
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume X - Issue #88

November 07, 2008


White House Computers Hacked: Multiple Times
Presidential Campaign Systems Attacked, Files Stolen
Lords Approve Amendment to Allow Removal of Some DNA Evidence From Database
Prescription Management Company Receives Extortion Threat


US Chess Federation Board Member Sued for Alleged Unauthorized eMail Access
LA Traffic Engineers Plead Guilty to Disrupting Traffic Signals
Former Intel Employee Faces Additional Charges for Alleged Theft of Trade Secrets
Man Faces Charges for Allegedly Modifying Sniffer Used in Massive Data Theft Case
Guilty Pleas in Connection With Citibank ATM Card Fraud
Prison Sentence for Opening Former Employer's Mail Server to Spammers
Microsoft to Issue Two Patches on November 11
Adobe Updates Acrobat and Reader
Technology Inserts Ads in Copyrighted Uploads

*********************** Sponsored By Q1 Labs ****************************

Enterprise Log Management for Incident Handlers
Does your organization collect logs from your critical devices? Do you truly know how to leverage these logs during or after an incident? Log on to this webcast and learn effective log analysis techniques for incident handling as well as forensic analysis and reporting within your organization. http://www.sans.org/info/35144



- - SANS CDI in Washington 30 courses; big security tools expo; lots of evening sessions: http://www.sans.org/cdi08/
- - London (12/1- 12/9) http://sans.org/london08/
- - Vancouver (11/17-11/22) http://www.sans.org/vancouver08/
- - Las Vegas (1/24-2/01) http://sans.org/securitywest09/
- - Orlando SANS SCADA Security Summit http://www.sans.org/scada09_summit
and in 100 other cities and on line any time: www.sans.org



White House Computers Hacked: Multiple Times (Today, November 7)

The Financial Times reported last night that two government officials confirmed multiple penetrations of White House computers have been discovered. Most speculation about the identity of the hackers focuses on Chinese government sponsorship. The story also references other major penetrations, such as those against the computers that support Defense Secretary Gates, computers at major companies in the defense industrial base, and computers at both the Obama and McCain campaigns.
[Editor's Note (Paller): This story is part of a growing wave of public disclosure of the deep and pervasive (and mostly continuing) penetration of computers in government, in the defense industrial base, and in the critical infrastructure. A culture of compliance has lulled government and industry leaders into cyber complacency - a complacency that ends for each of them the day they discover that malicious outsiders have controlled their computers for months and they cannot find the extent of the infections. The person who ran security for the US missile defense organization described the challenge earlier this week, saying, "the problem is that the people responsible for security think that security must be easy because they successfully passed a security certification exam. It's harder than they think." Many of them are blind to the attacks, lacking the skills to establish strong early warning systems and tough defenses, to find the attackers who evaded those defenses, to uncover the persistent presence, and to recover fully in a way that does not open them up for re-infection. Many think that if their organization has passed a compliance review, they are secure. They are not interested in learning (or in relying upon people who have learned) the specialized security skills that they are missing. A small ray of hope: the President demanded that the specialized security skills gap be closed in his Presidential National Security Directive 54, establishing the multi-billion-dollar Comprehensive National Cyber Initiative. ]

Presidential Campaign Systems Attacked, Files Stolen (November 5, 2008)

The computer systems of both major party US presidential candidates were reportedly compromised by a "foreign entity." IT people at the Obama campaign earlier this summer believed they had been hit with run-of-the-mill malware, but later learned that "a serious amount of files (were) loaded off (their) system." The McCain campaign's computer system was similarly attacked. Investigators speculate that the attackers were gathering intelligence on both candidates' policy positions. Internet Storm Center:

Lords Approve Amendment to Allow Removal of Some DNA Evidence From Database (November 5 & 6, 2008)

The UK House of Lords has approved an amendment to the Counter-Terrorism Bill that would allow innocent people to apply to have their biometric information removed from national databases. The data, which include DNA and fingerprints, are gathered during investigations, but are presently retained even when the individuals have been cleared of wrongdoing.
[Editor's Note (Schultz): Given that until now few assurances of the national UK biometrics database security have been given, this bill represents a major step forward for UK citizens. ]

Prescription Management Company Receives Extortion Threat (November 6 & 7, 2008)

Express Scripts, a company that manages prescription benefits for approximately 50 million individuals through thousands of clients, has received a threat that customer records will be exposed unless the company pays a ransom. In a letter turned over to federal investigators, the extortionists included personally identifiable information of 75 people, all of whom have been notified. The exposed data include birth dates, Social Security numbers (SSNs) and some prescription details.

[Editor's Note (Paller): Credit card data has been the "currency" for thousands of cyber extortions reaping hundreds of millions of dollars for criminals, because ecommerce and banking companies will pay dearly to avoid having their clients know that they could not protect the sensitive information with which they were entrusted. This case shows that the criminals may have decided that health records are a second good lever for extortion. If the US hopes to take advantage of health data automation in order to provide universal coverage at lower costs, the security of healthcare data will have to be improved. HIPAA compliance just doesn't cut it. ]

************************* SPONSORED LINK ******************************

1) Join Control System Security peers to learn current issues - SCADA & Process Control Security Summit February 2-3. http://www.sans.org/info/35149




US Chess Federation Board Member Sued for Alleged Unauthorized eMail Access (November 5, 2008)

A board member of the United States Chess Federation is facing a lawsuit brought by the organization, alleging that she accessed email messages sent between other board members and a lawyer without authorization. Susan Polgar and her husband Paul Truong, who is also a board member, were sued by another board member in October 2007 for allegedly making offensive posts in his name on Internet bulletin boards. The suit was ultimately dismissed. While the suit was pending, a specially-created US Chess Federation subcommittee hired an attorney to investigate the claims; the investigation determined that Truong was responsible for making the posts in question. Polgar quoted directly from email communication between the subcommittee and the attorney in messages to the board and on her own web site. She maintains she found the email messages on the Internet and did not access them without authorization.


