SANS NewsBites

Volume XI - Issue #11

February 10, 2009

There have been many kudos and some loud screaming in the aftermath of the release of the Top 25 Most Damaging Programming Errors, and much of it is valuable. One of the most important areas of concern is how to write the Top 25 into procurement documents at the federal and state level and for commercial organizations, and a major SANS project, involving the key players, is underway and planned for completion within 30 days. If you have a strong opinion on how to improve the draft written by Will Pelgrin of New York State with substantial input from Jim Routh of Depository Trust and Jeff Williams at Aspect Security (and OWASP) www.sans.org/appsecsontract, please speak now. Email appseccontract@sans.org.
Two really good reads
(1) To better understand cyber crime: Shane Harris's "The Cybercrime Wave" at the National Journal web site: http://www.nationaljournal.com/njmagazine/cs_20090207_7484.php
(2) To better understand the ominous Conficker worm: USA Today's Byron Acohido's blog this morning at http://lastwatchdog.com/?p=329


Hathaway to Lead Federal IT System Security Review
Houston Municipal Court Shutdown Due to Malware Infestation
RBS WorldPay Facing Class Action Lawsuit Over Breach
German Magazine Says Armed Forces Establishing Cyber Warfare Unit
NIST Accepting Public Comment on FISMA Compliance Guidance Document
FTC Reaches Settlement with Geeks.com Over Insufficient Security Measures
Phishers Lure Users with Offer of Economic Stimulus Payments
Microsoft to Address UAC Security Concerns in Next Release of Windows 7 Beta
HP Issues Fix for Security Flaw in Printers
Cisco Issues Updates to Address DoS and Privilege Escalation Flaws
Kaiser Permanente Personnel Data Found in Suspect's Home
Kaspersky Database Hit by SQL Injection Attack




Hathaway to Lead Federal IT System Security Review (February 9 & 10, 2009)

President Barack Obama plans to have Melissa Hathaway, former cyber coordination executive to the Director of National Intelligence, conduct a 60-day review of the government's cyber security. During the review period, Hathaway will serve as Acting Senior Director for Cyberspace for the National Security and Homeland Security Councils. There are unconfirmed reports that after the review period, Hathaway will be named Obama's cyber security chief.

[Editor's Note (Paller): In response to Ms. Hathaway's being named to this White House post, you'll hear a chorus of whining from people outside government who wanted a more technical and experienced cyber person, and you won't hear (because it will all happen behind closed and locked doors) a series of other salvos from the folks who believe that they, rather than Ms. Hathaway, should have the power to control all government and critical infrastructure cyber resources. My take on it is that the folks inside government who want to control all the cyber resources - both offensive and defensive - can probably do that very well, and should be given the operational responsibility. However, they, and the nation, will be best served having someone as effective as Ms. Hathaway (she's actually quite extraordinary) in the White House ensuring their activities balance national priorities effectively. That combination, employing appropriate checks and balances, is a winning strategy.
(Weatherford): This is good news indeed and very encouraging to see it happen so quickly in the new administration. Someone in the White House is listening. The results of the 60-day review could very well set the stage for revolutionary change in government cyber security programs. Bob Gourley has an interesting blog post at CTOvision.com about Melissa Hathaway. ]

Houston Municipal Court Shutdown Due to Malware Infestation (February 7 & 9, 2009)

