
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XI - Issue #27

April 07, 2009

TOP OF THE NEWS

Judge to Decide if Hannaford Breach Liability Case Will Go to Trial
French Legislators Approve Three-Strikes Anti-Piracy Law
Swedish Anti-Piracy Law Cuts Internet Traffic
UK ISPs Now Required to Retain Internet Communications Data

THE REST OF THE WEEK'S NEWS

GOVERNMENT SYSTEMS AND HOMELAND SECURITY
IRS Late in Implementing Federal Desktop Core Configuration Settings
IG Report Says Interior Department Did Not Address Security Issues
County Auditor's Office Investigating Presence of Password Sniffers on Computer
VULNERABILITIES
Attackers Exploiting Unpatched PowerPoint Flaw
DATA BREACHES, LOSS & EXPOSURE
Univ. of Washington Notifies 6,000 of Data Breach
ATTACKS & ACTIVE EXPLOITS
Neeris Variant Inspired By Conficker
MISCELLANEOUS
Microsoft and Facebook Team Up to Put the Kibosh on Koobface
COOL TRAINING EVENTS
Penetration Testing Summit
Application Security Summit


******************* Sponsored By Tufin Technologies *********************

Complete Firewall Security Audits in 25% of the Time!

Tufin SecureTrack automates repetitive firewall administration tasks so you can make configuration changes twice as fast. Eliminate risks right away with real-time change monitoring and in-depth policy risk analysis. Improve security and performance with automated rulebase usage optimization.

Learn more - click for a free Tufin polo shirt and a chance to win an Apple iPod Touch.
http://www.sans.org/info/42179

*************************************************************************

TRAINING UPDATE

- - Toronto 5/5-5/13 (15 courses) http://www.sans.org/toronto09/event.php
- - SANSFire in Baltimore 6/13-6/20 (24 long courses, 12 short courses) http://www.sans.org/sansfire09/event.php
- - New Orleans 5/5-5/10 (6 courses) http://www.sans.org/securityeast09/event.php
- - Washington DC (Tyson's Corner) 4/14-4/22 (5 long courses and 8 short courses) http://www.sans.org/tysonscorner09/event.php
- - Plus San Diego, Amsterdam and more, too. See www.sans.org
- - Log Management Summit in Washington 4/5-4/7 http://www.sans.org/logmgtsummit09/
- - Looking for training in your own community? http://sans.org/community/
For a list of all upcoming events, on-line and live: www.sans.org

*************************************************************************

TOP OF THE NEWS

Judge to Decide if Hannaford Breach Liability Case Will Go to Trial (April 2 & 6, 2009)

A federal judge will soon decide if Hannaford Bros. can be held liable for damages stemming from a data security breach in late 2007 and early 2008. The attackers stole details of more than 4 million credit and debit cards. Attorneys for Hannaford have asked that the lawsuit be dismissed, while attorneys for the plaintiff want the judge to certify the case as a class-action lawsuit and allow it to go to trial. The plaintiff's legal team maintains that Hannaford knew of the breach for at least three weeks before disclosing it last March. Hannaford's lead attorney said that none of the plaintiffs suffered any actual damages: those whose cards were used to make unauthorized transactions were reimbursed by their issuing banks, and the inconvenience of the time affected customers spent cancelling compromised cards and obtaining new ones does not merit a lawsuit.
-http://pressherald.mainetoday.com/story.php?id=248452

French Legislators Approve Three-Strikes Anti-Piracy Law (April 3, 2009)

In an all but unanimous vote, the French National Assembly approved a "three-strikes" anti-piracy bill. Under the pending legislation, users believed to be violating copyright laws by downloading digital content illegally will first receive a warning email. If they continue to download files illegally, they will receive letters, and a third offense will result in their Internet connections being severed for at least two months and possibly up to one year. The Senate has already passed similar anti-piracy legislation, and a final version of the bill is expected to be hammered out this week.
-http://euobserver.com/9/27910
[Editor's Note (Schultz): Vive La France! ]

Swedish Anti-Piracy Law Cuts Internet Traffic (April 3 & 6, 2009)

An anti-piracy law in Sweden called the Intellectual Property Rights Enforcement Directive (IPRED) that took effect on April 1 appears to be responsible for a significant drop-off in web traffic in that country; the decline has been estimated at between 33 and 40 percent. The new law requires Internet service providers (ISPs) to divulge customer names associated with IP addresses believed to be used to download files illegally.
-http://www.nzherald.co.nz/connect/news/article.cfm?c_id=1501833&objectid=10565443

-http://www.scmagazineuk.com/File-sharing-levels-plummet-after-anti-piracy-law-is-passed-in-Sweden/article/130151/

-http://blog.wired.com/business/2009/04/law-forces-swed.html

UK ISPs Now Required to Retain Internet Communications Data (April 6, 2009)

