SANS NewsBites - Volume: XI, Issue: 53


Boston in August, San Diego and Washington DC in September, and Chicago in October all host major SANS security training events. http://www.sans.org


*************************************************************************
SANS NewsBites                     July 07, 2009                    Volume: XI, Issue: 53
*************************************************************************
TOP OF THE NEWS

  Revised Rockefeller-Snowe Cybersecurity Bill To Move Forward in July

THE REST OF THE WEEK'S NEWS

  ARRESTS, INDICTMENTS & SENTENCES
   Former Employee Arrested for Alleged Code Theft
   Woman Sentenced for Identity Fraud
  GOVERNMENT SYSTEMS AND HOMELAND SECURITY
   MI6 Chief's Information Exposed on Wife's Facebook Page
  DISASTER RECOVERY
   Seattle Data Center Fire Hobbles Bing's Travel Section and Other Sites
  UPDATES AND PATCHES
   Microsoft No Longer Supporting Java Virtual Machine
  DATA LOSS & EXPOSURE
   Bord Gais Data Breach Affects more Than 100,000 Customers
  ATTACKS & ACTIVE EXPLOITS
   Microsoft Warns of Unpatched Flaw in Video Access Control
   Twitter Increasingly Used for Questionable Purposes
   Cold Fusion Attacks
   Malware Targets Latin American Best Buy Website Customers
   Online Game Bank Manager Stole Billions
  MISCELLANEOUS
   BT Puts Phorm On Hold
   Older Versions of McAfee Virus Scan Generate False Positives


******************* Sponsored By Catbird & McAfee, Inc. *******************

Top Security Mistakes in Virtualization (and How to Avoid Them)
Sponsored by Catbird and McAfee
Failure to separate duties, securely segment networks, and to recognize where the virtual meets the physical network are but some of the security mistakes organizations make when deploying virtual machine technology. Senior SANS Analyst, Jim D. Hietala, describes how to avoid these and other security mistakes in order to prevent security incidents and exposures.
http://www.sans.org/info/45453

*************************************************************************

TRAINING UPDATE

- - SANS Network Security, San Diego Sept. 14-22; the Fall's biggest security training conference-- 20 full length courses and 16 short courses plus a big exhibition http://www.sans.org/ns2009
- - SANS Boston, Aug 2-9 (6 full-length hands-on courses) https://www.sans.org/boston09/index.php
- - The Forensics Summit starts on July 9, and has four courses http://www.sans.org/forensics09_summit/event.php:
- - The Virtualization and Cloud Security Summit on August 17-18 in Washington; courses in the following days http://www.sans.org/info/43118
Looking for training in your own community? http://sans.org/community/ Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/spring09.php Plus Amsterdam, London, Dubai, Riyahd, Cairo, Melbourne, Canberra, and Singapore all in the next 90 days. For a list of all upcoming events, on-line and live: www.sans.org

*************************************************************************



TOP OF THE NEWS

Revised Rockefeller-Snowe Cybersecurity Bill To Move Forward in July (June 26, 2009)
The most far-reaching US legislative proposal on Cybersecurity is being modified to eliminate problematic language (such as the language that gave the government the right to "shut-off the Internet" during a national emergency) and will be moving ahead during July with a major rewrite and an additional hearing followed by a full-committee vote. Among many other far-reaching provisions, the Rockefeller-Snowe bill extends federal cyber security regulatory reach to federal contractors and grantees and calls for licensing of cyber security professionals.
-http://www.nextgov.com/nextgov/ng_20090626_2244.php
[Editor's Note (Paller): The White House has a sound plan for cyber security and the President gave a great speech five weeks ago, but the White House does not appear to be acting fast enough, and Congress will step in. Once the Senate Intelligence Committee approves the redrafted Rockefeller-Snowe legislation in July, look for a coming together of Senators Carper (author of the draft 'FISMA 2.0' bill and chairman on the key Senate Subcommittee on cyber security in government), Senators Lieberman and Collins (chairman and ranking member of the Senate Homeland Security and Government Affairs Committee), and Senators Rockefeller and Snowe (chairman and ranking member of the Senate Intelligence Committee). If they all reach agreement on the contentious issue of the White House cyber coordinator's role, they could launch a reshaping of US cyber security policy. ]




