SANS NewsBites - Volume: XII, Issue: 26


The Navy is offering full 4-year scholarships for kids with hacking talent and major federal agencies are offering internships. If you know of talented kids, tell them to look at uscyberchallenge.org.

Alan


*************************************************************************
SANS NewsBites                     April 02, 2010                    Volume: XII, Issue: 26
*************************************************************************
TOP OF THE NEWS

   U.S. Court Rules that Employee-Attorney E-Mails Are Private
   Court Says NSA Illegally Wiretapped Two Americans
   Journalists' Yahoo Email Accounts Hacked

THE REST OF THE WEEK'S NEWS

   U.S. Military Facing 'Increasingly Active' Cyber-Threat from China
   Stalker Jailed for Framing Man
   Microsoft Issues Emergency Bulletin for Internet Explorer
   New Attack Against PDF File Format is Discovered
   Barnet Council Loses Data Related To 9,000 Children
   Prison Inmates Hack into Phone Lines
   'Amateur' Malware Not Part of Operation Aurora Attacks Against Google


*************************** Sponsored By SANS **************************
What are the latest forensic tools and techniques used to help combat threats in organizations today? How can we look at these solutions in an EU-specific manner? Attend the 2010 European Community Digital Forensics & Incident Response Summit April 19-20 and learn the answers to these and other key Forensics & Incident Response questions. http://www.sans.org/info/57513
*************************************************************************

TRAINING UPDATE
-- SANS Northern Virginia Bootcamp 2010, April 6-13 Bonus evening presentations include Safe Surfing: How to Surf the Net Without Getting PWND
http://www.sans.org/reston-2010/

-- SANS Security West 2010, San Diego, May 7-15, 2010 23 courses. Bonus evening presentations include Killer Bee: Exploiting ZigBee and the Kinetic World
http://www.sans.org/security-west-2010/

-- SANSFIRE 2010, Baltimore, June 6-14, 2010 38 courses. Bonus evening presentations include Software Security Street Fighting Style and The Verizon Data Breach Investigations Report
http://www.sans.org/sansfire-2010/

-- SANSFIRE Rocky Mountain 2010, Denver, July 12-17, 2010 8 courses. Bonus evening presentations include Hiding in Plain Sight: Forensic techniques to Counter the Advanced Persistent Threat
http://www.sans.org/rocky-mountain-2010/

-- SANS Boston 2010, June 6-14, 2010 11 courses http://www.sans.org/boston-2010/

Looking for training in your own community? http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/spring09.php

Plus Dubai, Geneva, Toronto, Singapore and Amsterdam all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

*************************************************************************


TOP OF THE NEWS

U.S. Court Rules that Employee-Attorney E-Mails Are Private (31st March 2010)
In the United States the New Jersey Supreme Court has ruled that the Loving Care Agency was wrong in retrieving emails that were sent by a former employee, Marina Stengart, to her attorney even though the emails were sent using the company's own computer systems. In 2008, Marina Stengart filed a lawsuit against the company claiming discrimination based on gender, religion and national origin. Before leaving the company Ms. Stengart exchanged a number of emails with her attorney by accessing her Yahoo email account using the company's computers. Loving Care retrieved copies of the emails from their systems and argued in court that the emails were sent in breach of company policy which states that emails "are not to be considered private or personal to any individual employee" and that the company had the right to "review, audit, intercept, access, and disclose all matters on the company's media systems and services at any time." Earlier, a trial court agreed with the company, but in a 7-0 ruling the Supreme Court overruled that decision and ordered the company to turn over all copies of the e-mails and delete any record of them.
-http://abcnews.go.com/Technology/wireStory?id=10248507
-http://www.nj.com/news/index.ssf/2010/03/nj_supreme_court_rules_employe.html
-http://www.northjersey.com/news/033010_State_court_rules_company_shouldnt_have_read_ex-staffers_private_emails.html

[Editor's Note (Schultz): This is an extremely significant ruling that in effect says that client-attorney privileges supersede defeating the expectation of privacy.
(Northcutt): I tend to be a fan of privacy rights, but this just does not sound right especially since they have a policy on the subject. If anyone is making policy changes based on advice from corporate counsel, I would love a note with your new policy fragment (stephen@sans.edu) ]


