SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIII - Issue #57

July 19, 2011

TOP OF THE NEWS

Attackers Were in German Police Computers for Months
Righthaven Fined US \$5,000 for Misleading Court
Carefully Thought-Out Patching Strategy Pays Off
UK Phone Hacking Scandal

THE REST OF THE WEEK'S NEWS

Cyber Camp in California Develops Tomorrow's IT Security Pros
Toshiba Customer Data Stolen in Separate Attacks
US Cyber Challenge Camps
Australian Broadcasting Site Compromised
Apple iOS Update Circumvented Days After Release
Thomas Drake Gets Probation for Misdemeanor Charge
US and Romania Work Together to Bust Internet Fraud Ring
Dept. of Energy Lab Back Online After Attack
Skype Will Fix Cross-Site Scripting Flaw
Oracle to Issue 78 Patches

CORRECTION

Correction

---

*********** Sponsored By Raytheon Trusted Computer Solutions ***********

Managing OS security in large enterprise environments can be a daunting responsibility. Make it easy to consistently and predictably harden new or repurposed systems with Security Blanket, an automated tool for 'one click' hardening. Whether you lock down to industry guidelines or a customized profile, Security Blanket automatically hardens systems for you.

Free demo available!

http://www.sans.org/info/82404

*************************************************************************

TRAINING UPDATE

- --SANS Boston 2011, Boston, MA, August 8-15, 2011 12 courses. Bonus evening presentations include When Prevention Fails: Extending IR and Digital Forensics Capabilities to the Corporate Network; and More Practical Insights on the 20 Critical Controls
http://www.sans.org/boston-2011/

- --SANS Virginia Beach 2011, August 22- September 2, 2011 11 courses. Bonus evening presentations include SANS Hacklab; Offensive Countermeasures; and Evolving VoIP Threats
http://www.sans.org/virginia-beach-2011/

- --SANS Ottawa 2011, Ottawa, Ontario, August 28- September 2, 2011 6 courses. Bonus evening presentations include DNS Sinkhole: Peer Into Your Network While You Sleep; and I See What You Did There: Forensic Time Line Analysis
http://www.sans.org/ottawa-2011/

- --SANS Network Security 2011, Las Vegas, NV, September 17-26, 2011 45 courses. Bonus evening presentations include Securing the Kids; Who is Watching the Watchers?; and Emerging Trends in the Law of Information Security and Investigations
http://www.sans.org/network-security-2011/

- --SANS Chicago 2011, Chicago, IL, October 23-28, 2011 6 courses. Bonus evening presentations include Computer Forensics in the Virtual Realm and Electrical Grid Security
http://www.sans.org/chicago-2011/

- --Looking for training in your own community?
http:sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Melbourne, Tokyo, Delhi, London and Baltimore all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

****************************************************************************

---

TOP OF THE NEWS

Attackers Were in German Police Computers for Months (July 17 & 18, 2011)

Officials said that computer security professionals had found cyber intruders were inside German police and customs service computers for months before their presence was detected. Germany's federal agency for cyber security was quoted in a newspaper as saying that attackers infiltrated federal police computers in September 2010, but the attack was not detected until early 2011. The group claiming responsibility for the attacks has published some classified information from the customs service systems and says they have more sensitive information that they will disclose if any member of their group is arrested. Federal Police have reportedly arrested a man believed to be a member of that group, which calls itself "No Name Crew."
-http://www.monstersandcritics.com/news/europe/news/article_1651622.php/Officials
-hackers-were-in-German-police-computers-for-months
-http://www.h-online.com/security/news/item/One-arrest-and-further-threats-in-the
-German-police-hacker-case-1280885.html
-http://www.thelocal.de/sci-tech/20110718-36375.html
[Editor's Note (Murray): Even the NSA now assumes that there are compromised systems on their networks. That must now be the guiding assumption for all large networks. Behave accordingly.
(Paller) And for US government agencies, the Information Assurance Division of the NSA published a great document summarizing Guidelines for Operating on a Compromised Network." Your agency CISO should have a copy if you need it.
(Honan): The H-Online article provides an excellent insight into this attack and highlights that how deploying systems, in this case an Apache server, with default settings can be exploited by attackers. There are valuable resources such as the Center for Internet Security
-http://www.cisecurity.org/index.cfm
which provide you with the details on how not to make the same mistakes. ]