*************************** Sponsored Link: *****************************

1) InstantSecurityPolicy.com - Professional IT Security Policies, created and delivered online with innovative wizard, free samples available. http://www.sans.org/info/45458

*************************************************************************


THE REST OF THE WEEK'S NEWS

Former Employee Arrested for Alleged Code Theft (July 6, 2009)
A former Goldman Sachs employee has been arrested for allegedly stealing code from the company. Sergey Aleynikov worked for the company from 2007 until 2009; his responsibilities included "the development of a real time co-located high frequency trading platform." An affidavit alleges that after Aleynikov gave notice at Goldman Sachs, he copied, compressed and encrypted 32 MB of data and moved them to a server in Germany. Aleynikov maintains he intended to copy only open source files that he had worked on, but included the proprietary information by mistake. The affidavit alleges that his use of encryption and the fact that he deleted the software used to perform the tasks suggest his motives were less than honorable. Aleynikov is being held pending his posting of US $750,000 bail; he has also been ordered to surrender his passport.
-http://www.washingtonpost.com/wp-dyn/content/article/2009/07/06/AR2009070601654.
html

-http://www.h-online.com/security/Ex-Goldman-Sachs-developer-arrested-for-code-th
eft--/news/113691

-http://static.reuters.com/resources/media/editorial/20090706/Complaint%20--%20Al
eynikov.pdf

-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9135216

-http://www.wired.com/threatlevel/2009/07/aleynikov/
[Editor's Note (Ranum): The age of internet news makes "innocent until proven guilty" rather pointless, doesn't it? From now on, if someone Googles "Sergey Aleynikov" they will get allegations of a crime, regardless of whether or not he is subsequently acquitted. I predict that there will eventually be some very interesting lawsuits over this kind of thing. The US Department of Justice, for example, settled with Stephen Hatfill and Wen-Ho Lee to the tune of millions of dollars, for declaring Hatfill a "person of interest" and ruining his life, and implying that Lee was a Chinese Government spy and failing to present evidence for any of fifty nine indictments except for one: a trivial instance of mishandling classified material. Every case where an alleged criminal's name is leaked to the press is a multimillion dollar lawsuit waiting to happen if the alleged criminal is actually innocent. Wen Ho Lee's suit included 5 major media outlets and, at $1.6+ million in settlements, it's not over yet. Perhaps SANS NewsBites should not publish names of "alleged" wrongdoers until/if they are convicted? ]



Woman Sentenced for Identity Fraud (July 6, 2009)
Labiska Gibbs has been sentenced to two-and-a-half years in prison for her role in an identity fraud scam that compromised personal information of Library of Congress employees and defrauded Target and other retailers of US $30,000. Gibbs asked her cousin, William Sinclair Jr., who worked at the Library of Congress, to obtain the names, birth dates and Social Security numbers (SSNs) of the employees; she then used the information to purchase gift cards. Sinclair was sentenced to three years probation for his participation in the scheme.
-http://www.nextgov.com/nextgov/ng_20090706_4406.php


MI6 Chief's Information Exposed on Wife's Facebook Page (July 5 & 6, 2009)
Personal information about Sir John Sawers posted on his wife's Facebook account does not constitute a security breach, according to Foreign Secretary David Miliband. Sir Sawers is poised to assume his new role as head of MI6 in November. Lady Sawers's Facebook page was protected by lax security measures; any Facebook member in the London network could view photographs of her family and information about the location of their London home, the whereabouts of their children, and information about their friends and relatives. The content has been removed from the Internet.
-http://www.theregister.co.uk/2009/07/06/mi6_facebook_doh/
-http://technology.timesonline.co.uk/tol/news/tech_and_web/article6644199.ece
-http://www.cnn.com/2009/WORLD/europe/07/05/uk.spy.chief.facebook/index.html
-http://www.dailymail.co.uk/news/article-1197562/MI6-chief-blows-cover-wifes-Face
book-account-reveals-family-holidays-showbiz-friends-links-David-Irving.html