Court Says NSA Illegally Wiretapped Two Americans (31 March 2010)
Federal Judge Vaughn R. Walker has ruled that the U.S. National Security Agency's program of surveillance without warrants was illegal. Under the surveillance program the National Security Agency monitored international e-mail messages and phone calls of American citizens without court approval, which is required under the Foreign Intelligence Surveillance Act, or FISA. The ruling undermined claims by President Bush's administration that the surveillance program, which President Bush secretly authorized after the terrorist attacks of September 11, 2001 using presidential wartime powers, was lawful. Judge Walker ruled that by intercepting the phone calls of the Al Haramain Islamic charity based in Oregon, and the calls of two lawyers representing the charity in 2004, the government had violated a 1978 federal statute requiring court approval for domestic surveillance. Judge Walker also declared the plaintiffs had been "subjected to unlawful surveillance," and that the government was liable to pay them damages.
-http://www.wired.com/threatlevel/2010/03/bush-spied/
-http://www.nytimes.com/2010/04/01/us/01nsa.html
-http://www.wthitv.com/dpps/news/national/west/Judge-Feds-wiretapped-without-warrant_3297308

[Editor's Note (Northcutt): All it takes for evil to prevail is for good men to remain silent. Somebody had to know about this and know it was wrong and remained silent. Though nothing tops the use of the Patriot act to spy on strippers in Vegas:
-http://www.boston.com/news/nation/articles/2003/11/08/patriot_act_gets_mixed_review_in_vegas/

(Schultz): Statutes and other provisions that granted the U.S. government (and in particular, law enforcement) unprecedented powers after the 9/11 attacks are slowly but surely being eroded. An equilibrium between individual and U.S. government rights is once again being achieved. ]


Journalists' Yahoo Email Accounts Hacked (31st March 2010)
A number of foreign journalists based in China are claiming their Yahoo email accounts have been hacked. The Foreign Correspondents Club of China (FCCC) has confirmed that eight journalists have had their Yahoo email accounts hacked including one that had a forwarding address added to the account. Yahoo has made no direct comment regarding the claims and says that it is "committed to protecting user security and privacy." Earlier this year the Google mail accounts of Chinese dissidents were targeted in an attack on Google. The FCCC is advising users to take care when using email, especially for sensitive issues, and warning people that "email does not appear to be secure in China, and that alternate means of arranging interviews and conducting other sensitive business are often preferable".
-http://news.bbc.co.uk/2/hi/technology/8596410.stm
-http://www.nytimes.com/2010/03/31/world/asia/31china.html
-http://www.businessweek.com/news/2010-04-01/journalists-demand-yahoo-explain-hacked-china-e-mails-update2-.html




*************************** Sponsored Links ***************************
1) Sign up today for SANS Webcast: Database Monitoring - Beyond Compliance to Pro-active Information Protection sponsored by NitroSecurity. Go to http://www.sans.org/info/57518
*************************************************************************


THE REST OF THE WEEK'S NEWS

U.S. Military Facing 'Increasingly Active' Cyber-Threat from China (26th March 2010)
Richard Willard, an Admiral in the U.S. Navy, appeared before the U.S. House Armed Services Committee on the same day that Google and GoDaddy appeared before a congressional committee and raised a warning about the security threat posed by China against U.S. military computer networks. Speaking before the committee Admiral Willard warned that "U.S. military and government networks and computer systems continue to be the target of intrusions that appear to have originated from within the PRC (People's Republic of China)". He highlighted that the attacks are focused on stealing data "but the skills being demonstrated would also apply to network attacks." Christine Jones, an executive vice president and general counsel at domain registration giant GoDaddy, told the Congressional-Executive Commission on China that "in the first three months of this year, we have repelled dozens of extremely serious DDoS attacks that appear to have originated in China."
-http://www.computerworld.com/s/article/9174242/Military_warns_of_increasingly_active_cyber_threat_from_China_?taxonomyId=82&pageNumber=1



Stalker Jailed for Framing Man (31st March 2010)
In the United Kingdom a 48 year old man, Ilkka Karttunen, has been jailed for four and a half years for breaking into the house of a female work colleague and framing her husband for downloading child pornography. Basildon Crown Court heard how Karttunen became obsessed with his work colleague and hoped to develop a relationship with her by breaking up her marriage. He broke into her family home and, while the family was asleep, downloaded the illegal material onto the husband's PC. He then stole the hard disk from the computer and sent it anonymously to the police with a note stating the origin of the disk. Police discovered Karttunen's involvement when they searched his home and found a computer containing the entire contents of his victim's home computer.
-http://www.timesonline.co.uk/tol/news/uk/article7081986.ece
-http://www.net-security.org/secworld.php?id=9090


------------------------------------------------------------------


Call for Authors/Invitation to participate!