Righthaven Fined US \$5,000 for Misleading Court

US District Judge Roger Hunt of Nevada has fined Righthaven US $5,000 for deliberately misleading the court about who would benefit monetarily from the results of the lawsuits it was filing. Righthaven may appeal the sanction. Also in Nevada, Judge Kent Dawson, threw out a case Righthaven had brought against a blogger because the firm had no standing to sue for copyright violations. Righthaven had tried to argue that an amendment to its agreement with Stephens Media was retroactive, allowing it to file the suit. The judge did not agree.
-http://www.wired.com/threatlevel/2011/07/judge-fines-righthaven-5000/
-http://www.vegasinc.com/news/2011/jul/14/judge-fines-righthaven-5000-misleading-
court-over-/
-http://www.techdirt.com/articles/20110715/02122715100/another-day-another-smackd
own-righthaven-told-to-pay-up-misleading-court.shtml
-http://arstechnica.com/tech-policy/news/2011/07/lessons-in-retroactivity-rightha
ven-cant-change-the-facts-after-it-suesrighthaven-learning-it-cant-change-the-fa
cts-after-it-sues.ars

Carefully Thought-Out Patching Strategy Pays Off (June 15, 2011)

A recently issued report underscores problems inherent in the way most organizations handle security patches. According to "The Secunia Half Year Report 2011," organizations that implement a well-thought out patching strategy lower their vulnerability risks by as much as 80 percent. The number of plug-ins and other programs on endpoints makes the problem even more intractable. A company that patches all of the Windows flaws will still have more than three-quarters of their flaws unpatched. Secunia found that patching the most popular programs reduced risk by 31 percent, but patching the most critical programs reduced risk by 71 percent. "The analysis reveals that timely patching of the software portfolio of any organization is like chasing a continually moving target."
-http://www.scmagazineus.com/report-says-firms-must-rethink-patching-strategy/art
icle/207478/
-http://secunia.com/blog/238
[Editor's Comment (Northcutt): If anyone would know, Secunia would. If you have a PC and have not tried their PSI free patching tool, try it today! I find that piece of software to be very useful, especially when I get busy and put off updates:
-http://secunia.com/vulnerability_scanning/personal]

[Editor's Note (Murray): And the Verizon DBR stresses that patching broadly is more effective than patching early.
(Honan): This report makes for a good read and highlights some interesting issues, such as 26% of all advisories issued last year still remain unpatched. It also highlights that by not patching our systems cyber-criminals do not need to invest time and/or money in 0-day exploits. ]

UK Phone Hacking Scandal (July 15, 16 & 17, 2011)