-http://www.v3.co.uk/v3/news/2245492/spies-should-stay-away-social
-http://news.bbc.co.uk/2/hi/uk_news/8135070.stm
[Editor's Note (Pescatore): Back in the day, watching the Dominos pizza delivery office closest to the White House in Washington DC was an information leakage path. Social network sites are the same thing - lots of worry in the military about loss of Operations Security because of all the tweeting and Facebook posting going on by active military and their families. ]


Seattle Data Center Fire Hobbles Bing's Travel Section and Other Sites (July 6, 2009)
Hundreds of websites were unavailable for as long as 36 hours over the US holiday weekend after an electrical fire damaged a Seattle data center late last week. The fire took out the center's backup generator. The outage affected the Travel section of Microsoft's Bing search engine and Authorize.net, a credit card transaction processing site.
-http://www.techweb.com/article/showArticle?articleID=218400512&section=News
-http://seattletimes.nwsource.com/html/microsoftpri0/2009425303_seattledatacenter
fireknockedoutbingtravelatmicrosoft.html

-http://www.eweek.com/c/a/Windows/Microsoft-Bing-Travel-Back-Online-After-Fire-54
3751/



Microsoft No Longer Supporting Java Virtual Machine (July 1 & 6, 2009)
Microsoft has ended support for Microsoft Java Virtual Machine (MSJVM) as of June 30, 2009. Ten patches have been removed from the Microsoft website; all of the patches addressed vulnerabilities in older operating systems and browsers, including Internet Explorer 5 and Windows 95. The most recent of the patches was released in 2003. "Customers are urged to take proactive measures to stay informed about obsolete software and move away from the MSJVM in a timely fashion." Microsoft's site suggests several alternative Java technology options.
-http://www.h-online.com/security/Microsoft-ends-support-for-Java-Virtual-Machine
--/news/113692

-http://www.microsoft.com/mscorp/java/default.mspx


Bord Gais Data Breach Affects more Than 100,000 Customers (July 5, 2009)
The laptop stolen from a Bord Gais office in Dublin affects more customers than was first believed. According to a report from the Data Protection Commissioner, the security breach affects the personal information of more than 100,000 customers; when the incident was first disclosed, the number of affected customers was estimated to be 75,000. In all, four laptops were stolen in early June; at least one contained unencrypted data, including bank account information, of people who had switched to the Bord Gais electricity supply service in recent months.
-http://www.sbpost.ie/post/pages/p/story.aspx-qqqt=IRELAND-qqqm=news-qqqid=42906-
qqqx=1.asp



Microsoft Warns of Unpatched Flaw in Video Access Control (July 6, 2009)
Microsoft is warning of a vulnerability for which no patch is currently available that can be exploited to take control of users' machines. Users can become infected simply by visiting a website that has been seeded with malware. The flaw affects customers using Internet Explorer (IE) on machines running Windows XP or Windows Server 2003. The flaw has been actively exploited for about a week; thousands of sites have been hacked. Users are directed to these sites by clicking on links in spam email. The flaw lies in the way Microsoft Video ActiveX Control interacts with IE. Until a patch is made available, users are urged to take steps, described in Microsoft's security advisory, to prevent Microsoft Video Access Control from running in IE.
Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=6733
-http://isc.sans.org/diary.html?storyid=6739
-http://www.msnbc.msn.com/id/31766751/ns/technology_and_science-security/
-http://www.securityfocus.com/brief/984
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9135210

-http://voices.washingtonpost.com/securityfix/2009/07/microsoft_internet_explorer
_ex.html

-http://www.microsoft.com/technet/security/advisory/972890.mspx


Twitter Increasingly Used for Questionable Purposes (July 6, 2009)
Twitter is being used increasingly as a vector of attack, owing to the ease with which accounts are obtainable. For the time being, Twitter is being used to redirect users to sites that are selling typical spam items - pornography, pharmaceuticals, and phony anti-virus subscription. Of particular concern is Twitter's use of shortened URLs, which can disguise the site to which a user is being taken.
-http://www.usatoday.com/tech/news/2009-07-05-hackers-internet-twitter_N.htm
[Editor's Note (Pescatore): I'm trying to think of any technology that *hasn't* been "increasingly used for questionable purposes." Maybe marshmallow Peeps? ]


