LAST CHANCE to save $600 Off Online Courses

SANS NewsBites - Volume: XIII, Issue: 16

*************************************************************************
SANS NewsBites                     February 25, 2011                    Volume: XIII, Issue: 16
*************************************************************************
TOP OF THE NEWS

  Hacked Oil Companies Identified
  BIND Flaw
  Dutch Bank Hit by DDoS Attack

THE REST OF THE WEEK'S NEWS

  Microsoft Patches Malware Scanner Flaw
  Man Admits to Stealing Royalties, Breaking Into NASA Network
  Keystroke Loggers Found on Library Computers
  Guilty Plea in Financial Fraud Case
  Microsoft Releases Windows 7 Service Pack 1
  FTC Seeks Injunction Against Text Message Spammer
  OddJob Trojan Steals Online Banking Session IDs


  A Note From Stephen Northcutt


************************************************************************* TRAINING UPDATE
- -- SANS Phoenix 2011, Phoenix, AZ, February 25-March 2, 2011 6 courses. Bonus evening presentations and special events include Indicators of Compromise: ABCs of IOCs and Network Vulnerability Exploitation, Step By Step From Discovery through to Metasploit Module
http://www.sans.org/phoenix-2011/

- -- SANS AppSec 2011: Summit & Training, San Francisco, CA, March 7-14, 2011 7 courses. Bonus evening presentations and special events includes The Road to Sustainable Security
http://www.sans.org/appsec-2011/

- -- SANS 2011, Orlando, FL, March 26-April 4, 2011 40 courses. Bonus evening presentations and special events include Hiding in Plain Sight: Forensic Techniques to Counter the Advanced Persistent Threat; and Law and the Public's Perception of Data Security
http://www.sans.org/sans-2011/

- -- The National Cybersecurity Innovation Conference, April 18-19, 2011 User-to-user conference featuring outstanding examples of continuous monitoring and security cloud.
https://www.sans.org/cyber-security-innovations-2011/

- -- "Combating Malware in the Enterprise" course at SANS (SEC569). How do you fight off malware when you have thousands of hosts? Learn the answers in Orlando in March:
http://www.sans.org/security-training/combating-malware-enterprise-1482-mid

- -- 2011 Asia Pacific SCADA and Process Control Summit, Sydney, Australia, March 31-April 7, 2011
http://www.sans.org/sydney-scada-2011/

- -- SANS Northern Virginia 2011, Reston, VA, April 15-23, 2011 11 courses. Bonus evening presentations include Cyberwar or Business as Usual? The State of US Federal CyberSecurity Efforts
http://www.sans.org/northern-virginia-2011/

- -- The National Cybersecurity Innovation Conference, April 18-19, 2011 User-to-user conference featuring outstanding examples of continuous monitoring and security cloud.
http://www.sans.org/cyber-security-innovations-2011/

- -- SANS Security West 2011, San Diego, CA, May 3-12, 2011 23 courses. Bonus evening presentations include The Emerging Security Threat Panel Discussion; and Emerging Trends in Data Law and Investigation
http://www.sans.org/security-west-2011/

- -- Looking for training in your own community?
http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Singapore, Wellington, Barcelona, Amsterdam and Brisbane all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php ********************* Sponsored by Adobe Systems *************************
The Adobe Reader X family of products deliver better application security and protection from PDF-based malware with the introduction of "Protected Mode" - an always-on protective environment. This is in addition to the numerous security enhancements and controls added across the new Adobe Acrobat X family of products. Learn more about how Adobe Acrobat and Reader X are raising the bar on PDF security.

http://www.sans.org/info/71704
****************************************************************************


TOP OF THE NEWS

Hacked Oil Companies Identified (February 24, 2011)
New reports are saying that the attacks on computer networks at international petrochemical companies targeted Shell, Exxon Mobil, BP, Marathon Oil, ConocoPhillips and Baker Hughes. The attacks were first reported by the Christian Science Monitor in January 2010, and were mentioned in a report from McAfee earlier this month. The attackers appear to have been after legal and financial data. The series of attacks has been dubbed "Night Dragon," and may have been going on for as long as four years. The McAfee report says the attacks were traced to IP addresses in China.
-http://www.v3.co.uk/v3/news/2274971/shell-bp-exxon-mobil
-http://www.bloomberg.com/news/2011-02-24/exxon-shell-bp-said-to-have-been-hacked
-through-chinese-internet-servers.html

[Editors' Note (Schultz and Paller): The fact that US oil companies' computers have been owned for some period of time should come to no surprise to anyone. The shame of it all is that a few of these companies have truly achieved information security "best practices" status. ]