The phone hacking scandal in the UK has spawned two new investigations and resulted in numerous high-profile individuals resigning their positions at various organizations. Detectives from Scotland Yard's Specialist Crime directorate have launched a separate investigation into allegations that private detectives working for News International used Trojan horse programs to gain access to computers and steal information. In the US, the FBI and other government agencies are investigation allegations that employees of News Corp tried to buy access to the mobile phones of victims of the September 11 attacks. Rebekah Brooks, who resigned last week as CEO of News International, has been arrested. The Metropolitan Police Authority's chief, Sir Paul Stephenson, has resigned his post as has Scotland Yard Assistant Commissioner John Yates.
-http://www.telegraph.co.uk/news/uknews/phone-hacking/8642649/Police-investigate-
new-computer-hacking-claims-linked-to-News-International.html
-http://www.morningstaronline.co.uk/news/content/view/full/107129
-http://www.guardian.co.uk/media/2011/jul/17/rebekah-brooks-arrested-phone-hackin
g-allegations
-http://www.theregister.co.uk/2011/07/18/assistant_commissioner_john_yates_quits_
scotland_yard/
Recent updates: Recent updates to this story are that Sean Hoare, the News of the World journalist who first exposed the illegal activities at the paper, has been found dead,
-http://www.bbc.co.uk/news/uk-14199171.
Police are also examining the contents of a bag found near the home of Rebekah Brooks which contained paperwork, a phone and a computer
-http://www.guardian.co.uk/media/2011/jul/18/mystery-bag-bin-
rebekah-brooks. Meanwhile, Lulzsec has come out of its retirement and hacked the website for The Sun Newspaper where they posted a fake news story on the death of Rupert Murdoch. They also claim they have accessed the email archives for News International
-http://www.telegraph.co.uk/technology/news/8647138/News-International-
faces-threats-over-hacked-emails.html. The UK Prime Minister David Cameron has had to cut short a trip to Africa to return to the UK in order to deal with the scandal
-http://www.bbc.co.uk/news/uk-politics-14195259.

[Editor's Note (Murray): Outsiders damage the brand; insiders bring down the business. Management and professionals are most often the culprits when business fails. The use of private detectives as a means of obtaining "plausible deniability" is tempting, even popular, but less effective than one might hope. ]

---

*************************** SPONSORED LINKS ******************************

1) Trade in your current NAC solution for ForeScout CounterACT Virtual Appliance today! Limited time promotional offer. http://www.sans.org/info/82409

2) SANS Baking Security into Applications and Networks Workshop, Washington DC, August 29 -30, http://www.sans.org/info/82414

3) Sign up Now for SANS WhatWorks Webcast with Alan Paller and Waqas Akkawi. Go to: http://www.sans.org/info/82419

****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Cyber Camp in California Develops Tomorrow's IT Security Pros (July 18, 2011)

A series of cyber camps sponsored by the U.S. Cyber Challenge, began last week at Cal Poly Pomona in southen California, with more than 30 campers spending four days in intensive classes taught by America's top cyber instructors and then finished with a capture-the-flag competition. Participants had to compete against hundreds of their peers just to win a place at the very competitive camp. Those who do best earn scholarships, recognition from state and national leaders, and follow-on opportunities for rapid skills advancement. According to Dan Manson, the Cal Poly faculty member who organized the California Camp, "The nation needs individuals who know what really sophisticated, bad hackers are doing. The only way we get there is by providing opportunities to go up the chain enabling talented young people to develop in-depth hands-on skills." Other camps are scheduled in Missouri, Virginia, Delaware and Maryland.
-http://www.govtech.com/security/Cyber-Camp-Develops-Tomorrows-IT-Security-Pros.h
tml

Toshiba Customer Data Stolen in Separate Attacks (July 18, 2011)

Toshiba has acknowledged that a US-based Toshiba America Information Systems server has been breached, compromising the personal information about 7,500 customers. Toshiba believes the intruders stole information of about 700 customers. The information belongs to customers who had made purchases from Toshiba dealers. The affected data include passwords, email addresses, addresses and phone numbers. The affected server has been taken offline. A second attack on a Toshiba America server compromised usernames and passwords of about 450 customers, 20 resellers and 12 administrators.
-http://technolog.msnbc.msn.com/_news/2011/07/18/7106159-nearly-700-toshiba-custo
mers-emails-passwords-stolen?preview=true
-http://www.siliconrepublic.com/strategy/item/22709-toshiba-web-server-hacked/
-http://www.theregister.co.uk/2011/07/18/tosh_customer_hack/
-http://www.techeye.net/security/toshiba-becomes-latest-hack-victim-customers-tar
geted

US Cyber Challenge Camps (July 18, 2011)

