SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIII - Issue #17

March 01, 2011

College students with cyber skills - register today for the first
national Cyber Quest competition sponsored by the US Cyber Challenge.
This on-line competition features a target website with numerous
vulnerabilities where your job is to find the vulnerabilities and
application configuration and implementation flaws. Top scorers earn
cash prizes. There is no cost for this first round, and it will give you
practice for the all-important late-April Cyber Quest that qualifies you
for invitations to the national US Cyber Camps. Registration opened at
8 AM on Tuesday March 1. The competition runs March 16-23, but don't try
to register at the last moment. Register at http://uscc.cyberquests.org/

The Leading Edge: The NCIC (National Cybersecurity Innovation
Conference) in Washington features users who have found surprisingly
effective solutions to three of the most difficult current cybersecurity
challenges: (1) rapidly isolating advanced persistent threat infections
inside major networks, (2) securing private clouds, and (3) measuring
and reducing cyber risk with continuous monitoring. Information at:
http://www.sans.org/cyber-security-innovations-2011/

Alan

---

TOP OF THE NEWS

Morgan Stanley Was Victim of Aurora Attacks
Malware on London Stock Exchange Site
Legislator Calls for Secure Default Web Pages
HHS Stepping Up HIPAA Privacy Rules Enforcement

THE REST OF THE WEEK'S NEWS

Burglary at Vodafone Facility Caused Service Outage
US Immigration Computer System Vulnerable to Insider Threats
Google Investigating Problem That Reset 150,000 Gmail accounts
Erasing Data on SSDs Proves Difficult
Modified Android App Sends Surreptitious Text Messages to Premium Numbers
Irish Police Arrest Man in ATM Skimming Case
Trojan Modified to Target Macs
US House Committee hears testimony on Cyber Threat Faced by US
SANS Technology Institute Paper of the Month: Assessing Privacy Risks from Flash Cookies

---

*************************************************************************
TRAINING UPDATE
-- SANS AppSec 2011: Summit & Training, San Francisco, CA, March 7-14, 2011 7 courses. Bonus evening presentations and special events includes The Road to Sustainable Security
http://www.sans.org/appsec-2011/

-- SANS 2011, Orlando, FL, March 26-April 4, 2011 40 courses. Bonus evening presentations and special events include Hiding in Plain Sight: Forensic Techniques to Counter the Advanced Persistent Threat; and Law and the Public's Perception of Data Security
http://www.sans.org/sans-2011/

-- The National Cybersecurity Innovation Conference, April 18-19, 2011 User-to-user conference featuring outstanding examples of continuous monitoring and security cloud.
http://www.sans.org/cyber-security-innovations-2011/

-- "Combating Malware in the Enterprise" course at SANS (SEC569). How do you fight off malware when you have thousands of hosts? Learn the answers in Orlando in March:
http://www.sans.org/security-training/combating-malware-enterprise-1482-mid

-- 2011 Asia Pacific SCADA and Process Control Summit, Sydney, Australia, March 31-April 7, 2011
http://www.sans.org/sydney-scada-2011/

-- SANS Northern Virginia 2011, Reston, VA, April 15-23, 2011 11 courses. Bonus evening presentations include Cyberwar or Business as Usual? The State of US Federal CyberSecurity Efforts
http://www.sans.org/northern-virginia-2011/

-- The National Cybersecurity Innovation Conference, April 18-19, 2011 User-to-user conference featuring outstanding examples of continuous monitoring and security cloud.
https://www.sans.org/cyber-security-innovations-2011/

-- SANS Security West 2011, San Diego, CA, May 3-12, 2011 23 courses. Bonus evening presentations include The Emerging Security Threat Panel Discussion; and Emerging Trends in Data Law and Investigation
http://www.sans.org/security-west-2011/