LA Traffic Engineers Plead Guilty to Disrupting Traffic Signals (November 5 & 6, 2008)

Two City of Los Angeles (California) traffic engineers have pleaded guilty to illegally accessing a city computer. Gabriel Murillo and Kartik Patel admitted that they disrupted the traffic light control computer system shortly before a union action. The two used stolen supervisor credentials to disconnect signal control boxes at some of the city's busiest intersections, then manipulated the system so other managers could not reconnect the lights. The terms of their plea agreement dictate that they will pay restitution, serve 120 days in jail or 240 hours of community service, and submit to having their home and work computer use monitored.
[Editor's Note (Northcutt): A chilling element of this story: the first time they went to court and pleaded not guilty, they were gratified that a large number of city workers supported their cause; someone could have been killed. ]

Former Intel Employee Faces Additional Charges for Alleged Theft of Trade Secrets (November 6, 2008)

Former Intel design engineer Biswamohan Pani, who was earlier charged with theft of trade secrets from his former employer before he left for a job at a competing company, has been indicted on additional charges of wire fraud. Pani allegedly stole more than 100 pages of documents, including more than a dozen files that contained processor chip design information. The stolen information is estimated to be worth US $1 billion in R&D costs. Pani began working for Intel competitor AMD before he had officially separated from Intel. If he is convicted, Pani could face 10 years in prison for the trade secrets charge, and 20 years for each of the wire fraud charges. According to prosecutors, AMD was not aware that Pani possessed the documents and did not benefit from them.

[Editor's Comment (Northcutt): For Intel employees, this is a nightmare security scenario; they had even encrypted the documents. It will be interesting to learn the details of the breach. The Computerworld story values the information at $1 billion, and I do not doubt that for a second. If the allegations in the indictment prove to be true, this is a very bad boy. ]

Man Faces Charges for Allegedly Modifying Sniffer Used in Massive Data Theft Case (October 29 & November 5, 2008)

Federal prosecutors have charged Stephen Watt with conspiracy for allegedly modifying a sniffer program for Albert Gonzalez, the man who masterminded a massive data theft scheme that resulted in the theft of financial account information from the computer networks of numerous companies, including TJX. If he is convicted, Watt could face up to five years in prison and a US $250,000 fine.

Guilty Pleas in Connection With Citibank ATM Card Fraud (November 5, 2008)

Three people have pleaded guilty to charges of federal conspiracy and access device fraud for their roles in a scheme that used stolen Citibank ATM card information to steal US $2 million. Ivan Biltse, Angelina Kitaeva and Yuriy Rakushchynets (aka Yuriy Ryabinin) are just three of 10 suspects charged in the case earlier this year. The group allegedly broke into a server that processes ATM transactions from 7-Eleven cash machines.

Prison Sentence for Opening Former Employer's Mail Server to Spammers (November 4, 2008)

An IT manager has been sentenced to a year and a day in prison for breaking into his former employer's mail server and reconfiguring it as an open relay, which caused it to be used to send spam and caused email traffic from the company's servers to be blacklisted. Steven Barnes was fired from his position as IT manager at Blue Falcon Networks, now known as Akimbo Systems, in April 2003 after seven months on the job; his termination was related to his addiction to alcohol and cocaine. Barnes also admitted to deleting the company's Microsoft Exchange email database and the mail server's core boot files. He later accessed the servers again and changed the domain name.



Microsoft to Issue Two Patches on November 11 (November 6, 2008)

Microsoft plans to release two security bulletins on Tuesday, November 11, 2008. One of the bulletins is rated critical; the other is rated important. The critical bulletin addresses security issues in XML Core Services in Windows and Microsoft Office; the important bulletin addresses security issues in Windows. Both could be exploited to allow remote code execution.



Adobe Updates Acrobat and Reader (November 4 & 5, 2008)

Adobe has released security updates for Adobe Reader and Adobe Acrobat to address flaws that could be exploited to gain control of vulnerable computers. The flaws affect versions 8.1.2 and earlier of the products. Adobe Reader 9 is not vulnerable to the flaws. There have not been any reports of the vulnerabilities being exploited in the wild, but because the flaws have been rated critical, users are urged to update to version 8.1.3 or 9 as soon as possible. Internet Storm Center:




Technology Inserts Ads in Copyrighted Uploads (November 3, 2008)

MySpace and MTV Networks plan to begin testing software that automatically places advertisements on video clips uploaded by users that are deemed to be violating copyright laws. Such technology could change the face of the copyright issue by allowing people to upload content and allowing copyright holders to derive income from that content. YouTube already has a similar technology in place that allows users who upload copyrighted content to choose between inserting advertisements or removing the clips; 90 percent of users elect to add the ads.

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Ron Dick headed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Will Pelgrin is Chief Information Security Officer of New York State, chair of the Multi-State Information Sharing and Analysis Center and co-chair of the National ISAC Council.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/