridge University, The UK Cards Association asked that the thesis be removed from a website because it provides a "blueprint for building a device ... to exploit a loophole in the security of chip and pin." The thesis is an outgrowth of earlier work by Cambridge researchers that was published early last year. Cambridge University Professor of Security Engineering Ross Anderson sent a response, refusing the request, and questioning the right of the University to censor a student's published work "simply because a powerful interest finds it inconvenient." Anderson also pointed out that the publication of the earlier research last year resulted in some financial institutions improving their chip and pin systems to mitigate the vulnerabilities.
-http://www.securecomputing.net.au/News/242795,bank-lobby-warns-cambridge-over-it-security-thesis.aspx

Professor Anderson's response:
-http://www.cl.cam.ac.uk/~rja14/Papers/ukca.pdf


************************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer at the North American Energy Reliability Commission (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/