The UK's Data Retention (EC Directive) Regulations 2009, which took effect on Monday, April 6, 2009, require Internet service providers (ISPs) to retain Internet communication data for 12 months. The information to be kept includes websites users visited or attempted to visit; the sender, recipient, date and time of email sent; and the caller and recipient of Internet telephone calls. The regulations also require telecommunications companies to retain information about both fixed and mobile telephone usage, including callers' locations. The new law takes the place of the Data Retention (EC Directive) Regulations 2007. Law enforcement authorities may gain access to the stored records with a warrant.
-http://news.zdnet.co.uk/communications/0,1000000085,39637592,00.htm
-http://news.bbc.co.uk/2/hi/technology/7985339.stm


************************** SPONSORED LINKS ******************************

1) InstantSecurityPolicy.com - Custom IT Security Policies Created and Delivered Online; Quick, Comprehensive, and Complete. http://www.sans.org/info/42184

2) Alert Logic webinar demonstrates how cloud computing makes log management better, faster, and cheaper. http://www.sans.org/info/42189

3) Visit the SANS Vendor Demo resource page to see the latest INFOSEC products & solutions in action! http://www.sans.org/info/42194

*************************************************************************

THE REST OF THE WEEK'S NEWS

GOVERNMENT SYSTEMS AND HOMELAND SECURITY

IRS Late in Implementing Federal Desktop Core Configuration Settings (March 27 & April 6, 2009)

A report from the Treasury Inspector General for Tax Administration (TIGTA) says that the US Internal Revenue Service (IRS) has been dragging its feet in its implementation of required security measures. Nine months after the February 1, 2008 deadline for adoption of the Federal Desktop Core Configuration (FDCC), the IRS had implemented 102 of the 254 required security settings on its 98,000 desktop and laptop computers running Windows XP or Vista. By December 2008, 205 of the settings had been implemented. Among the obstacles the IRS faces are the large number of locations (670) in which it has computers and the fact that it runs about 1,900 applications, all of which must be tested against FDCC settings. The delay was also compounded by the fact that the IRS did not assemble an FDCC implementation team until a week before the February 1 deadline. The report also found that IRS computers do not have automated monitoring to detect changes made to settings after installation.
-http://fcw.com/Articles/2009/04/06/Web-IRS-security-settings.aspx
-http://www.nextgov.com/nextgov/ng_20090406_2265.php
-http://www.treas.gov/tigta/auditreports/2009reports/200920055fr.html
[Editor's Note (Pescatore): The real issue is not having every PC run the baseline FDCC image. Even with the update of the core configuration, many roles will need deviations from FDCC to get their job done. The issue is reducing the number of images, having standard images and using SCAP-compliant vulnerability testers to make sure only those standard images are in use.
(Schultz): Security problems in the IRS have been in the spotlight now for many years. Given the importance of safeguarding taxpayer information, it is difficult to understand why the IRS is not doing better.
(Ranum): I question the usefulness of "102 of 254 required settings" as a metric of security goodness. But what always frustrates me about these articles like "federal agency X fails security efforts yet again" is that they never include any information indicating that anything is going to be done about it. Accepting failure facilitates failure. ]

IG Report Says Interior Department Did Not Address Security Issues (April 5, 2009)

A report from the US Interior Department's then-Inspector General (IG), written last spring but made public just last week, said that despite having been ordered by a judge to fix serious cyber security problems, the department's computer network remains vulnerable. The report also states that it may not be possible to tell if information has been compromised. For example, in January 2008, "nearly 70 percent of the network traffic leaving the Department through a single one of its Internet gateways ... was bound for known hostile countries and (Interior) lacked the capability to even determine what the traffic was." The report, which was written by then-IG Earl A. Devaney, became public when it was published as part of a longstanding lawsuit brought by Native Americans against the federal government.
-http://www.washingtonpost.com/wp-dyn/content/article/2009/04/04/AR2009040403162_pf.html

[Editor's Note (Pescatore): The IG's report places a lot of blame on DoI's decentralized IT organization, with various Bureaus all going off in their own directions. This is a common problem - if you can't have centralized control, then you at least need a federated governance approach. Just being "decentralized" is often no different than being "chaotic."
(Northcutt): There has been so much published about the Department of Interior and BIA in particular that it is hard for an outsider to know the truth. I do think a small bit of the stimulus money could go towards making the security investments to make DOI a model agency, a poster child for information security. I would be willing to volunteer some time to visit some facilities and make some suggestions and I would like to think several other security professionals would do the same.
(Paller): Interior officials, with the judge looking over their shoulders, are in a perfect position to become the first agency to use the Consensus Audit Guidelines (CAG) as a standard, and the Interior IG and OMB should be standing right next to them helping. The battles being fought in court and at Interior are almost entirely over the question, "How much security is enough?" That's the key question the Twenty Critical Controls in the CAG answer. ]

County Auditor's Office Investigating Presence of Password Sniffers on Computer (April 4, 2009)