A malware infection of some computers in the Houston, Texas city network resulted in the shutdown of part of the city's municipal court system late last week. Offices were still open for people to pay parking tickets and other fines, but the court dockets had to be reset. Due to the infection, Houston police temporarily stopped making some minor offense arrests. Officials believe the malware has spread to 475 of the city's more than 16,000 computers, an infection level of about three percent. On Friday afternoon, city officials brought in a cyber security company to help clean the computers. Houston's deputy director of information technology says the primary malware suspect in the case is Conficker, also Downadup. As of Monday morning, the courts were still closed.
[Editor's Note (Hoelzer): Only 2.9% of their computers down brings the courts to a halt and has a direct effect on the real world. This is why cyberterrorism is so serious. Imagine the impact of 10% of federal systems... or worse, 90%. This example provides ammunition to demonstrate the real world impact of what is really a minor infestation!
(Ullrich): News articles focus on the impact on court business. An infection like this is of course also a huge opportunity for data leakage. Let's remember that Downadup is just the type of tool a bad guy would use to break into these systems.
(Pescatore): There has been a lot of complacency about patching - the patch for this has been out since 15 October 08. While more recent targeted threats are *not* targeting unpatched systems, old style threats are alive and well. The key is reducing the cost of regularly patching and keeping signature-based protection up to date, vs. just not doing it. ]





RBS WorldPay Facing Class Action Lawsuit Over Breach (February 6, 2009)

Law firms in Pennsylvania, Georgia and Washington DC have filed a class action lawsuit against payment processor RBS WorldPay. A security breach of the company's computer network led to a worldwide ATM scam in which people armed with phony payment cards made US $9 million in fraudulent ATM withdrawals. The withdrawals occurred on November 8, 2008 in 49 cities around the world; RBS WorldPay learned two days later that the information used to create the phony cards came from its computer network. Customers were notified of the breach on December 23, 2008.


German Magazine Says Armed Forces Establishing Cyber Warfare Unit (February 9, 2009)

German magazine Der Spiegel reports that the country's armed forces are in the process of establishing a unit dedicated to cyber warfare. The unit will take on responsibility for protecting German IT infrastructure from attacks as well as conducting reconnaissance and interventions on foreign and "enemy" computer networks.

[Editor's Note (Skoudis): To me, this seems perfectly natural. Many battles have occurred in the cyber realm already, and will do so increasingly. I also think a nation state should signal its willingness to engage in that arena, lest its adversaries assume weakness leading to potentially tragic miscalculations. ]

NIST Accepting Public Comment on FISMA Compliance Guidance Document (February 6, 2009)

The National Institute of Standards and Technology (NIST) has released for public comment a revised draft of Special Publication 800-53 (SP 800-53), Recommended Security Controls for Federal Information Systems and Organizations, the document's "first major update ... since its initial publication in December 2005." The document aims to help federal agencies implement changes to comply with the Federal Information Security Management Act (FISMA). NIST is accepting public comment on the draft document until March 27, 2009.


FTC Reaches Settlement with Geeks.com Over Insufficient Security Measures (February 5, 6 & 9, 2009)

The US Federal Trade Commission (FTC) has announced a settlement with Compgeeks, which does business as Geeks.com and Computer Geeks Discount Outlet, and Compgeeks' parent company Genica regarding charges that the company did not take adequate steps to ensure the security of customer data. According to the terms of the settlement, Compgeeks and Genica are barred from making "deceptive privacy and data security claims." The company will also establish a security program and submit to third-party audits every two years for the next 10 years. Customer data were compromised when cyber criminals accessed company computer systems through SQL injection attacks. The attacks persisted throughout the first half of 2007, although Compgeeks did not learn of the breach until the end of that year. The company disclosed the intrusion in January 2008. According to the FTC complaint, Compgeeks was storing the customer data unencrypted.



Phishers Lure Users with Offer of Economic Stimulus Payments (February 7 & 9, 2009)

The US Computer Emergency Readiness Team (US-CERT) has warned that phishers are sending email messages that appear to come from the Internal Revenue Service (IRS). The messages tell the recipients that they can receive economic stimulus payments by visiting a certain website or filling out an attached document, both of which ask for personal information.
[Editor's Note (Pescatore): Just think: somewhere out there is a legitimate Nigerian banker who really *is* trying to return $450,000 to someone - but no one will believe him. It really is time for the industry to invest in authenticated email. ]


Microsoft to Address UAC Security Concerns in Next Release of Windows 7 Beta (February 6, 2009)

Microsoft says that it will make changes to the User Account Control (UAC) interface in the next release of Windows 7 Beta. Last week, Microsoft responded to reports that the current UAC in Windows 7 could be disabled without user interaction, but the company now plans to make the next version of Windows 7 Beta run the UAC control panel "in a high integrity process," which should prevent the attack described last week. In addition, users will be prompted before any changes are made to the UAC level.


