Today is the first day on the job for President Obama's newly named National Cyber Coordinator, Howard Schmidt. His greatest challenge is not in knowing the right things to do; it is in getting federal agencies to act together to get those things done. Government aversion to innovation and risk taking is legendary. Our hope is that the level of threat is recognized widely enough that Mr. Schmidt can move quickly to ensure the federal government leads by example in risk reduction, in situational awareness, and in effective incident response.
************************************************************************* SANS NewsBites January 19, 2010 Volume: XII, Issue: 5 *************************************************************************
*********** Sponsored By RSA, The Security Division of EMC ***********
Virtualization and Security Information and Event Management (SIEM)
* Do you have a plan to address security and compliance needs for your virtualization project(s)?
* Do you need to incorporate VMware into your Compliance Audits?
* Do you need to monitor VMware changes?
-- SANS AppSec 2010, San Francisco, January 29 - February 5, 2010
8 courses and bonus evening presentations, including Social Zombies: Your Friends Want to Eat Your Brains
https://www.sans.org/appsec-2010/
-- SANS Phoenix, February 14 - February 20, 2010
6 courses and bonus evening presentations, including The Art of Incident Response and Advanced Forensic Techniques: Catching Hackers on the Wire
https://www.sans.org/phoenix-2010/
-- SANS 2010, Orlando, March 6 - March 15, 2010
38 courses and bonus evening presentations, including Software Security Street Fighting Style
https://www.sans.org/sans-2010/
-- SANS Northern Virginia Bootcamp 2010, April 6 - 13
Bonus evening presentations include Safe Surfing: How to Surf the Net Without Getting PWND
https://www.sans.org/reston-2010/
-- SANS Security West 2010, San Diego, May 7 - 15, 2010
23 courses. Bonus evening presentations include Killer Bee: Exploiting ZigBee and the Kinetic World
https://www.sans.org/security-west-2010/
Looking for training in your own community? https://sans.org/community/
Save on On-Demand training (30 full courses) - See samples at https://www.sans.org/ondemand/
Plus Tokyo, Bangalore, Oslo and Dublin all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org
Google Has No Immediate Plans to Leave China (January 18, 2010)
According to a Reuters news service report, Google says it is not leaving China and is instead seeking to negotiate with authorities there over the next several weeks regarding information filtering restrictions. Google has said it will no longer filter Internet searches in China, which runs counter to its agreement with the Chinese government. Some have said that Google's decision to go public with the attack allegations and its decision to stop filtering results has put a strain on its relationship with the Chinese government, and that the company may therefore find itself subject to more stringent restrictions if it decides to continue operations in the country. It has also been observed that Google's reputation among advertisers has been affected by the publicity, and it may find that its advertisers have decided to move to its competitor, the Chinese search engine Baidu. -http://www.reuters.com/article/idUSTRE60E0BC20100117 -http://english.people.com.cn/90001/90776/90882/6871045.html [Editor's Note (Schultz): Google has little choice; neither do other non-Chinese businesses in China. The government there has clearly for years been spearheading massive attacks on computers owned by businesses from other countries, but to retaliate by terminating doing business with China would put these businesses at a huge economic disadvantage. ]
France and Germany Warn Users Against IE Until Fix is Available (January 16 & 18, 2010)
Researchers Say Malware Used in Google Attack is Too Sophisticated for Amateurs (January 15, 2010)
According to researchers brought in to investigate the attack on Google, the malware used to exploit a zero-day vulnerability in Internet Explorer (IE) is too sophisticated for run-of-the-mill attackers to have developed; they surmise that the code was designed and deployed with the support of Chinese authorities. The malware used in the attack has been called "unique," and the researchers noted that they had never seen anything resembling it in "commercial space," but had seen similarly sophisticated attacks on government systems. Time stamps in the command and control log files indicate the attacks began in mid-December 2009 and continued through January 4, 2010. Google has acknowledged that attackers stole information from its corporate network. The researchers also said that the IE flaw was not the sole vector of attack. The same group is believed to have launched attacks on the computer networks of more than 30 US companies. -http://www.computerworld.com/s/article/9145279/Chinese_authorities_behind_Google_attack_researcher_claims?taxonomyId=1R [Editor's Note (Skoudis): The information revealed about this attack so far has been fascinating. I'm hoping that the investigators working on it will be allowed eventually to share sanitized technical lessons learned so that other organizations can prevent and, just as importantly, detect when these kinds of attacks inevitably occur in the future. ]
IE Exploit Code in the Wild (January 15 & 18, 2010)
DoD Contractors Receiving Malicious PDF Attachments (January 18, 2010)
Cyber attackers have targeted US Defense Department (DoD) contractors with emails that appear to come from the DoD and carry malicious PDF attachments. The email messages refer to a legitimate conference that is scheduled for March in Las Vegas. If the recipients open the maliciously crafted documents, the malware they contain attempts to install a Trojan horse program on the users' computers. The attack exploits a critical flaw in Adobe Reader and Acrobat that Adobe patched just one week ago. -http://www.theregister.co.uk/2010/01/18/booby_trapped_pdf_cyber_espionage/
FCC Proposed Rulemaking on Net Neutrality Generates Strong Comments (January 15, 2010)
Lincoln National Warns Customers of Potential Data Security Breach (January 14 & 15, 2010)
Lincoln National Corp. has begun notifying about 1.2 million customers of an incident that may have compromised the security of their personally identifiable information. The Financial Industry Regulatory Authority (FINRA) learned of the breach last August when an unidentified source provided the organization with a username and password that allowed access to Lincoln's portfolio management system. An investigation conducted by Lincoln found other instances of shared usernames and passwords at one of its subsidiaries. The shared passwords were established a decade ago to perform administrative activities. All shared access information has been changed. The management system in question is not used to conduct transactions, but it does contain Social Security numbers (SSNs), account numbers and balances, and other personal information valuable to identity thieves. -http://www.darkreading.com/vulnerability_management/security/privacy/showArticle.jhtml?articleID=222301034&cid=RSSfeed -http://www.computerworld.com/s/article/9145240/Financial_firm_notifies_1.2M_after_password_mistake?taxonomyId=17 -http://doj.nh.gov/consumer/pdf/lincoln_financial.pdf [Editor's Note (Pescatore): While the high profile targeted attacks got all the press coverage, this incident is indicative of the types of problems (shared passwords, weak internal practices) that cause way more material damage to businesses in the long run. Lincoln National did the right thing in taking the very expensive step to notify customers even though there is no evidence that any compromise actually occurred. The cost of avoiding this incident (detecting and stopping the use of shared administrative passwords) would have been a small fraction of the cost of going through this disclosure event. ]
Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post-graduate-level IT security college, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.
Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/