-- Looking for training in your own community?
http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Singapore, Wellington, Barcelona, Amsterdam and Brisbane all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php ********************* Sponsored by Clearwell Systems *************************
REGISTER NOW for the upcoming March 2, 2011 Webcast: Internal Investigation Best Practices: How Automated Analysis Streamlines Digital Investigations FEATURING: Matthew Nelson, Esq. Senior E-Discovery Counsel, Clearwell Systems Go to: http://www.sans.org/info/71773 Start Time: 1:00 PM EST (1800 UTC/GMT)
****************************************************************************

---

TOP OF THE NEWS

Morgan Stanley Was Victim of Aurora Attacks (February 28, 2011)

The same group of attackers that broke into Google's computer systems also attacked systems at Morgan Stanley. The Aurora attacks, as they came to be known, started in June 2009 and continued for about six months and targeted more than 200 companies. The attacks were conducted through servers based in China. Information about the attack was discovered in email messages stolen from HBGary and leaked to the Internet. Morgan Stanley hired HBGary to help with suspected cyber security breaches that aimed to steal sensitive internal information. While looking into those attacks, HB Gary discovered that Morgan Stanley had been the victim of the Aurora attacks as well.
-http://www.businessweek.com/news/2011-02-28/morgan-stanley-attacked-by-china-bas
ed-hackers-who-hit-google.html

Malware on London Stock Exchange Site (February 28, 2011)

The website of the London Stock Exchange (LSE) was infected with malware that appears to have come from third-party advertisements. The malware urged site visitors to download useless security software products and in some cases, merely visiting the site was enough to compromise people's computers. More than 360 pages on the site have reportedly hosted malware over the last three months. LSE has disabled the advertisements responsible for the malware.
-http://www.bbc.co.uk/news/technology-12597819
-http://www.scmagazineuk.com/london-stock-exchange-website-hit-by-malware-scare/a
rticle/197150/

Legislator Calls for Secure Default Web Pages (February 28, 2011)

Senator Charles Schumer (D-NY) is calling on online companies to switch their default pages from HTTP to HTTPS to help protect users who connect to the Internet through public Wi-Fi hot spots. The advent of programs like Firesheep makes it easy for people with little or no technical skill to steal sensitive information, including login credentials and financial account information.
-http://news.cnet.com/8301-1009_3-20037253-83.html

[Editor's Note (Pescatore): This is why good politicians don't make good security system engineers. Not that SSL as the default is necessarily a bad thing, but the very first dollar of web security improvement funds should go to all those online companies vastly improving the security of their web sites. WiFi snooping requires physical proximity, hacking into web sites for direct attacks or establishing botnet infector sites is a much, much higher risk. ]

HHS Stepping Up HIPAA Privacy Rules Enforcement (February 23 & 25, 2011)

The US Department of Health and Human Services (HHS) appears to be getting serious about enforcing Health Insurance Portability and Accountability Act (HIPAA) privacy rules. HHS has imposed enforcement actions against two organizations for HIPAA privacy violations. Cignet Health was charged a civil monetary penalty of US $4.3 million for failing to provide patients access to their own medical records and failing to cooperate with an HHS investigation into the matter. When Cignet finally sent boxes of records to the US Justice Department, they included records for the 41 individuals who had requested their records as well as records of 4,500 other people. Massachusetts General Hospital will pay HHS US $1 million for the exposure of personal information of 192 patients when documents were left on a subway in March 2009. HHS appears to be getting serious about enforcing HIPAA privacy rules. Both incidents are the result of business process failures rather than technology failures.
-http://www.computerworld.com/s/article/9211359/HIPAA_privacy_actions_seen_as_war
ning?taxonomyId=84
-http://www.washingtonpost.com/wp-dyn/content/article/2011/02/22/AR2011022207094.
html
[Editor's Comment (Pescatore): August 2011 will be HIPAA's 15th birthday, or 105th in Internet years. I'd like to believe HHS is finally getting serious about enforcement but there has actually seemed to be equal, if not greater, evidence of movement in the opposite direction in order to reduce security to ease the path to electronic health records. Interesting that the biggest fine here is because Cignet *withheld* access to health records!
(Northcutt): Is it April 1? OK, I need help from an expert, my tally is this would be the 4th and 5th HIPAA organizational enforcements since 1996. Who knows? If you can provide authoritative information please drop a note to stephen@sans.edu. ]