The 2011 US Cyber Challenge Summer Camp at Cal Poly Pomona took place last week. One of five such camps planned for this summer, the event at Cal Poly Pomona brought together 35 people with a talent for cyber security to experience training in various aspects of the field. The goal of the program is to identify and cultivate a corps of 10,000 people who will form the next generation of cyber security professionals. Cal Poly Pomona professor Dan Manson, who organized the camp, said that the environment underscores the idea that "cyber security is a team sport. ... We need to do a better job sharing what we do in cyber security, and we need to develop teams that can defend our country." A teen cyber camp was also held last week; 22 students attended the event in Essex, Maryland.
-http://www.govtech.com/security/Cyber-Camp-Develops-Tomorrows-IT-Security-Pros.h
tml
-http://www.wbaltv.com/r/28563284/detail.html
-http://cba.csupomona.edu/cba/news/cyber_camp_2011.aspx

Australian Broadcasting Site Compromised (July 18, 2011)

Australia's Special Broadcasting Service (SBS) has acknowledged that its website was compromised over the weekend, possibly infecting site visitors' computers with malware that redirected visitors to malicious websites. SBS is encouraging its online readers to run a virus scan on their machines. A similar incident affected the Melbourne Herald Sun earlier this month.
-http://www.zdnet.com.au/hacked-sbs-links-to-risky-content-339318734.htm
-http://www.smh.com.au/technology/security/sbs-hack-attack-readers-told-to-scan-f
or-malware-20110718-1hksf.html
-http://www.couriermail.com.au/news/technology/hackers-break-into-sbs-website/sto
ry-e6frep1o-1226096978101

Apple iOS Update Circumvented Days After Release (July 15 & 18, 2011)

Just days after Apple released a security update for iOS to address a vulnerability exploited by a jailbreaking tool, the newest version of iOS, 4.3.4, has already been jailbroken itself. The vulnerability lies in the PDF viewer, and there are no reports that it is being actively exploited. Apple issued the update nine days after the jailbreak tool, called JailbreakMe, was released. The update fixes three flaws. Two deal with font handling in PDFs and could be exploited to allow remote code execution. The third is a flaw lies in the graphics handling code and could be exploited to gain elevated privileges.
-http://www.h-online.com/security/news/item/Apple-closes-the-Jailbreak-me-hole-Up
date-1280471.html
-http://www.computerworld.com/s/article/9218449/Apple_releases_iOS_updates_to_fix
_PDF_vulnerabilities?taxonomyId=17
-http://www.scmagazineus.com/apple-delivers-ios-patch-for-jailbreak-flaw/article/
207654/
-http://news.cnet.com/8301-13579_3-20080301-37/apples-ios-4.3.4-jailbroken/?tag=m
ncol;title
-http://securitywatch.eweek.com/apple/apples_latest_ios_firmware_jailbroken_by_th
e_weekend.html
-http://www.scmagazineuk.com/apple-jailbreak-patch-already-circumvented/article/2
07714/
[Editor's Note (Murray): Parsing input is difficult. Including a browser in the OS is dangerous. Parsing PDFs in the OS is insane. Patches will not fix this. It is time for Apple to do a fundamental fix. ]

Thomas Drake Gets Probation for Misdemeanor Charge (July 15, 2011)

Thomas Drake, the former National Security Agency (NSA) employee who was accused of leaking information, has been sentenced to one year of probation and 240 hours of community service. Drake was facing 35 years in prison for a number of felony charges until the government dropped those charges and offered him a plea deal last month. Drake ended up pleading guilty to one count of exceeding the authorized use of a computer.
-http://www.baltimoresun.com/news/maryland/bs-md-thomas-drake-sentencing-20110715
,0,5429244,full.story
-http://www.washingtonpost.com/world/national-security/2011/07/15/gIQAoZPWHI.html

US and Romania Work Together to Bust Internet Fraud Ring (July 15, 2011)