BIND Flaw (February 24, 2011)
According to an advisory from the Internet Systems Consortium (ISC), a serious flaw in BIND domain name services (DNS) software could be exploited to crash vulnerable systems. The vulnerability affects BIND versions 9.7.1 through 9.7 2-P3. Users are urged to upgrade to non-vulnerable versions of BIND. The vulnerability can be remotely exploited, but there have been no reports of attacks in the wild.
-http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?a
rticleID=229219353&subSection=Security

-http://www.theregister.co.uk/2011/02/24/dns_bind_vuln/
-http://www.h-online.com/security/news/item/The-unintended-kill-switch-in-Bind-11
96567.html

-https://www.isc.org/software/bind/advisories/cve-2011-0414


Dutch Bank Hit by DDoS Attack (February 23, 2011)
Dutch bank Rabobank experienced a significant distributed denial-of-service (DDoS) attack that took down both its website and its ebanking services. The attack caused collateral damage as well; because the outage sent so many returned transaction messages to iDeal, a Dutch PayPal alternative, that system also experienced a partial outage. The identity of the attackers is still unknown.
-http://news.idg.no/cw/art.cfm?id=3F6822FF-1A64-6A71-CE67724BB606D61C
[Editor's Note (Pescatore): Did you ever notice we don't see news articles that say "power outage takes down Dutch bank." That's because years ago we learned ago that data centers without electricity were just quiet computer museums. Today, data centers without Internet connectivity are just noisy computer museums. If you depend on Internet connectivity, denial of service protection should be part of business continuity planning. ]



*************************** Sponsored Links: *****************************
1) Countdown: SANS Northern Virginia 2011. 5 days left to take advantage of Early Bird $400 savings. http://www.sans.org/info/69698

2) SANS Analysts Program Webcast: Managing Insiders (Contractors, Vendors, and Employees) in SCADA Environments Wednesday, March 23, 2011 Gain key insight from security professionals involved auditing SCADA and other utility control systems about insider risk in control system environments, along with the NERC CIPC controls required to protect against these common insider vulnerabilities. Featuring SANS instructor and senior analyst, Matthew E. Luallen. To register, go here: http://www.sans.org/info/71709

3) REGISTER NOW for the Tuesday, March 01, 2011 Webcast:Bullseye on the Back: Adobe's Product Security Program FEATURING: Dave Shackleford & Brad Arkin START TIME: 1:00 PM EST (1800 UTC/GMT) http://www.sans.org/info/71714
***************************************************************************


THE REST OF THE WEEK'S NEWS

Microsoft Patches Malware Scanner Flaw (February 24, 2011)
Microsoft has released a fix for a privilege elevation vulnerability in its malware scanner. The flaw could be exploited by attackers changing a Windows registry key to a certain value. It is exploitable only by people who already have valid logon credentials for the vulnerable system. The patch will be included in an update to the Microsoft Malware Protection Engine.
-http://news.cnet.com/8301-27080_3-20036048-245.html?tag=mncol;title
-http://www.h-online.com/security/news/item/Microsoft-s-virus-scanner-causes-secu
rity-problem-1196731.html

-http://www.microsoft.com/technet/security/advisory/2491888.mspx


Man Admits to Stealing Royalties, Breaking Into NASA Network (February 23 & 24, 2011)
Jeremey Parker, a 26-year old Houston man, has admitted to breaking into servers at NASA's Goddard Space Flight Center and at SWReg, a company that manages royalty payments for independent software developers. Parker admitted to stealing US $275,000 from SWReg accounts and causing US $43,000 in damage to the NASA system.
-http://www.theregister.co.uk/2011/02/24/nasa_hacker_guilty/
-http://www.bizjournals.com/twincities/news/2011/02/23/Computer-Hacker-admits-ste
aling.html



Keystroke Loggers Found on Library Computers (February 24, 2011)
Keystroke logging devices were found plugged in to computers at libraries in Cheshire, UK. It is not known how long the devices were connected to the computers before they were discovered. Keyboards are now being plugged in to ports at the front of computers.
-http://www.scmagazineuk.com/keyloggers-found-plugged-into-library-computers/arti
cle/196936/

-http://www.h-online.com/security/news/item/Hardware-keyloggers-found-in-public-l
ibraries-1190097.html

[Editor's Note (Schultz): Computers in Internet cafes and other public places constitute one of the greatest risks to security. ]