---

*************************** Sponsored Links: *****************************
1) Sponsored by SANS Technology Institute Courses at SANS Northern Virginia The SANS promise is that on your first day back at work after a SANS training, you'll be able to put into practice the skills you learned. At SANS Northern Virginia 2011 select from among our hands-on courses with confidence, knowing you'll gain skills and learn tips and tricks for use in the workplace! http://www.sans.org/info/69743

2) Advance planning is the key to success. Add SANS Ottawa 2011 to your calendar now! http://www.sans.org/info/69713

3) This is your last chance to take the SANS Log Management Survey and be entered to Win a $250 American Express Gift Card. Go here to take the survey: http://www.sans.org/info/71778
************************************************************************************

---

THE REST OF THE WEEK'S NEWS

Burglary at Vodafone Facility Caused Service Outage (February 28, 2011)

A physical break-in at a Vodafone technical facility in Basingstoke, UK, caused thousands of customers to temporarily lose service. The thieves stole computer equipment and network hardware. Vodafone says that the security of customers' personal information was not affected by the theft. Vodafone is working to restore service to those affected by the outage. Several hundred thousand customers are believed to have been affected.
-http://www.bbc.co.uk/news/technology-12595681
-http://www.zdnet.co.uk/news/mobile-working/2011/02/28/vodafone-restores-connecti
ons-after-theft-outage-40091969/

US Immigration Computer System Vulnerable to Insider Threats (February 28, 2011)

According to a report from the Department of Homeland Security (DHS) Office of the Inspector General (OIG), the US Citizenship and Immigration Services' (USCIS) processing system is vulnerable to insider threats. The OIG brought in a third-party group from Carnegie Mellon University's software engineering institute to evaluate insider threats on systems at USCIS.
-http://www.informationweek.com/news/government/security/showArticle.jhtml?articl
eID=229219512&subSection=Security
-http://www.dhs.gov/xoig/assets/mgmtrpts/OIG_11-33_Jan11.pdf
[Editor's Note (Pescatore): As long as casinos and gambling continue to be a huge industry, you can be sure that social engineering attacks will always succeed - people will be people. As long as people act like people and have to collaborate with other people to get the job done, there will be vulnerability to insider threats. The report seems to over-rely on awareness and education but does have good recommendations on employee screening and database activity monitoring.
(Schultz): Sorry, but it should come as no surprise that anyone or anything anywhere is subject to insider threats. I just hope that the DHS's OIG didn't have to spend too much money to reconfirm that this universally known threat exists.
(Honan): In reality every computer system is vulnerable to insider threats and not just those of the US Citizen and Immigration Service. CERT/CC has made some interesting material on countering the insider threat available at
-http://www.cert.org/insider_threat/
(Ranum): Does anyone here know of ANY computer system that is not vulnerable to insider threats? This is absurd.
(Northcutt): Recommendation 8: Consistently enforce exit procedures and Recommendation 11: enforce a requirement for individual accounts on critical systems were the ones that raised my blood pressure. ]

Google Investigating Problem That Reset 150,000 Gmail accounts (February 28, 2011)

Google is looking into a problem with Gmail that emptied the inboxes of a small percentage of users over the weekend. Some users have had their information restored; Google engineers are working on the problem. About 150,000 accounts appear to have been reset, meaning that users cannot access their stored emails, attachments and chat logs.
-http://www.v3.co.uk/v3/news/2275005/google-gmail-email-problems
-http://money.cnn.com/2011/02/28/technology/gmail_outage/
-http://www.net-security.org/secworld.php?id=10671

Erasing Data on SSDs Proves Difficult (February 28, 2011)

