SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIII - Issue #6

January 21, 2011

National High School Cyber Competition Starts Today The Cyber Foundations competition opened today for all high school students in six states. A grant makes participation free for California, Maryland, Texas and Rhode Island students. Corporate sponsorship enables Delaware and Minnesota kids to play free as well. Several other states are lining up corporate sponsorships and kids in states without state-level sponsorship may compete in all three competitions for a fee of $75 per student or $300 per school (unlimited number of students may compete) or $100 per school, if five or more in the state sign up. The program includes online video and text tutorials as well as the tests themselves. The prep period officially starts February 18, but the kids can start now by reviewing sample material. Online competitions are scheduled for March 4, March 18, and April 8. Prizes include gift certificates and awards, written recognition that will help with college applications, recognition at statewide events hosted by leading politicians, and eligibility for scholarships including several full four-year college scholarships.

Help your kids get started today: sans.org/cyber-foundations To sponsor a school or a statewide program contact Renee Mclaughlin at renee.mclaughlin@cisecurity.org
[Overheard yesterday during a discussion of Cyber Foundations in the office of the Chairman of a key US House of Representatives Committee: "This competition could make cyber geeks as cool as sports stars."]

Alan

---

TOP OF THE NEWS

Client Attorney Privilege Does Not Apply if Client Communicates Through Work eMail
Verizon Files Lawsuit Challenging FCC's Net Neutrality Authority
Company Claims WikiLeaks Used P2P Networks to Find Documents

THE REST OF THE WEEK'S NEWS

FERC to Hold Rulemaking Workshop on Security Standards For the Power Grid
Roadmap to Secure Energy Delivery Systems
Bohu Trojan Blocks Cloud Antivirus
Hull and East Yorkshire NHS Trust Apologizes for Data Breach
Michigan ACH Theft Cast Goes to Trial
ACH Thieves Turn to Job Postings
Greenhouse Gas Emission Permits Stolen and Resold Online
Two Charged in iPad Customer Data Theft
Boonana Trojan Flaws Let Other Cyber Criminals Take Charge

---

*********************** Sponsored By SANS 2011 *************************

The nation's largest security training conference - 26 full-week immersion training courses and a dozen more one and two-day courses. Major new courses in advanced pen testing techniques, advanced forensics techniques, secure coding, auditing and more. Because it is the largest, the top teacher in the nation on each topic will be your teacher at SANS 2011. Experience SANS - extraordinary teachers, providing the most up-to-date material, with a promise that you will be able to put what you learn to work as soon as you get home. In Orlando. Save $400 by registering by Feb 9.

http://www.sans.org/sans-2011//

*************************************************************************

TRAINING UPDATE

-- North American SCADA Security 2011, Lake Buena Vista, FL, February 23-March 2 With special DHS/INL and NERC workshops plus hands-on immersion training.
http://www.sans.org/north-american-scada-2011/

-- SANS Phoenix 2011, Phoenix, AZ, February 25-March 2, 2011 6 courses. Bonus evening presentations and special events include Indicators of Compromise: ABCs of IOCs and Network Vulnerability Exploitation, Step By Step From Discovery through to Metasploit Module
http://www.sans.org/phoenix-2011/

-- SANS AppSec 2011: Summit & Training, San Francisco, CA, March 7-14, 2011 7 courses. Bonus evening presentations and special events includes The Road to Sustainable Security
http://www.sans.org/appsec-2011/

-- SANS 2011, Orlando, FL, March 27-April 4, 2011 39 courses. Bonus evening presentations and special events include Hiding in Plain Sight: Forensic Techniques to Counter the Advanced Persistent Threat; and Law and the Public's Perception of Data Security
http://www.sans.org/sans-2011/

-- "Combating Malware in the Enterprise" course at SANS (SEC569). How do you fight off malware when you have thousands of hosts? Learn the answers in Orlando in March:
http://www.sans.org/security-training/combating-malware-enterprise-1482-mid

-- 2011 Asia Pacific SCADA and Process Control Summit, Sydney, Australia, March 31-April 7, 2011
http://www.sans.org/sydney-scada-2011/

-- Looking for training in your own community?
http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Atlanta, Bangalore, Singapore, Wellington and Barcelona all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
****************************************************************************