The Clark County, Indiana auditor's office is conducting an internal investigation after two suspicious applications were detected on one of its computers. (Both applications - Cain & Abel and LCP - are known password recovery tools for Windows systems.) Few details were available about the actual incident under investigation apart from the fact that it occurred on the evening of March 30, 2009 and the possibility that someone had accessed information without permission.
-http://www.newsandtribune.com/clarkcounty/local_story_094202804.html
-http://www.newsandtribune.com/local/local_story_093134940.html
[Editor's Note (Schultz): The presence of cracker software on a system is normally a major indication of wrongdoing. Possibly an insider has installed such software without authorization, or an external attacker has gained unauthorized access and the necessary privileges to be able to do so. ]

VULNERABILITIES

Attackers Exploiting Unpatched PowerPoint Flaw (April 2 & 3, 2009)

An unpatched vulnerability in PowerPoint is being actively exploited in "limited and targeted attacks," according to Microsoft. Successful exploitation depends on tricking users into opening maliciously crafted PowerPoint files either on websites or as email attachments. Security company McAfee has detected attempts to exploit the flaw to place Trojan horse programs on vulnerable computers. Microsoft says it is investigating the vulnerability, which often means a patch will be forthcoming.
Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=6115
-http://www.theregister.co.uk/2009/04/03/powerpoint_0day_trojan_menace/
-http://www.microsoft.com/technet/security/advisory/969136.mspx
[Editor's Note (Schultz): (Humor intended) Given McAfee's stance, this vendor will soon blame the problem on "cloud computing" (whatever this grossly overgeneralized term means).
(Honan): It should be noted that this does not affect PowerPoint 2007 or the PowerPoint viewers for Office 2003 and 2007. You can also use MOICE (the Microsoft Office Isolated Conversion Environment) to view files until Microsoft releases a patch for this vulnerability; see
-http://support.microsoft.com/kb/935865
(Northcutt): Until the patch is available, organizations with awareness newsletters, etc., should warn users about opening PowerPoint files from anyone other than another employee or someone known to them. ]

DATA BREACHES, LOSS & EXPOSURE

Univ. of Washington Notifies 6,000 of Data Breach (April 1 & 3, 2009)

The University of Washington has notified more than 6,000 employees that their personal information was compromised in a data security breach late last year. Perpetrators managed to gain access to two University Transportation Department servers containing the employees' names and Social Security numbers (SSNs). The attacks began in early December 2008; the servers were taken offline on December 30 after a review revealed "obvious signs of compromise." The university stopped using SSNs as unique identifiers in 2002, but the Transportation Department continued to use the numbers to process transactions.
-http://www.kuow.org/program.php?id=17258
-http://seattletimes.nwsource.com/html/localnews/2008958501_uwdata01m.html

ATTACKS & ACTIVE EXPLOITS

Neeris Variant Inspired By Conficker (April 3 & 6, 2009)

A new variant of the Neeris worm now exploits the same Windows flaw used by Conficker. Neeris was first detected in May 2005 and originally exploited a flaw that Microsoft patched in MS06-040. The new version of the worm has been updated so that it exploits the flaw patched in MS08-067. Like Conficker, Neeris spreads through Autorun. Detections of the worm spiked on March 31 and April 1, but there is no evidence that it is linked to Conficker's April 1 domain algorithm change.
-http://blogs.technet.com/mmpc/archive/2009/04/03/a-new-exploit-of-ms08-067-has-been-identified.aspx

-http://www.theregister.co.uk/2009/04/06/old_worm_adopts_conficker_tricks/

MISCELLANEOUS

Microsoft and Facebook Team Up to Put the Kibosh on Koobface (April 6, 2009)

Microsoft and Facebook are working together to protect users from the Koobface worm. Koobface spreads through Facebook and MySpace social networking sites and infects users who run vulnerable versions of Windows. It steals login information so it can hijack accounts and spam users' contact lists. The spam usually contains a link to what is billed as a video, but users who click the link are told they must download a program to watch the clip. If users agree to the download, their machines become infected with malware. Microsoft has added Koobface to its Malicious Software Removal Tool (MSRT), which removed nearly 200,000 instances of Koobface from more than 133,000 computers in two weeks.
-http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=216403016

-http://www.scmagazineuk.com/Microsoft-and-Facebook-join-forces-to-battle-and-crush-Koobface-worm/article/130153/

-http://www.theregister.co.uk/2009/04/06/koobface_clean_up/

COOL TRAINING EVENTS

Penetration Testing Summit

Where else can you find the best speakers from other hacker conferences all at one program: HD Moore on the future of Metasploit; Joshua Wright on evolving wireless attacks; Jeremiah Grossman on the Top Ten Web Hacking Techniques; Robert "rSnake" Hansen on web app vulnerabilities; Paul Asadoorian on late-breaking pen test techniques; Larry Pesce on using document metadata in pen tests; Jason Ostrum on VoIP pen testing; Ed Skoudis on secrets of pen testing?
The Summit is June 1 and 2 in Las Vegas. Registration information is here:
-http://www.sans.org/pentesting09_summit/

Application Security Summit - April 9 - Washington DC.

Learn from actual users which application security tools and processes work best and participate in establishing requirements that may be used for large scale procurement of these tools across government.
-http://www.sans.org/appsec09_summit/


**********************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/