SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIII - Issue #4

January 14, 2011


Good news on building a better pipeline for US cyber talent. The
CyberPatriot program announced that twelve high schools made it to the
finals (see story under REST OF THE WEEK'S NEWS below). At the same
time, several more Congressional delegations have agreed to support the
high school Cyber Foundations competition that starts in February. Kids
can play by themselves; they don't need to be part of a team, but many
schools are setting up coaching programs to help their kids succeed. The
Congressional sponsorship means more high school kids can play for free.
Think of it like a new sport, but a sport for kids who are a little more
focused and intense about computers. And for parents of girls, Delaware
has shown that girls appear to be just as good as the boys. Furthermore,
scholarships are showing up for kids who do well in cyber competitions,
including the Navy's full four-year all costs paid scholarships. If you
know any kids who could be good candidates, get them to explore the
Cyber Foundations site: www.sans.org/cyber-foundations

In addition, college competitions are running across the nation through
the CCDC program (for teams) and through the Security Treasure Hunt
program for individuals. School winners were named in the DC3 forensics
competition and will be recognized at a national conference late this
month. Kids who do well in any of these competitions will be invited to
attend super regional cyber camps this summer with some of America's
best cyber experts teaching them how to excel in advanced topics in
cyber security.
More information: http://www.uscyberchallenge.org/
Alan

PS. The UK has a similar program and Italy is planning one.
UK: https://cybersecuritychallenge.org.uk/

TOP OF THE NEWS

FERC Lacks Smart Grid Security Enforcement Authority
IPv6 Global Trial Slated for June 8

THE REST OF THE WEEK'S NEWS

Twelve High Schools Star in CyberPatriot Competition
David Kernell to Serve Sentence in Minimum Security Prison Camp
API Allows Users to Delete Flash Cookies More Easily
Exploit Code Published for Flaw in Chinese SCADA Software
Vodafone Fires Employees After Security Breach
Disgruntled Former TSA Employee Draws Prison Sentence for Logic Bomb
Two Sentenced in Gas Pump Skimming Scheme
Intruders Accessed Laptops on Bank and Credit Union Network
Microsoft Releases Patches for Three Vulnerabilities


************** Sponsored By SANS Log Management *************************
Take the 7th Annual Log Management Survey and be entered to win a $250 American Express Gift card. This comprehensive survey has become a leading indicator of how well log management and automation helps organizations with their security and compliance needs. To take our survey, follow this link: http://www.sans.org/info/68843

The results will be released in early May during a short series of live webcasts with Jerry Shenk and Dave Shackleford.
*************************************************************************

TRAINING UPDATE
New "Combating Malware in the Enterprise" course at SANS (SEC569). How do you fight off malware when you have thousands of hosts? Learn the answers in Orlando in March:
http://www.sans.org/security-training/combating-malware-enterprise-1482-mid

-- SANS Security East 2011, New Orleans, LA, January 20-27, 2011 12 courses. Bonus evening presentations and special events include Happy Little Clouds: Governing, Assessing and Auditing Cloud Environments; and Future Trends in Network Security
http://www.sans.org/security-east-2011/

-- North American SCADA 2011, Lake Buena Vista, FL, February 23-March 2, 2011
http://www.sans.org/north-american-scada-2011/

-- SANS Phoenix 2011, Phoenix, AZ, February 25-March 2, 2011 6 courses. Bonus evening presentations and special events include Indicators of Compromise: ABCs of IOCs and Network Vulnerability Exploitation, Step By Step From Discovery through to Metasploit Module
http://www.sans.org/phoenix-2011/

-- SANS AppSec 2011: Summit & Training, San Francisco, CA, March 7-14, 2011 7 courses. Bonus evening presentations and special events include The Road to Sustainable Security
http://www.sans.org/appsec-2011/

-- SANS 2011, Orlando, FL, March 27-April 4, 2011 39 courses. Bonus evening presentations and special events include Hiding in Plain Sight: Forensic Techniques to Counter the Advanced Persistent Threat; and Law and the Public's Perception of Data Security
http://www.sans.org/sans-2011/

-- 2011 Asia Pacific SCADA and Process Control Summit, Sydney, Australia, March 31-April 7, 2011
http://www.sans.org/sydney-scada-2011/

-- Looking for training in your own community?
http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Atlanta, Bangalore, Singapore, Barcelona and Bali all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
****************************************************************************

TOP OF THE NEWS

FERC Lacks Smart Grid Security Enforcement Authority (January 13, 2011)

A study from the Government Accountability Office (GAO) says that despite the ongoing development of energy grid security standards, the organization that regulates the electrical system lacks the power to enforce those standards. The Federal Energy Regulatory Commission (FERC) has the authority to adopt security standards under the Energy Independence and Security Act of 2007 (EISA). GAO recommends that FERC work with other regulators to monitor the voluntary adoption of smart grid standards. The standards are being developed and coordinated by the National Institute of Standards and Technology (NIST).
-http://gcn.com/articles/2011/01/13/smart-grid-security.aspx?admgarea=TC_SECURITY
-http://www.gao.gov/new.items/d11117.pdf
[Editor's Note (Schultz): From what I have seen, voluntary security standards for the most part simply do not work. They are optional, but they nevertheless require monetary and other resources, resources that can be allocated to addressing mandatory and other more ostensibly pressing issues. ]

IPv6 Global Trial Slated for June 8 (January 12 & 13, 2011)

The first "global scale trial" of IPv6 is scheduled to take place on June 8, 2011. The event is being coordinated by the Internet Society. For a 24-hour period, participants, including Facebook, Google and Akamai, will make their pages available via IPv6. Companies are being encouraged to switch to IPv6, as it is estimated that IPv4 addresses will run out by the end of this year. The event is aimed at raising awareness of the necessity of the shift from IPv4 to IPv6 and will also allow participants to identify and address problems. Internet users do not need to do anything special for the switch and are unlikely to experience problems, although a small fraction of users may encounter issues with misconfigured or misbehaving home network devices.
-http://www.bbc.co.uk/news/technology-12183098
-http://isoc.org/wp/newsletter/?p=2902


************************ Sponsored Links: ***************************

1) Find out how to prevent control systems cyber-attacks at the Asia Pacific SCADA and Process Control Summit, http://www.sans.org/info/68848 March 31 - April 7 in Sydney, Australia.
2) New SANS Analyst Whitepaper: Enabling Social Networking, by Dr. Eric Cole. http://www.sans.org/info/68853
***********************************************************************

THE REST OF THE WEEK'S NEWS

Twelve High Schools Star in CyberPatriot Competition

The Air Force Association announced that twelve high schools advanced to the final round of the CyberPatriot competition. Hundreds of schools competed online in the first two rounds. These high schools will compete in a live competition outside Washington DC at the end of March. The competition is supported by Northrop Grumman and SAIC. The finalists:

California (5)
  LAUSD/Franklin High School Open 1 - Fernandez - Los Angeles
  LAUSD/Locke High School - Open 1 - Taylor - Torrance
  Palos Verdes Peninsula High School - Rolling Hills Estates
  Poway High School Robotics Club - Poway
  Westview High School - San Diego
Oklahoma (2)
  Great Plains Technology Center - Lawton
  Lakewood Christian School - McAlester
Colorado (1)
  Rangeview High School - Berger - Aurora
Indiana (1)
  Park Tudor School - Indianapolis
New Jersey (1)
  Red Bank Regional High School - Little Silver
Texas (1)
  Alamo Academies - Matuszek - San Antonio
Washington (1)
  John R. Rogers - Spokane
-http://www.uscyberpatriot.org/Pages/default.aspx

David Kernell to Serve Sentence in Minimum Security Prison Camp (January 13, 2011)

David Kernell, the Tennessee college student convicted of breaking into vice presidential candidate Sarah Palin's Yahoo mail account has started serving his sentence of one year and one day at a federal prison. The judge in the case had recommended that Kernell serve his sentence at a halfway house, but government officials objected and he is now serving his sentence at a minimum security facility in Kentucky.
-http://www.washingtonpost.com/wp-dyn/content/article/2011/01/13/AR2011011302963.html

-http://www.bbc.co.uk/news/technology-12176463
[Editor's Comment (Northcutt): The Wikipedia account is accurate and balanced. I think one of the key lessons is that he was able to research the answers to the security questions for the "forgot your password" facility from online sources. Never use accurate information for online security questions; if they ask you the name of your pet, answer "Horace" and write it down, or create a system. Don't use your accurate birthday except on financial sites like banks or stock trading.
-http://en.wikipedia.org/wiki/Sarah_Palin_email_hack]

API Allows Users to Delete Flash Cookies More Easily (January 13, 2011)

Adobe has introduced technology that makes it easier for users to delete local shared objects (LSOs), known as Flash cookies. LSOs store user preferences, but some websites have been using the LSOs to restore user cookies even after users have manually deleted them. Working with Mozilla, Google and Apple, Adobe has developed an application programming interface (API) known as NPAPI ClearSiteData that lets users delete LSOs from the settings panels of certain browsers.
-http://news.cnet.com/8301-30685_3-20028397-264.html
-http://www.h-online.com/security/news/item/Adobe-plans-to-make-it-easier-to-delete-Flash-cookies-in-web-browsers-1169011.html

-http://www.theregister.co.uk/2011/01/13/deleting_flash_cookies/
[Editor's Comment (Northcutt): Harder than it sounds. @Ihackbanme (Itzhak Avraham) tossed me the following information, since Eric Huber observed they are not always where they should be: Flash cookies have a .SOL extension and should only be at
C:\Users\[Your Profile]\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\[Random Name]\[Web Site Path] ]
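As an added illustration of the point in the editor's comment (this is not code from the newsletter, from Adobe, or from the people quoted): a small inventory script that lists .sol files under a user profile and reports any that sit outside the #SharedObjects location quoted above. The profile it scans is a constructed sample built in a temporary directory, so it runs offline on any platform; the file contents are placeholders, not real LSO bodies.

```python
"""Inventory Flash local shared objects (.sol files) under a user profile and
flag any found outside the expected #SharedObjects location (added example)."""
import tempfile
from pathlib import Path

# Expected LSO location relative to the user profile, per the editor's comment:
# AppData\Roaming\Macromedia\Flash Player\#SharedObjects\<random>\<site path>\
EXPECTED_SUBDIR = (Path("AppData") / "Roaming" / "Macromedia"
                   / "Flash Player" / "#SharedObjects")


def find_sol_files(profile_root):
    """Map each .sol path (relative to profile_root) to the site directory it
    belongs to and whether it sits under EXPECTED_SUBDIR."""
    profile_root = Path(profile_root)
    expected = profile_root / EXPECTED_SUBDIR
    results = {}
    for path in profile_root.rglob("*.sol"):
        try:
            rel = path.relative_to(expected)
            # Layout is <random name>/<site path>/<file>.sol, so the site is
            # the second component when the file is in the canonical tree.
            site = rel.parts[1] if len(rel.parts) > 2 else "(unknown)"
            in_expected = True
        except ValueError:          # not under the expected directory at all
            site = "(unknown)"
            in_expected = False
        results[str(path.relative_to(profile_root))] = {
            "site": site, "expected_location": in_expected}
    return results


def build_sample_profile(root):
    """Constructed sample profile: two LSOs in the canonical location and one
    stray .sol dropped elsewhere (hypothetical names and contents)."""
    canon = Path(root) / EXPECTED_SUBDIR / "ABCDEFGH"
    for site, name in [("example.com", "prefs.sol"), ("example.net", "tracker.sol")]:
        (canon / site).mkdir(parents=True, exist_ok=True)
        (canon / site / name).write_bytes(b"\x00\xbf")   # placeholder, not a real LSO
    stray = Path(root) / "AppData" / "Local" / "Temp"
    stray.mkdir(parents=True, exist_ok=True)
    (stray / "leftover.sol").write_bytes(b"\x00\xbf")


def scan_sample():
    """Build the constructed profile, scan it, return (all findings, stray paths)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_profile(root)
        found = find_sol_files(root)
        strays = sorted(p for p, info in found.items()
                        if not info["expected_location"])
        return found, strays


if __name__ == "__main__":
    found, strays = scan_sample()
    print(f"{len(found)} .sol files found; outside expected location: {strays}")
```

On a real machine, call find_sol_files on the actual profile directory instead of the constructed one; strays are worth a look because a deleted "cookie" can be restored from an LSO the settings panel never touched.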

Exploit Code Published for Flaw in Chinese SCADA Software (January 13, 2011)

A security flaw in a popular Chinese supervisory control and data acquisition (SCADA) application could be exploited to take control of vulnerable systems. The process heap overflow issue in KingView 6.53 was disclosed after the researcher who discovered it contacted both the software vendor and China's Computer Emergency Response Team (CERT), but received no response after several months. He also published proof-of-concept exploit code. The software is used throughout China in defense, aerospace, energy and manufacturing.
-http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=229000631&subSection=Security

-http://www.eweek.com/c/a/Security/StuxnetLike-Trojans-Can-Exploit-Critical-Flaw-in-Chinese-Industrial-Software-296674/

[Editor's Note (Honan): It appears that the Chinese CERT overlooked the email notifying them of the vulnerability which led to their lack of response.
-http://threatpost.com/en_us/blogs/china-cert-we-missed-report-scada-hole-011311.
The oversight was put down to human error due to the volume of emails the Chinese CERT receives. This highlights why certain elements of security operations should have automation to support the human element in processing large amounts of information and exemplifies the maxim that good security involves People, Process and Technology. ]

Vodafone Fires Employees After Security Breach (January 13, 2011)

An unspecified number of Vodafone employees in Australia have been fired in the wake of a data security breach that exposed the personal information of as many as four million customers. There have been allegations that access to the customer database was sold to criminals. Vodafone has also said that it is taking steps to improve data security. The Australian Privacy Commissioner plans to investigate the incident.
-http://www.zdnet.com.au/vodafone-sacks-staff-over-data-breach-339308574.htm
-http://www.itnews.com.au/News/244672,vodafone-sacks-staff-over-alleged-security-breach.aspx

Disgruntled Former TSA Employee Draws Prison Sentence for Logic Bomb (January 12, 2011)

Former Transportation Security Administration (TSA) employee Douglas James Duchak has been sentenced to two years in prison for planting a logic bomb in a TSA screening system. Duchak had been employed as a data analyst for TSA since 2004. Duchak placed the malware on the system in late 2009, shortly after being informed that his job was being eliminated. The malware was discovered by other workers before it caused any damage.
-http://www.wired.com/threatlevel/2011/01/tsa-worker-malware/
-http://www.theregister.co.uk/2011/01/12/tsa_employee_sabotage_attempt/

Two Sentenced in Gas Pump Skimming Scheme (January 12, 2011)

Two men have been sentenced to prison for their roles in a skimming scheme involving gas pumps at stations around the US. The scheme began to unravel when a convenience store clerk in California noticed a skimming device inside one of the store's gas pumps. Authorities were notified, and they placed a clone inside the pump and waited for the crooks to return and retrieve the device. David Karapetyan and Zhirayr Zamanyan were arrested and charged with felonies. Karapetyan received a seven-year sentence, while Zamanyan received a five-year sentence. Two additional accomplices, Edwin Hamazaspyan and Naum Mints, are scheduled to appear in court in February.
-http://www.theregister.co.uk/2011/01/12/atm_skimming_prison_senteces/

Intruders Accessed Laptops on Bank and Credit Union Network (January 11 & 12, 2011)

Sovereign Bank and Pentagon Federal Credit Union (PenFed) have both recently reported that intruders broke into laptops connected to their networks. Employees noticed a computer on the network connecting to an atypical IP address; an investigation revealed a keystroke logging program on a company laptop. At PenFed, it was discovered that someone had gained access to a laptop on the financial institution's network and used that connection to access a database containing sensitive customer information, including credit card and Social Security numbers.
-http://www.pcworld.com/businesscenter/article/216576/hacked_laptops_lead_banks_to_warn_of_data_breaches.html

-http://www.depositaccounts.com/blog/2011/01/malware-on-laptop-caused-security-breach-at-penfed.html

-http://www.msnbc.msn.com/id/41059570/ns/technology_and_science-security/
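An added example (not code from the newsletter or from either institution) of turning the "atypical IP address" observation above into a repeatable check: learn each host's external destinations from a baseline window of connection records, then flag later connections to destinations outside that set. The record format (timestamp, host, destination IP, port) and the internal address range are assumptions, and all records are constructed.

```python
"""Flag connections to destinations a host has never used during a baseline
window (added example; log format and internal range are assumed)."""
import ipaddress
from collections import defaultdict

# Constructed outbound-connection records: "timestamp host dst_ip dst_port".
BASELINE_LOGS = """\
2011-01-03T09:01:00 laptop-17 203.0.113.10 443
2011-01-03T09:02:00 laptop-17 203.0.113.11 443
2011-01-04T10:15:00 laptop-17 10.20.0.5 445
2011-01-04T11:00:00 laptop-22 203.0.113.10 443
""".splitlines()

NEW_LOGS = """\
2011-01-10T02:13:00 laptop-17 198.51.100.77 8080
2011-01-10T09:05:00 laptop-17 203.0.113.10 443
2011-01-10T09:06:00 laptop-22 10.20.0.9 445
""".splitlines()

# Assumed policy: internal ranges are expected and never flagged.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse(line):
    """Split one record into (timestamp, host, ip_address, port)."""
    ts, host, dst, port = line.split()
    return ts, host, ipaddress.ip_address(dst), int(port)


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def learn_baseline(lines):
    """Map each host to the set of destination IPs seen in the baseline window."""
    seen = defaultdict(set)
    for _ts, host, dst, _port in map(parse, lines):
        seen[host].add(dst)
    return seen


def find_atypical(baseline, lines):
    """Return (host, dst, port, timestamp) for each connection to an external
    destination the host did not contact during the baseline window."""
    alerts = []
    for ts, host, dst, port in map(parse, lines):
        if is_internal(dst) or dst in baseline.get(host, set()):
            continue
        alerts.append((host, str(dst), port, ts))
    return alerts


def run_sample():
    return find_atypical(learn_baseline(BASELINE_LOGS), NEW_LOGS)


if __name__ == "__main__":
    for host, dst, port, ts in run_sample():
        print(f"{ts} {host} -> {dst}:{port} not in baseline")
```

A first-seen destination is a lead, not a verdict; the value is in routing it to someone who checks the host, as the employees in the story did.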

Microsoft Releases Patches for Three Vulnerabilities (January 11, 2011)

Microsoft's security update for January fixes three vulnerabilities in Windows. One of the security bulletins, rated critical, addresses flaws that affect all currently supported versions of Windows. The second bulletin addresses a flaw in the Windows backup tool and affects machines running Windows Vista. There are a handful of known vulnerabilities with exploit code publicly available that Microsoft chose not to fix in this go-round.
-http://krebsonsecurity.com/2011/01/microsoft-plugs-three-windows-security-holes/
-http://www.h-online.com/security/news/item/Microsoft-s-January-Patch-Tuesday-3-fixes-but-5-holes-unpatched-1168034.html

-http://www.microsoft.com/technet/security/Bulletin/MS11-jan.mspx


************************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer at the North American Energy Reliability Commission (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/