Guilty Plea in Financial Fraud Case (February 23, 2011)
Dmitry M. Naskovets has pleaded guilty to conspiracy to commit wire fraud and credit card fraud for running an identity theft website that provided specialized language services to help thieves conduct fraudulent bank transactions. The site offered the services of German and English speakers who would call the bank from which the thief was attempting to steal the funds and pretend to be the account holder. Naskovets provided dossiers with detailed information about the victims so the impersonators could be convincing on the phone.
-http://www.computerworld.com/s/article/9210980/Belarus_man_pleads_guilty_to_runn
ing_identity_theft_site?taxonomyId=17

-http://www.theregister.co.uk/2011/02/23/naskovets_guilty/
-http://www.fbi.gov/newyork/press-releases/2011/belarusian-proprietor-of-internat
ional-identity-theft-website-pleads-guilty-in-manhattan-federal-court

[Editor's Note (Honan): In the light of the hype over cloud computing could this be a new use of the term SaaS, Scam as a Service? ]


Microsoft Releases Windows 7 Service Pack 1 (February 23, 2011)
Microsoft has released Service Pack 1 for Windows 7; it includes all security fixes to date. A public test release of Windows 7 SP1 took place in July 2010, and installation difficulties have been reported. Users running Windows 7 and Linux on the same PC have reported that they were unable to continue with the installation process due to error 0x800f0a12; Microsoft has posted a fix for that issue.
-http://isc.sans.edu/diary/Windows+7+2008+R2+Service+Pack+1+Problems/10453
-http://voices.washingtonpost.com/fasterforward/2011/02/microsofts_windows_7_serv
ice_p.html

-http://www.informationweek.com/news/windows/operatingsystems/showArticle.jhtml?a
rticleID=229219123&subSection=Security

-http://www.zdnet.com/blog/bott/quick-fix-for-windows-7-sp1-installation-errors/3
040

Important link if you are experiencing problems:
-http://blogs.technet.com/b/joscon/archive/2011/02/17/windows-7-2008-r2-service-p
ack-1-fails-with-0x800f0a12.aspx

[Editor's Comment (Northcutt): it is kind of ironic. Microsoft has gotten so good at testing and release management for the monthly patches that we have a tendency not to take a service pack as seriously as we should. We should always back up before installing a service pack! I ran into problems myself with a piece of security software, Bit 9, as the apparent culprit, when we turned it off, the SP1 install succeeded. ]


FTC Seeks Injunction Against Text Message Spammer (February 23, 2011)
The US Federal Trade Commission (FTC) wants a judge to shut down a text-messaging spammer who was sending out unsolicited messages about home loan modification and other services. The scheme, allegedly run by Phillip A, Flora, sent out messages at a rate of 85 every minute during a 40-day period in late summer of 2009. Many of the people who received the messages had to pay fees to their carriers. Flora allegedly collected personal information from people who responded to the messages, even from those who asked him to stop sending them, and sold that information to marketers. According to the FTC's complaint, Flora violated the FTC Act by sending unsolicited messages and by misrepresenting his business as being affiliated with a government agency. The complaint also alleges that he violated the CAN-SPAM Act.
-http://www.computerworld.com/s/article/9210979/FTC_asks_court_to_shut_down_text_
spammer?taxonomyId=17

-http://www.ftc.gov/opa/2011/02/loan.shtm
-http://www.ftc.gov/os/caselist/1023005/110223phillipcmpt.pdf


OddJob Trojan Steals Online Banking Session IDs (February 22, 2011)
The OddJob banking Trojan grabs online banking session ID tokens in real time, allowing thieves to keep the sessions open longer and make fraudulent transactions. The malware is being actively used in the US, Poland and Denmark. Researchers have noted that those behind OddJob have made refinements to the malware over the last few weeks.
-http://www.scmagazineus.com/trojan-steals-session-ids-bypasses-logout-requests/a
rticle/196816/

-http://www.computerworld.com/s/article/9210764/New_bank_Trojan_employs_fresh_tri
cks_to_steal_account_data?taxonomyId=17

-http://www.theregister.co.uk/2011/02/22/oddjob_banking_trojan/
Trusteer posted a good overview of the Oddjob Trojan site at
-http://www.trusteer.com/blog/new-financial-trojan-keeps-online-banking-sessions-
open-after-users-%E2%80%9Clogout%E2%80%9D




A Note From Stephen Northcutt:
Most of us remember where we were when we heard the news of the attacks on September 11, 2001. The National September 11 Memorial and Museum in New York City has launched an interactive timeline of the September 11 attacks. The timeline offers recordings and images from a day that we have a responsibility to remember.
-http://www.aolnews.com/2011/02/23/new-york-citys-sept-11-museum-launches-interac
tive-timeline-of/



************************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/