---

TOP OF THE NEWS

Client Attorney Privilege Does Not Apply if Client Communicates Through Work eMail (January 18, 2011)

A ruling from a California appeals court means that communications between client and attorney are not considered privileged if the client uses his or her work email account to conduct the communication. A unanimous decision by the Sacramento Third Appellate District involves a secretary who claimed her employer turned hostile after learning of her pregnancy shortly after she was hired. The company used email the secretary had sent from the workplace as evidence that she was not suffering severe emotional distress.
-http://www.wired.com/threatlevel/2011/01/email-attorney-client-privilege/
-http://technolog.msnbc.msn.com/_news/2011/01/19/5877181-attorney-client-privileg
es-dont-apply-to-work-e-mail

[Editor's Comment (Northcutt): This is a useful read. These rulings are far less about attorney-client privilege and far more about the importance of having policy on the use of corporate email and also private email from corporate systems.
(Schultz): This ruling is extremely interesting and also important in that protection of client-attorney privileged communications has so repeatedly been upheld in previous U.S. court rulings. A notable exception was the case in New Jersey several years ago in which an employee who knew she was being fired used her company's email system to communicate with her attorney, even though the company prohibited use for non-business reasons. The employer was not allowed to use the messages between her and her attorney in court because they were ruled to be client-attorney privileged.]

Verizon Files Lawsuit Challenging FCC's Net Neutrality Authority (January 20, 2011)

Verizon Communications has filed a lawsuit in the US Court of Appeals for the District of Columbia Circuit challenging the US Federal Communications Commission's (FCC's) authority to enforce net neutrality rules. Last month, the FCC approved rules that prohibit broadband providers from selectively throttling traffic on their networks. Verizon believes that the FCC's "assertion of authority goes well beyond any authority provided by Congress, and creates uncertainty for the communications industry, innovators, investors and consumers."
-http://voices.washingtonpost.com/posttech/2011/01/verizon_challenges_fcc_rules_o
.html
-http://money.cnn.com/2011/01/20/technology/verizon_fcc/index.htm
-http://www.computerworld.com/s/article/9205663/Verizon_files_lawsuit_over_FCC_ne
t_neutrality_order?taxonomyId=17

[Editor's Note (Ranum): They do have a point! The interesting question is whether consumers will care - most of them are concerned about usage-based billing more than 'net neutrality'. ]

Company Claims WikiLeaks Used P2P Networks to Find Documents (January 19 & 20, 2011)

A US peer-to-peer (P2P) investigation company says it has evidence that WikiLeaks obtained some of the documents published in its website through file-sharing networks. Pennsylvania-based Tiversa maintains that on February 7, 2009, it monitored targeted searches by IP addresses based in Sweden as they searched for certain types of documents, some of which later appeared on WikiLeaks. One of Assange's attorneys has called the allegations "completely wrong in every regard." WikiLeaks maintains that the documents it published are obtained from anonymous sources. Tiversa did not specify how it determined that WikiLeaks took the documents.
-http://www.wired.com/threatlevel/2011/01/wikileaks-and-p2p/
-http://www.bloomberg.com/news/2011-01-20/wikileaks-may-have-exploited-music-phot
o-networks-to-get-classified-data.html
-http://www.computerworld.com/s/article/9205699/WikiLeaks_obtains_much_secret_dat
a_from_P2P_nets_not_leaks_firm_claims
-http://www.theregister.co.uk/2011/01/20/wikileaks_p2p_scavenger_claims/

---

*************************** Sponsored Links: *****************************
1) Security of industrial control systems is the #2 national security issue in cyber security! Learn to prevent attacks and what can find the attackers who have gotten through at the North American SCADA conference http://www.sans.org/info/69118 in Lake Buena Vista, Florida, February 23 - March 2, 2011. Register by February 23 and save $200

2) Take the 7th Annual Log Management Survey and be entered to win a $250 American Express Gift card. This comprehensive survey has become a leading indicator of how well log management and automation helps organizations with their security and compliance needs. To take our survey, follow this link: http://www.sans.org/info/69113