An Invitation To Participate In the SANS Security Consensus Operational Readiness Evaluation (SCORE) Project:


What's New with SCORE? It's time for SCORE to get an overhaul! Some exciting things are happening including a new SCORE wiki (still a beta project, but it's moving toward public release). Content reviewers/authors/editors/contributors needed!


Periodically, we will be posting opportunities to participate in SCORE projects. We are currently looking for contributors and authors in the following technical areas (If your area is not in this list and you'd like to contribute, don't be afraid to contact us with your idea.):


- Microsoft Windows 7 Security
- Virtual Machines
- How/Where Trojans hide
- Ubuntu Linux
- Redhat Linux
- General Linux
- Cloud Security
- OS X Security
- Rootkits
- Malware Analysis Static
- Malware Analysis Dynamic
- Using Olly Debug for malware analysis
- Using IDA Pro for malware analysis
- MySQL Security
- Webserver Security and Testing
- Juniper JunOS
- PostgreSQL

If you are a subject matter expert or aspiring to be one, are interested in becoming more involved in the security community (specifically SANS) and/or would like to have the opportunity to benefit from contributing to projects of this type, please email the following information to SCORE project lead - Darren Bennett (dlbennett@gmail.com).


------------------------------------------------------------------------
Name:
Area(s) of expertise:
Contact information:
Availability:
------------------------------------------------------------------------


While I haven't been asked this question, I'd personally be asking "What's in it for me?" The following is a list of benefits for contributing to SCORE:


*Helping to increase security awareness.
*Having your name credited as an author (or contributor) on one of the projects.
*Networking. This is a great way to meet other security experts and share information.
*CPE's for CISSP credits.
*Recognition within the security community.
*Becoming more involved with a great organization, SANS!

To see some examples of popular SCORE checklists, check out the following:
The SCORE Oracle Checklist (V3.1)
-http://www.sans.org/score/oraclechecklist.php
The SCORE OSX Checklist
-http://www.sans.org/score/macosxchecklist.php
The SCORE Windows 2000/XP DSS Auditing Checklist
-http://www.sans.org/score/win2k_xp_checklist.php
The SCORE Linux Checklist
-http://www.sans.org/score/linuxchecklist.php
The SCORE Handhelds Checklist (V1.0)
-http://www.sans.org/score/handheldschecklist.php
** This list is popular and could use updating. If you are a subject matter expert in this area, please let me know!


-http://www.sans.org/score/index.php
(Security Consensus Operational Readiness Evaluation)
I look forward to hearing from you! Please email me the information requested above and I will put you in contact with other team members, the team leader or the SANS contact you will be working with. Do not hesitate to email me with questions or suggestions.


"Opportunity is missed by most people because it is dressed in overalls and looks like work." - Thomas A. Edison


Microsoft Issues Emergency Bulletin for Internet Explorer (30 March 2010)
On Tuesday Microsoft issued an out-of-band bulletin to address ten vulnerabilities in Internet Explorer, including one rated critical that is being actively exploited in the wild. The most severe of the vulnerabilities could lead to remote code execution and enable an attacker to control the victim's computer should they visit a malicious website using Internet Explorer; users of Internet Explorer 8 running on Windows 7 are not affected by this vulnerability. The bulletin also addresses seven vulnerabilities in Excel, a vulnerability in Windows Movie Maker and a vulnerability in Microsoft Producer 2003. Information security analysts have praised Microsoft for taking the proactive step of releasing the out-of-band bulletin.
-http://news.cnet.com/8301-27080_3-20001428-245.html
-http://www.zdnet.co.uk/news/security-management/2010/03/31/microsoft-patches-internet-explorer-vulnerabilities-40088499/