A study published by researchers at the University of California at San Diego says that it is more difficult to erase data from solid state drives (SSDs) than from hard disk drives (HDDs). On some SSDs, overwriting the data several times can make it inaccessible, but some techniques proved more successful than others. Techniques for sanitizing hard drives may not work well on SSDs because their internal architecture is so different. Cryptographic erasure, which involves encrypting the device so that users must provide a password to use it, and when the device is ready to be retired, deleting the cryptographic keys on the SSD, appears to be quite effective.
-http://www.computerworld.com/s/article/9211519/Can_data_stored_on_an_SSD_be_secu
red_
-http://cseweb.ucsd.edu/users/swanson/papers/Fast2011SecErase.pdf
[Editor's Note (Honan): It should be noted that the report highlights the same issue with sanitizing data on USB keys. Yet another reason to ensure that any data copied onto USB devices are properly encrypted. ]

Modified Android App Sends Surreptitious Text Messages to Premium Numbers (February 28, 2011)

Hackers have modified an app for the Android phone operating system to include a Trojan horse backdoor function. The tweaked app, called Steamy Window, has been made available through third-party app stores. It has the capability to install other applications, tinker with the device browser's bookmarks, surf to websites and send text messages without user interaction. The text messages are sent to premium rate numbers, for which those behind the malware receive commissions. The modified app also blocks alerts telling phone users that they've exceeded their quota of texts.
-http://www.computerworld.com/s/article/9211879/Infected_Android_app_runs_up_big_
texting_bills?taxonomyId=17

Irish Police Arrest Man in ATM Skimming Case (February 28, 2011)

A Moldovan man was arrested in Limerick, Ireland for his alleged role in a scheme that stole money from private and business bank accounts. During a raid at the suspect's home, law enforcement officials discovered ATM skimming devices and equipment used to manufacture cloned payment cards. The raid and arrest follow a two-year investigation.
-http://www.net-security.org/secworld.php?id=10674
-http://www.independent.ie/national-news/skimming-mastermind-held-after-raid-on-s
uburban-house-2557065.html

Trojan Modified to Target Macs (February 25 & 28, 2011)

A Trojan horse program that targets Windows machines has been modified to infect Macs. The malware can force a shutdown of infected computers, run arbitrary shell commands and add text to desktops. It can also generate pop-up dialog boxes that request the computer's Administrator Password. The malware, known as BlackHole RAT, generates a message upon reboot that informs the user that the machine is infected, and notes that while it is currently under development, there will be additional features in the future. It is based on the darkComet Trojan for Windows.
-http://www.scmagazineus.com/blackhole-malware-in-beta-aims-for-mac-users/article
/197199/
-http://www.theregister.co.uk/2011/02/28/mac_trojan_backdoor/
-http://www.computerworld.com/s/article/9211659/Hacker_writes_easy_to_use_Mac_Tro
jan?taxonomyId=17

US House Committee hears testimony on Cyber Threat Faced by US (February 11, 2011)

In testimony before the US House Permanent Select Committee on Intelligence, CIA Director Leon Panetta and Director of National Intelligence James Clapper spoke of the increased threats the US faces from cyber attacks. Clapper said the "threat is increasing in scope and scale." Among the threats faced recently are attempted intrusions against Defense Department computers, attacks against systems of high profile companies, and the exposure of sensitive information through WikiLeaks. Panetta said that other countries are developing the capacity to bring down multiple elements of US critical infrastructure, which "could paralyze this country." He spoke of the need to develop not only defense against such attacks, but a system that would warn that such attacks were imminent.
-http://abcnews.go.com/News/cia-director-leon-panetta-warns-cyber-pearl-harbor/st
ory?id=12888905

SANS Technology Institute Paper of the Month: Assessing Privacy Risks from Flash Cookies (February 21, 2011)

This paper was developed by students Stacy Jordan and Kevin Fuller as part of the SANS Technology Institute Masters Program. It includes an analysis of flash cookies; a description of the risks of using flash cookies; and technical approaches for detecting, removing, managing and analyzing flash cookies.
-http://www.sans.org/press/assessing-privacy-risks-from-flash-cookies.php
-http://www.sans.edu/student-files/projects/assessing-privacy-risks-jordan-fuller
.pdf

---

************************************************************************
The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/