3) How can you create more secure applications? Attend SANS AppSec 2011 http://www.sans.org/info/69123 March 7-14, 2011 in San Francisco, California!
************************************************************************************

---

THE REST OF THE WEEK'S NEWS

FERC to Hold Rulemaking Workshop on Security Standards For the Power Grid

The Federal Energy Regulatory Commission is inviting key stakeholders to a workshop That is central to FERC's rulemaking process. The event, to be held in Washington on January 31, will determine the direction that smart grid follows (either smart grid requires standards that incorporate adequate cyber security or smart grid doesn't require standards that incorporate adequate cyber security.) The end result of this conference could be the release of a rule adopting the standards (basically endorsing and encouraging utilities to implement these standards for their smart grid systems).
-http://www.ferc.gov/EventCalendar/Files/20110114074853-1-31-11-agenda.pdf

Roadmap to Secure Energy Delivery Systems (January 20, 2011)

The US Department of Energy is soliciting input for a roadmap to ensure the security of control systems. The Energy Sector Control Systems Working Group (ESCSWG) posted a draft of the roadmap and is asking for input by Wednesday, January 26.
-http://www.controlsystemsroadmap.net

Bohu Trojan Blocks Cloud Antivirus (January 20, 2011)

The Bohu Trojan horse program blocks connections between Windows machines and certain cloud antivirus services. Bohu disguises itself as a video codec. Once it has infected a system, Bohu creates and installs files, installs a Network Driver Interface Specification (NDIS) filter and modifies the registry to cloak its presence on the machine.
-http://www.securecomputing.net.au/News/245426,trojan-built-to-disable-cloud-anti
virus.aspx
-http://www.eweek.com/c/a/Security/Trojan-Blocks-Cloud-Antivirus-Security-Technol
ogy-784022/
-http://www.theregister.co.uk/2011/01/20/chinese_cloud_busting_trojan/

[Editor's Comment (Northcutt): You can check for this registry key to see if your system is infected: HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesWinSock2speednet_sph" PathName" = "%System%netplayonenetplayone.dll"
-http://spywareremovalguides.com/trojan-bohu-removal-steps.html
-http://blog.teesupport.com/how-to-guide-remove-trojan-bohu-virus-trojan-bohu-rem
oval-guide/]

Hull and East Yorkshire NHS Trust Apologizes for Data Breach (January 18, 19 & 20, 2011)

The Hull and East Yorkshire Hospitals NHS Trust has sent letters of apology to 1,147 orthopedic patients after learning that a laptop stolen from a doctor's home contained unencrypted confidential patient information. The compromised information includes names and treatment notes. Although the Trust has implemented steps to prevent patient data from being downloaded, it has not implemented effective measures preventing the information from being emailed, which is what happened in this case. The doctor violated NHS policy by bringing the unencrypted data home. He was temporarily suspended and is facing a disciplinary hearing.
-http://www.scmagazineuk.com/doctor-loses-patient-data-on-laptop-after-breaking-p
olicy-to-take-it-home/article/194577/
-http://www.theregister.co.uk/2011/01/19/hull_hospital_data_breach_flap/
-http://www.bbc.co.uk/news/uk-england-humber-12219652

[Editor's Note (Honan): Policies in isolation will not prevent data breaches. Those policies need to be supported by technologies, processes and procedures to ensure their effectiveness can be monitored. This story is a good demonstration of how a policy without the technology to enforce it, in this case DLP technology, will ultimately fail. ]

Michigan ACH Theft Cast Goes to Trial (January 19, 2011)

The trial involving a US $560,000 automated clearinghouse (ACH) theft from a Michigan metals shop is scheduled to begin this week. The resolution of the case could help establish clearer guidelines for what roles banks are expected to take in protecting business customers from account fraud. In early 2009, an Experi-Metal employee responded to an email that appeared to come from the company's bank, Comerica, asking that the employee log in to a website so the bank could conduct software maintenance. In fact, the message was sent by thieves who stole login credentials and used them to set up 47 fraudulent funds transfers to accounts in China, Estonia, Finland, Russia and Scotland. Experi-Metal and Comerica agree about the basics of the central events, but disagree about what took place before and after the thefts, and about which party is responsible for the losses. Experi-Metal brief:
-http://krebsonsecurity.com/wp-content/uploads/2011/01/Experi-metal-Trial-Brief.p
dfhttp://krebsonsecurity.com/2011/01/experi-metal-vs-comerica-case-heads-to-tria
l/
Comerica brief:
-http://krebsonsecurity.com/wp-content/uploads/2011/01/Comerica-Trial-Brief.pdf