-http://www.theregister.co.uk/2010/03/30/emergency_ie_fix/
Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=8533


New Attack Against PDF File Format is Discovered (1st April 2010)
Adobe is investigating how to address an attack that exploits a feature of the PDF file format rather than a vulnerability in the PDF reader software itself. Belgium-based security researcher Didier Stevens developed a proof-of-concept PDF file which runs an executable embedded within it. As the attack exploits the launch feature within the PDF file format it is not confined to Adobe Reader and has been successfully tested against other PDF readers such as Foxit Reader Pro. Stevens has not released the proof-of-concept and has raised the issue with Adobe to investigate. Foxit plan to have an update addressing the issue for release sometime next week.
-http://www.theregister.co.uk/2010/03/31/pdf_insecurity/
-http://blogs.zdnet.com/security/?p=5985
-http://threatpost.com/en_us/blogs/hacker-finds-way-exploit-pdf-files-without-vulnerability-033010

Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=8545


Barnet Council Loses Data Related To 9,000 Children (30th March 2010)
Following the theft of a laptop, CDs and USB sticks during a burglary at the home of a Barnet Council employee, the council has admitted that data related to 9,000 children has also been stolen. While the laptop was encrypted, the data were stored on the unencrypted USB sticks and CDs, which the council has said was "against council policy". The compromised data includes the names, birth dates, postcodes, ethnicity and education data on year 11 pupils attending any school in Barnet from 2006 to 2009. The council believes the risk posed to the students by the compromised data is low, although there were concerns with the identity of one child which "has been dealt with." To prevent a similar breach of policy occurring in the future the council has disabled access to external storage devices on its systems.
-http://www.infosecurity-magazine.com/view/8472/barnet-council-discovers-9000-reasons-to-encrypt-data/

-http://www.itpro.co.uk/621970/burglary-leads-to-loss-of-data-about-9-000-children

-http://www.v3.co.uk/computing/news/2260529/barnet-council-employee-loses
[Editor's Note (Honan): From April 6th organisations in the UK will need to ensure they take the appropriate measures to secure any personal data entrusted to them as the UK's Information Commissioner will have the power to fine organisations up to £500,000 for serious data breaches.
-http://www.computerweekly.com/Articles/2010/01/13/239936/ICO-to-fine-firms-up-to-163500000-for-data-breaches.htm
]


Prison Inmates Hack into Phone Lines (29th March 2010)
Inmates in the Miami-Dade Corrections facilities have discovered how to make phone calls using the fax lines of unsuspecting victims. Corrections officials claim that the inmates are able to forward collect calls through AT&T from a victim's fax line. So far over US $200,000 has been reimbursed to victims over the past two years by the Alabama-based Global Tel*Link (GTL) company, which operates pre-paid and jail collect call services. Both the Miami-Dade Corrections department and GTL claim that there is little they can do to prevent the scam as it is being done via the AT&T network. A spokesperson for AT&T says the company is investigating and that "AT&T takes such matters seriously and strives to prevent fraudulent use of the AT&T network by third parties."
-http://www.miamiherald.com/2010/03/28/1552713/miami-dade-inmates-collect-call.html



'Amateur' Malware Not Part of Operation Aurora Attacks Against Google (31 March 2010)
McAfee has announced that due to a mistake in its initial investigations into the attacks against Google and 20 other companies earlier this year, dubbed Operation Aurora, some malware discovered during those investigations was incorrectly associated with Operation Aurora. McAfee now states that the malware, made up of four files, was actually part of a separate attack for a botnet that is currently being used to target activists in Vietnam. While investigating the Operation Aurora attacks in more than a dozen companies, McAfee discovered the Vietnamese botnet files within four of those networks and incorrectly associated them with Operation Aurora. A number of companies and commentators who followed up on McAfee's original research were also subsequently confused with some claiming the malware files indicated the attacks were amateurish and not as sophisticated as first claimed.
-http://www.computerworld.com/s/article/9174484/McAfee_Amateur_malware_not_used_in_Google_attacks

-http://news.techworld.com/security/3218946/mcafee-messes-up-google-china-attack-analysis

-http://www.darkreading.com/database_security/security/attacks/showArticle.jhtml?articleID=224200972



**********************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/