[Editor's Note (Skoudis): I'm glad that Microsoft is now taking this seriously. In Vista, UAC was an annoyance. Getting it tuned properly for Win7 is proving to be difficult, but that doesn't mean it should be thrown out. ]


HP Issues Fix for Security Flaw in Printers (February 6 & 9, 2009)

HP has released a firmware update for its LaserJet printers to fix a directory traversal vulnerability that could be exploited to gain access to files sent through the web administration console. The flaw affects the HP LaserJet 2410, 2420, 2430, 4250, 4350, 9040 and 9050 series; the HP LaserJet 4345mfp, 9040mfp and 9050mfp; the HP Color LaserJet 4730mfp and 9500mfp; and the HP 9200C Digital Sender. Attackers can potentially view vulnerable printers' configurations, which would allow them to see cached versions of printed documents.
[Editor's Note (Ullrich): Patching embedded systems will continue to be a challenge. Most are overlooked and not all that visible. Printers are a great place to get started, and this is not the first security-relevant patch for a printer.
(Northcutt): A modern printer is a computer. Anything that can happen to a computer can happen to a printer, especially an advanced printer. That said, I know that HP has been proactive in trying to secure their printers, or at least they were a year ago. If anyone from HP (or any other printer manufacturer) would like to submit a one- or two-page white paper on what they have done to secure their product, please contact me, stephen@sans.edu ]

Cisco Issues Updates to Address DoS and Privilege Escalation Flaws (February 5 & 6, 2009)

Cisco has issued updates to address a trio of denial-of-service flaws and a privilege escalation flaw in its wireless routers. The DoS vulnerabilities can be exploited to stop a system or cause it to restart. The flaws affect the Cisco Wireless LAN Controller, Catalyst 6500 Wireless Services Module and Catalyst 3750 Integrated Wireless LAN Controller. Administrators are urged to apply the updates as soon as possible.




Kaiser Permanente Personnel Data Found in Suspect's Home (February 6, 2009)

Kaiser Permanente employees in Northern California have been notified that a recently arrested criminal suspect was found to be in possession of their personal data. A computer file containing the data was discovered in the home of Mia Garza, who is not a Kaiser employee. Approximately 29,500 people are believed to be affected by the breach. The data are from the employees' personnel files and do not include medical records. Kaiser has initiated an internal investigation to determine the source of the breach. A Kaiser human resources executive says that "only a handful of employees have reported identity theft." Garza faces half a dozen felony charges, including receiving stolen property, identity theft and forgery.


Kaspersky Database Hit by SQL Injection Attack (February 9, 2009)

Kaspersky Lab has confirmed reports that an intruder was able to access a company database that holds customer information through an SQL injection attack. The information was exposed for a week and a half before the company became aware of the situation. A senior researcher at the company said that no customer data were accessed; the attack accessed only the database's table labels. Upon learning of the vulnerability, Kaspersky "immediately took action to roll back the (affected) subsection of the site to eliminate the risk." The company has hired an expert to investigate the breach.


[Editor's Note (Honan): There seems to be a spate of attacks recently against computer security companies; BitDefender was also apparently hit by the same hacker, and the sites for Metasploit, Packetstorm, and Milw0rm were victims of DDoS attacks over the weekend.
(Schultz): Having worked for a security product vendor in the past, I know that news of a security breach, especially one in which customer data are potentially involved, is one of the worst marketing setbacks such a vendor can have. The fact that Kaspersky learned of the breach only after being notified by the attackers is not going to help Kaspersky's tarnished image, either. ]

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Ron Dick headed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.

Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/