ACH Thieves Turn to Job Postings (January 19, 2011)

The FBI has issued a warning about a new variant on automated clearinghouse (ACH) cyber theft schemes. Instead of tricking employees into divulging company banking log in credentials, some cyber thieves have targeted a company advertising for employees on the Internet; which resulted in that company losing US $150,000. The perpetrators sent what appeared to be a response to the job posting by email to the company containing a variant of the Bredolab Trojan horse program. The malware was then used to steal online banking login credentials. Businesses are urged to use vigilance when opening email from prospective employees.
-http://www.computerworld.com/s/article/9205562/Hackers_steal_150_000_with_malici
ous_job_application
-http://www.theregister.co.uk/2011/01/20/job_application_malware/
-http://www.ic3.gov/media/2011/110119.aspx

[Editor's Comment (Northcutt): It looks like Bredolab is coming apart, but that is not to say we don't all need to be careful:
-http://krebsonsecurity.com/2010/10/bredolab-mastermind-was-key-spamit-com-affili
ate/
-https://www.waarschuwingsdienst.nl/Risicos/Virussen+en+malware/Ontmanteling+Bred
olab.html]

Greenhouse Gas Emission Permits Stolen and Resold Online (January 19 & 21, 2011)

Trading in greenhouse gas emissions permits has been temporarily suspended in Europe in the wake of online attacks resulting in the theft of millions of euros worth of permits. Over the last two months, the security of the emission permit trading system was repeatedly breached. The European Union Emission Trading Scheme (EU ETS) is the largest operation of its kind in the world. The attackers stole the credits and resold them. The exchange will be closed for at least a week while more stringent security measures are put in place.
-http://www.nytimes.com/2011/01/20/business/global/20iht-carbon20.html?_r=1
-http://www.theregister.co.uk/2011/01/19/carbon_trading_site_shuts_after_hack_att
ack/
-http://www.businessday.com.au/business/world-business/eu-halts-emissions-trading
-after-hack-attack-20110120-19wxb.html
-http://asia.news.yahoo.com/afp/20110120/ttc-eu-climate-warming-computer-crime-0d
e2eff.html

Two Charged in iPad Customer Data Theft (January 18 & 19, 2011)

Federal prosecutors have charged two people with conspiracy to access a computer without authorization and fraud in connection with personal information for allegedly breaking into AT&T servers and stealing personal information of more than 100,000 iPad users. Daniel Spitler and Andrew Auernheimer are both believed to be associated with Goatse Security, a loosely organized group of people known to disrupt Internet service. The FBI complaint against the men alleges that the actions were intended to damage AT&T's reputation and to gain "monetary and reputation benefits" for themselves.
-http://www.sfgate.com/cgi-bin/article.cgi?f=/g/a/2011/01/18/bloomberg1376-LF84TH
0UQVI901-4QOE6A2SP69OI0VUB4T8D1MG5D.DTL&tsp=1
-http://news.cnet.com/8301-27080_3-20028799-245.html
-http://www.msnbc.msn.com/id/41162930/ns/technology_and_science-security/

Boonana Trojan Flaws Let Other Cyber Criminals Take Charge (January 18 & 19, 2011)

The Boonana Trojan horse program is notable because it has the capability to infect Windows, Linux and Mac OS X boxes. Once it has situated itself in a computer, it allows access to all the files on that machine. Now it appears that Boonana has flaws of its own that other attackers can exploit to take control of Boonana botnets.
-http://www.net-security.org/malware_news.php?id=1592
-http://www.theregister.co.uk/2011/01/19/mac_linux_bot_vulnerabilities/

---

************************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.


Rohit Dhamankar is a security professional currently involved in independent security research.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer at the North American Energy Reliability Commission (NERC).


Alan Paller is director of research at the SANS Institute.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/