More than 100 people have been arrested since 2010 during the course of an ongoing law enforcement operation aimed at shutting down an Internet fraud scheme. Most recently, Romanian authorities executed search warrants targeting over 100 people. The operation is a coordinated effort between authorities in the US and Romania. The scheme involved selling items on eBay, and instructing buyers to wire money to someone they were told was an escrow company employee. The items would never be delivered.
-http://www.justice.gov/opa/pr/2011/July/11-crm-926.html
-http://krebsonsecurity.com/2011/07/more-than-100-arrested-in-fake-internet-sales
/
-http://www.computerworld.com/s/article/9218444/US_Romanian_authorities_target_In
ternet_fraud_scheme?taxonomyId=17
-http://www.v3.co.uk/v3-uk/news/2094546/100-arrested-romanian-police-internet-fra
udsters

Dept. of Energy Lab Back Online After Attack (July 15, 2011)

The US Department of Energy's (DOE) Pacific Northwest National Laboratory (PNNL) now has Internet access, two weeks after a security breach prompted the lab to take itself offline. Most of the lab's public websites are also available. The sites and system are not up yet and are still having security issues addressed. A PNNL spokesperson said that no sensitive information was compromised in the breach.
-http://fcw.com/articles/2011/07/15/pnnl-back-online-after-hack.aspx

Skype Will Fix Cross-Site Scripting Flaw (July 15, 2011)

Skype says that it will address a flaw that could be exploited to change passwords on others' accounts. The cross-site scripting flaw could be exploited by a Skype user placing specially-crafted JavaScript into the mobile phone field of the profile. When a contact gets online, the attacker's profile will be updated and the JavaScript will run when the affected user logs in. The vulnerability could be exploited to take control of sessions and possibly their computers. It could also be used to change the password on a user's account. The attack only works if both the attacker and the target are friends on Skype, and only if the friend is on the frequent contacts list.
-http://www.h-online.com/security/news/item/Vulnerability-in-Skype-allows-account
s-to-be-hijacked-Update-1279864.html
-http://www.computerworld.com/s/article/9218440/Update_Researcher_finds_serious_v
ulnerability_in_Skype?taxonomyId=17
-http://www.infosecurity-magazine.com/view/19480/skype-subject-to-persistent-cros
ssite-scripting-vulnerability-/
[Editor's Note (Skoudis): This flaw shows how insidious and pervasive XSS flaws in web applications are. By changing a user's password, the attacker gets unfettered access to that user's account, letting them impersonate the user on Skype, causing significant mayhem. Further, browser technology is included in all kinds of client software besides Skype, making them susceptible to XSS attacks too. I think we're just seeing the tip of the XSS iceberg, both from a flaws and damages perspective. It's time to double-down on XSS defenses, as summarized here:
-http://software-
security.sans.org/blog/2010/02/22/top-25-series-rank-1-cross-site-scripting/ ]

Oracle to Issue 78 Patches (July 14 & 18, 2011)

Oracle's quarterly Critical Patch Update, scheduled for release on Tuesday, July 19, will comprise 78 patches for a variety of products. The update includes 13 fixes for Oracle's flagship database. Twenty-seven of the vulnerabilities to be addresses could be exploited remotely without usernames or passwords.
-http://www.eweekeurope.co.uk/news/oracle-critical-patch-update-is-a-big-debugger
-34392
-http://www.computerworld.com/s/article/9218427/Oracle_to_issue_78_bug_fixes_on_T
uesday?taxonomyId=17
-http://www.h-online.com/security/news/item/Oracle-to-patch-78-vulnerabilities-12
79960.html
-http://www.oracle.com/technetwork/topics/security/cpujuly2011-313328.html
[Editor's Note (Skoudis): Seventy-Eight? Wow. The dream that we would somehow have less and less patching to do as software got more and more secure seems further away than ever. That's why the other article in this issue on a well-thought-out patching process is so important. We're stuck with exhaustive patching for the foreseeable future, so we've got to make the best of it to protect our environments. ]

---

CORRECTION

Correction: Last week's story, "Wi-Fi Hacker Gets 18 Years for Terrorizing Neighbors," occurred in Minnesota, not Wisconsin.

---

************************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account/