
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIII - Issue #12

February 11, 2011

TOP OF THE NEWS

Cyber Attack Targeted Multinational Oil and Gas Companies
EFF and ACLU Challenge Government's Demand for WikiLeaks-Related Twitter Data
Tweets Not Private, says British Press Complaints Commission

THE REST OF THE WEEK'S NEWS

Irish Job Site Breach
Security Update for Chrome 9
Adobe Fixes 42 Flaws in Reader and Flash
Sony Accidentally Tweets PS3 Jailbreak Code
LG Complaint Alleges PS3 Blu-Ray Patent Infringements
Judge Says ACS:Law May Not Withdraw Lawsuits
ICO Imposes Hefty Fines for Failure to Encrypt Laptops Containing Patient Info
Microsoft Patches 22 Flaws and Disables AutoRun


*** Sponsored by SANS Technology Institute Courses at SANS Phoenix ****

If it's on your schedule to get authoritative training this quarter, why not choose the spectacular Arizona desert and come to SANS Phoenix 2011 at the end of this month for immersion-style, skills-based training by some of the nation's leading experts?
Added Bonus: The temperature is in the 70s. http://www.sans.org/info/69694
*************************************************************************

TRAINING UPDATE
- -- North American SCADA Security 2011, Lake Buena Vista, FL, February 23-March 2 With special DHS/INL and NERC workshops plus hands-on immersion training.
http://www.sans.org/north-american-scada-2011/

- -- SANS Phoenix 2011, Phoenix, AZ, February 25-March 2, 2011 6 courses. Bonus evening presentations and special events include Indicators of Compromise: ABCs of IOCs and Network Vulnerability Exploitation, Step By Step From Discovery through to Metasploit Module
http://www.sans.org/phoenix-2011/

- -- SANS AppSec 2011: Summit & Training, San Francisco, CA, March 7-14, 2011 7 courses. Bonus evening presentations and special events includes The Road to Sustainable Security
http://www.sans.org/appsec-2011/

- -- SANS 2011, Orlando, FL, March 26-April 4, 2011 40 courses. Bonus evening presentations and special events include Hiding in Plain Sight: Forensic Techniques to Counter the Advanced Persistent Threat; and Law and the Public's Perception of Data Security
http://www.sans.org/sans-2011/

- -- "Combating Malware in the Enterprise" course at SANS (SEC569). How do you fight off malware when you have thousands of hosts? Learn the answers in Orlando in March:
http://www.sans.org/security-training/combating-malware-enterprise-1482-mid

- -- 2011 Asia Pacific SCADA and Process Control Summit, Sydney, Australia, March 31-April 7, 2011
http://www.sans.org/sydney-scada-2011/

- -- SANS Northern Virginia 2011, Reston, VA, April 15-23, 2011 11 courses. Bonus evening presentations include Cyberwar or Business as Usual? The State of US Federal CyberSecurity Efforts
http://www.sans.org/northern-virginia-2011/

- -- Looking for training in your own community?
http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Bangalore, Singapore, Wellington and Barcelona all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
****************************************************************************

TOP OF THE NEWS

Cyber Attack Targeted Multinational Oil and Gas Companies (February 10, 2011)

A report from McAfee says that at least five large oil and gas companies were targeted by a series of cyber attacks it has dubbed "Night Dragon." The motive of the attacks appears to be corporate espionage; they resemble the attacks launched against Google in 2009, though they were not as sophisticated. The intruders appear to have operated from within China. They established command-and-control servers in the US and the Netherlands and used them to gain access to computer systems in Kazakhstan, Taiwan, Greece and the US. The attacks appear to have sought information about oil and gas field production systems, financial documents related to field exploration, oil and gas lease bids, and industrial control systems. McAfee says it has fixed the vulnerabilities at the affected companies, but will not identify them because of non-disclosure agreements signed before the work began. The attacks date back to at least late 2009 and may have started as long as four years ago. There is evidence that seven additional energy companies were also targeted. The Christian Science Monitor reported a year ago that Marathon Oil, ExxonMobil and ConocoPhillips suffered breaches that compromised bid data; those attacks occurred in 2008, but the companies did not become aware of them until the FBI contacted them in 2008 and 2009 to tell them that sensitive company information had been flowing out of their systems.
-http://www.nytimes.com/2011/02/10/business/global/10hack.html
-http://www.scmagazineuk.com/mcafee-cto-warns-of-new-combined-threat-named-night-dragon/article/196043/
-http://latimesblogs.latimes.com/technology/2011/02/chinese-hackers-targeted-oil-companies-in-cyberattack-mcafee-says.html
-http://news.cnet.com/8301-30685_3-20031291-264.html
-http://www.theregister.co.uk/2011/02/10/night_dragon_cyberespionage/
Christian Science Monitor story from January 2010:
-http://www.csmonitor.com/USA/2010/0125/US-oil-industry-hit-by-cyberattacks-Was-China-involved


[Editor's Note (Schultz): The fact that organizations, including organizations that have claimed to have implemented so-called "best practices," are often terribly slow in detecting major, sustained attacks against them never ceases to amaze me. ]

EFF and ACLU Challenge Government's Demand for WikiLeaks-Related Twitter Data (February 8 & 9, 2011)

Two civil liberties groups acting on behalf of Birgitta Jonsdottir are challenging the US government's demand that Twitter surrender information about whom she communicated with through the social networking site. Jonsdottir, who is a member of the Icelandic Parliament, is also a former WikiLeaks associate. The Electronic Frontier Foundation (EFF) and the American Civil Liberties Union (ACLU) are also seeking to prevent the release of the same information about two other people associated with WikiLeaks, Jacob Appelbaum and Rop Gonggrijp.
-http://www.wired.com/threatlevel/2011/02/groups-challenge-twitter-probe/
-http://www.msnbc.msn.com/id/41491606/ns/technology_and_science-security/

Tweets Not Private, says British Press Complaints Commission (February 8 & 9, 2011)

Twitter messages are not private, according to a ruling from the British Press Complaints Commission (PCC). The case centered on tweets from Department of Transport employee Sarah Baskerville that were quoted in two national newspapers. Ms. Baskerville's complaint maintained that she had a "reasonable expectation" that the tweets would be accessible only to her 700 followers, but the PCC noted that the public nature of tweets means her potential audience was significantly larger than her pool of followers, and that she had not opted in to any of Twitter's privacy settings. A member of the civil liberties watchdog group Big Brother Watch said that he was surprised the case went as far as it did because "it would seem fairly obvious to most people that anything posted on the Internet can be read and reposted by anyone."
-http://www.itpro.co.uk/630856/twitter-posts-not-private-pcc-says
-http://thefrontline.v3.co.uk/2011/02/twitter-posts-pcc-tweets-privacy-work-department-of-transport-ruling-n.html

-http://www.wired.com/epicenter/2011/02/uk-tweets-are-public-info/

[Editor's Comment (Northcutt): Nice to see a sensible ruling! If you have any doubt, try www.google.com/realtime]


*************************** Sponsored Links: *****************************
1) New SANS Analyst Whitepaper: "Compliance and Security Challenges with Remote Administration," by Dave Shackleford.
http://www.sans.org/info/70619

For more SANS analysts papers on critical technology topics, visit
http://www.sans.org/info/70624.

2) 19 days left to take advantage of $400 Early Bird savings, SANS Northern Virginia 2011
http://www.sans.org/info/69698
****************************************************************************

THE REST OF THE WEEK'S NEWS

Irish Job Site Breach (February 10, 2011)

A security breach at the RecruitIreland.com employment website exposed personally identifiable information of 400,000 job hunters. The site was taken offline for several hours and the database was shut down to prevent cyber thieves from accessing additional information. It appears that the breach was motivated by the search for names and email addresses to use for spamming. Some of those whose information was stolen have reported receiving email messages attempting to recruit them as money mules. The Irish Data Protection Commissioner and the Gardai (the Irish police force) have been notified of the incident, and both internal and external investigations are underway.
-http://www.net-security.org/secworld.php?id=10567
-http://www.theregister.co.uk/2011/02/10/job_site_breach/

Security Update for Chrome 9 (February 9 & 10, 2011)

Google has issued a security update for version 9 of its Chrome browser just days after Chrome 9 was released in its stable version. The fix addresses five vulnerabilities, three of which are rated high priority. Chrome 9.0.597.94 also includes an updated version of Adobe Flash.
-http://www.h-online.com/security/news/item/Google-releases-Chrome-9-security-update-1186749.html
-http://www.esecurityplanet.com/features/article.php/3924161/Google-Refreshes-Chrome-9-for-Security-and-Flash.htm

Adobe Fixes 42 Flaws in Reader and Flash (February 9, 2011)

Adobe's quarterly security update includes fixes for 29 flaws in Reader and 13 in Flash. The release marks the first update for Reader X, an upgraded version of the PDF Reader that includes a sandboxing feature in the Windows version to protect users' systems from some attacks. Most of the flaws in Reader are rated critical and two could allow cross-site scripting (XSS) attacks. The updates bring Reader to versions 8.2.6, 9.4.2 and 10.0.1 for Windows and Mac OS X. An update for Linux is expected to be available on February 28. Flash is now at version 10.2.152.26 for Windows, Mac OS X, Linux and Solaris.
-http://www.computerworld.com/s/article/9208819/Adobe_patches_42_bugs_in_Reader_Flash?taxonomyId=17
-http://www.scmagazineus.com/adobe-issues-slew-of-patches-for-its-software/article/195984/


[Editor's Note (Schultz): I'm a huge proponent of sandboxing--it's good to learn that Adobe has incorporated this function in its upgraded version of the PDF Reader. ]

Sony Accidentally Tweets PS3 Jailbreak Code (February 9, 2011)

Someone tricked the person who manages a Sony PS3 Twitter marketing account into retweeting the very piece of information at the center of its case against George Hotz. The trickster tweeted the PS3 master signing key, which the PS3 Twitter account retweeted in its entirety. The account is managed by a Los Angeles advertising agency. The post has been removed from the PS3 Twitter account page.
-http://www.pcmag.com/article2/0,2817,2379917,00.asp
-http://www.theregister.co.uk/2011/02/09/playstation_jailbreak_key_tweeted/
-http://www.wired.com/threatlevel/2011/02/sony_code/

[Editor's Comment (Northcutt): Nifty bit of social engineering, but the cat is out of the bag. I just used Google to search for the first three octets of the key, "46 DC EA", and got 84,000 hits. I am sure they are not all the key, but spot checks out to page 5 all appear to be the key.]

LG Complaint Alleges PS3 Blu-Ray Patent Infringements (February 8, 2011)

As if the gaffe above weren't trouble enough, Sony is also facing allegations that the Blu-Ray player in the PlayStation 3 gaming console infringes patents held by LG Electronics. In a complaint filed with the International Trade Commission, South Korea-based LG claims violation of two patents associated with Blu-Ray data rendering. LG is seeking to block imports of the PS3 and some Sony Bravia televisions. LG's claim follows a claim from Sony against LG that some of LG's phones violate Sony patents.
-http://www.wired.com/threatlevel/2011/02/sony-victim-or-infringer/
-http://www.pcmag.com/article2/0,2817,2379689,00.asp

Judge Says ACS:Law May Not Withdraw Lawsuits (February 8 & 9, 2011)

A British judge has told ACS:Law that it may not drop cases against alleged file sharers because its actions suggest that it is trying to "avoid public scrutiny." ACS:Law sent letters to thousands of people accusing them of illegal filesharing and demanding they pay GBP 500 (US $805) to avoid legal action. Twenty-six of the cases have proceeded, but ACS:Law's Andrew Crossley attempted to withdraw the cases in January.
-http://www.bbc.co.uk/news/technology-12396443
-http://www.theregister.co.uk/2011/02/09/acs_law_media_cat_judgment/

ICO Imposes Hefty Fines for Failure to Encrypt Laptops Containing Patient Info (February 8, 2011)

Two councils have been fined a total of GBP 150,000 (US $241,000) for failing to encrypt patient data on laptops that were later stolen from an employee's home. The breach affected 1,700 people. While there is no evidence that the information has been misused, the fines were levied by the Information Commissioner's Office (ICO) for violations of the Data Protection Act. Failure to encrypt the laptops also breached council policy.
-http://www.theregister.co.uk/2011/02/08/ico_fines_two_councils_over_unencrypted_laptop_thefts/

Microsoft Patches 22 Flaws and Disables AutoRun (February 8 & 9, 2011)

Microsoft has addressed 22 vulnerabilities in its monthly security update for February. Three of the 12 bulletins have been given the maximum severity rating of critical, while the remaining nine have been rated important. The vulnerabilities addressed affect Windows, Internet Explorer (IE) and Office. The critical bulletins comprise a cumulative security update for IE and fixes for flaws in Windows Shell graphics processing and in the OpenType Compact Font Format driver that could allow remote code execution. Microsoft has also released an update that disables AutoRun for USB drives and other non-optical removable media; AutoRun has been used to propagate malware such as Conficker and Stuxnet. According to Microsoft, four of the top 10 malware families of the last quarter of 2010 used AutoRun to help them spread. The same update was offered two years ago, but it was optional at the time.
-http://www.microsoft.com/technet/security/Bulletin/MS11-feb.mspx
-http://www.zdnet.co.uk/news/security-management/2011/02/09/microsoft-fixes-css-exploit-in-patch-tuesday-update-40091724/
-http://www.computerworld.com/s/article/9208660/Microsoft_delivers_big_month_of_patches_quashes_22_bugs?taxonomyId=17
-http://www.computerworld.com/s/article/9208858/Microsoft_cripples_USB_drive_worms_with_new_XP_Vista_update?taxonomyId=17
-http://krebsonsecurity.com/2011/02/adobe-microsoft-wordpress-issue-security-fixes/


[Editor's Note (Honan): Given the prevalence of viruses which spread via USB keys and other portable media, we may find by disabling AutoRun that this will be one of the most important recent patches issued by Microsoft. ]
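Because the AutoRun change is a policy decision rather than a code fix, a patch inventory alone does not tell you whether a host still honors autorun.inf. The script below is an added example written for this page, not code from SANS, Microsoft or any of the linked articles. It assumes PowerShell 2.0 or later on Windows XP/Vista/2003/2008, an elevated prompt, that KB971029 is the identifier of the AutoRun update (the number is not stated on this page), and the NoDriveTypeAutoRun bit mask and HonorAutorunSetting marker as Microsoft documents them for the AutoRun fixes.

```powershell
# Added example for this page; not code from SANS, Microsoft or the linked articles.
# Audits whether AutoRun is really off on a Windows host and, with -Enforce,
# sets the policy value that disables AutoRun for every drive type.
# Assumptions: PowerShell 2.0+, elevated prompt, and KB971029 as the AutoRun
# update's identifier (assumed; not named on the page this accompanies).
# Save as Test-AutoRun.ps1 and run:
#   .\Test-AutoRun.ps1            audit only
#   .\Test-AutoRun.ps1 -Enforce   audit, set NoDriveTypeAutoRun = 0xFF, re-audit
param([switch]$Enforce)

$PolicyKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$AutoRunUpdate = 'KB971029'   # assumed KB number for the February 2011 AutoRun update

# NoDriveTypeAutoRun is a bit mask: a set bit disables AutoRun for that drive type.
# Bit meanings as documented by Microsoft for this policy value.
$DriveTypeBits = @(
    @{ Name = 'unknown';   Bit = 0x01 },
    @{ Name = 'removable'; Bit = 0x04 },   # USB sticks, memory cards
    @{ Name = 'fixed';     Bit = 0x08 },
    @{ Name = 'network';   Bit = 0x10 },
    @{ Name = 'cdrom';     Bit = 0x20 },
    @{ Name = 'ramdisk';   Bit = 0x40 },
    @{ Name = 'unknown2';  Bit = 0x80 }
)

function Get-AutoRunPosture {
    # Is the update present? (On Windows 7 the behaviour is built in, so this returns nothing.)
    $hotfix = Get-HotFix -Id $AutoRunUpdate -ErrorAction SilentlyContinue
    $policy = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue

    $mask = $null
    if ($policy -and $policy.PSObject.Properties['NoDriveTypeAutoRun']) {
        $mask = [int]$policy.NoDriveTypeAutoRun
    }
    # HonorAutorunSetting is the marker Microsoft's earlier AutoRun fix writes on XP/2003
    # so that NoDriveTypeAutoRun is actually respected; its absence is a warning sign there.
    $honor = $null
    if ($policy -and $policy.PSObject.Properties['HonorAutorunSetting']) {
        $honor = [int]$policy.HonorAutorunSetting
    }

    # Drive types whose bit is clear (or no policy at all) still honor autorun.inf
    $stillAllowed = @()
    foreach ($entry in $DriveTypeBits) {
        if (($mask -eq $null) -or (($mask -band $entry.Bit) -eq 0)) { $stillAllowed += $entry.Name }
    }

    New-Object PSObject -Property @{
        UpdateInstalled     = [bool]$hotfix
        HonorAutorunSetting = $honor
        NoDriveTypeAutoRun  = $(if ($mask -ne $null) { '0x{0:X2}' -f $mask } else { '(not set; Windows default applies)' })
        AutoRunStillAllowed = ($stillAllowed -join ', ')
        # Fully hardened only when the update is present AND every drive-type bit is set
        Hardened            = (([bool]$hotfix) -and ($mask -eq 0xFF))
    }
}

function Set-AutoRunDisabled {
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    # 0xFF = every bit set: AutoRun off for all drive types, including CD/DVD,
    # which the Microsoft update itself leaves enabled.
    Set-ItemProperty -Path $PolicyKey -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
}

'Current posture:'
Get-AutoRunPosture | Format-List

if ($Enforce) {
    Set-AutoRunDisabled
    'Posture after setting NoDriveTypeAutoRun = 0xFF:'
    Get-AutoRunPosture | Format-List
}
```

The audit deliberately reports two separate things: whether the update is installed and what the policy mask currently allows. On an unpatched XP host the mask alone is not enough, because Windows caches autorun.inf entries and can act on them regardless of the policy, which is why the update matters; on a patched host the 0xFF mask closes the CD/DVD case the update leaves open. Machine-wide policy under HKLM is checked here; a per-user override under HKCU with the same value name would need the same check.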


************************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.


Rohit Dhamankar is a security professional currently involved in independent security research.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).


Alan Paller is director of research at the SANS Institute.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/