Cold Fusion Attacks (July 2, 3 & 6, 2009)
Attackers appear to be targeting websites with old installations of certain Cold Fusion applications; a large number of websites have reportedly been compromised in the last several days. Most of the attacks exploit a vulnerable version of FCKEditor that comes installed by default with Cold Fusion 8.0.1 or Ajax file manager CKFinder. Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=6730
-http://www.theregister.co.uk/2009/07/03/coldfusion_compromise/
-http://www.v3.co.uk/v3/news/2245329/hackers-aim-cold-fusion
-http://www.securecomputing.net.au/News/149160,hackers-take-aim-at-cold-fusion.as
px

-http://www.h-online.com/security/Hole-in-ColdFusion-8-threatens-web-site-securit
y--/news/113698

-http://blogs.adobe.com/psirt/2009/07/potential_coldfusion_security.html
-http://isc.sans.org/diary.html?storyid=6715


Malware Targets Latin American Best Buy Website Customers (July 3, 2009)
Latin American visitors to the Best Buy website have been targeted with malware. Site visitors are redirected to another site that uses an iFrame vulnerability to infect users' machines with the Luckysploit kit. The website used in the attacks was registered on June 4 by the same group believed to be responsible for Gumblar.
-http://www.theregister.co.uk/2009/07/03/best_buy_luckysploit_attack/


Online Game Bank Manager Stole Billions (July 3 & 6, 2009)
An Australian man who was one of the controllers of the virtual bank for the Eve Online game has admitted to stealing 200 billion credits, or eight percent of the bank's assets, and selling them for real world money. The man says he took the money to pay his son's medical bills and put a down payment on a home. The man has been kicked out of the game for violating its terms of agreement. Eve Online has approximately 300,000 players.
-http://www.theregister.co.uk/2009/07/03/eve_banker_does_a_runner/
-http://news.bbc.co.uk/2/hi/technology/8132547.stm
-http://www.geek.com/articles/games/eve-online-player-pays-real-debts-with-stolen
-virtual-cash-2009076/



BT Puts Phorm On Hold (July 6, 2009)
Shares of Phorm, the online targeted advertising company, have fallen more than 43 percent after BT announced that it did not envision using the company's technology in the immediate future. Targeted advertising technology has come under scrutiny for violating users' privacy. BT is being especially careful about employing the technology because it was criticized for running a pilot of the technology several years ago without customers' consent. BT says it is interested in targeted advertising, but "resources and priority" have placed it on the back burner. A handful of US Internet service providers (ISPs) started testing similar technology but stopped after testimony at congressional hearings made it clear that the public had some serious concerns about the practice.
-http://news.bbc.co.uk/2/hi/technology/8135850.stm
-http://bits.blogs.nytimes.com/2009/07/06/bt-backs-off-from-tracking-internet-cus
tomers/?ref=technology

-http://www.scmagazineuk.com/BT-scraps-plans-to-use-the-Phorm-Webwise-habit-track
ing-system/article/139519/

-http://business.timesonline.co.uk/tol/business/industry_sectors/telecoms/article
6649622.ece



Older Versions of McAfee Virus Scan Generate False Positives (July 3, 4 & 6, 2009)
Computer users running certain unsupported versions of McAfee's VirusScan engine found their computers crashing after downloading an update that identified legitimate files as malware and quarantined them. Users running current, supported versions of the software were not affected.
-http://www.eweek.com/c/a/Security/McAfee-Update-a-Headache-for-Enterprises-With-
Old-Software-842314/

-http://www.h-online.com/security/McAfee-update-brings-systems-down-again-Update-
-/news/113689

-http://www.v3.co.uk/v3/news/2245491/mcafee-update-glitch-causes
-http://www.theregister.co.uk/2009/07/03/mcafee_false_positive_glitch/


**********************************************************************

The Editorial Board of SANS NewsBites



Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).



John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/