

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XI - Issue #32

April 24, 2009

TOP OF THE NEWS

Pentagon To Centralize Cyber Warfare Command
Hathaway Paints Overview of Cyber Security Review
EU Telecommunications Bill Held Up by Three-Strikes Implementation Concerns
Teen Draws Prison Sentence for Botnet and Swatting Activity

THE REST OF THE WEEK'S NEWS

LEGAL ISSUES
Pirate Bay Defense Attorney to Seek Retrial
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
IRS Awards Payment Processing Contract to RBS WorldPay
NSA Director Says Agency Does Not Want to Control Cyber Security
Defense Science Board Report: DOD Needs Integrated Cyberspace Plan
POLICY AND LEGISLATIVE ACTIVITY
House Committee Seeks Information on P2P Data Theft, Briefing on Fighter Jet Data Theft
UPDATES AND PATCHES
Mozilla Releases Firefox Update
ATTACKS & ACTIVE EXPLOITS
Turnabout is Fair Play
Massive Botnet Claims PCs at 77 Government Domains Worldwide


********************** Sponsored By Sourcefire, Inc. ********************

Your Network Security Isn't Good Enough Anymore

Today's threats, and today's networks, are dynamic. Unfortunately most network security systems are not.

Join Martin Roesch, Founder and CTO of Sourcefire(R) and Creator of Snort(R), in a series of seminars, as he shows why network security must include full network visibility, relevant context, and automated impact assessment to be effective.

More information http://www.sans.org/info/42784

*************************************************************************

TRAINING UPDATE

- - Application Security Workshop April 29, Washington DC http://www.sans.org/appsec09_summit
- - Toronto 5/5-5/13 (15 courses) http://www.sans.org/toronto09/event.php
- - SANSFIRE in Baltimore 6/13-6/20 (24 long courses, 12 short courses) http://www.sans.org/sansfire09/event.php
- - New Orleans 5/5-5/10 (6 courses) http://www.sans.org/securityeast09/event.php
- - Pen Testing and Web App Summit - Looking for training in your own community? http://sans.org/community/
For a list of all upcoming events, on-line and live: www.sans.org

*************************************************************************

TOP OF THE NEWS

Pentagon To Centralize Cyber Warfare Command (April 22 & 23, 2009)

US Defense Secretary Robert Gates said he is looking at establishing a "sub-unified command at STRATCOM for cyber (warfare)." Currently, US military cyber security and defense efforts are decentralized, handled by several different entities. A centralized cyber warfare command would help the military avoid duplication of efforts.
-http://www.nytimes.com/2009/04/23/us/politics/23security.html?ref=global-home
-http://online.wsj.com/article/SB124035738674441033.html
-http://www.informationweek.com/news/government/technology/showArticle.jhtml?articleID=217000202

[Editor's Note (Paller): There is ample evidence to believe this move will be taken soon after Ms. Hathaway's report is released by the White House. It is a significant move by DoD, demonstrating an understanding of the seriousness of the cyber threat and what it takes to respond with confidence and skill. The next great question is whether Congress and the White House will act with the same potency to counter the equally great threat to the critical national infrastructure and the civilian agencies. ]

Hathaway Paints Overview of Cyber Security Review (April 23, 2009)

Speaking at the RSA Conference, Melissa Hathaway, a US National Security Council official, offered a preview of her recently completed 60-day review of the US government's cyber security preparedness. Hathaway supports a stronger White House role in coordinating cyber security because safeguarding the government's computer networks is too broad a job for any one agency. Hathaway also said that the public and private sectors need to work together to protect the security of the country's infrastructure, but that leadership for the effort "is the fundamental responsibility of our government." The report's findings will be made public after President Obama and members of his administration have reviewed it.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9132000&source=rss_topic17
-http://www.msnbc.msn.com/id/30367760/
-http://news.smh.com.au/breaking-news-technology/us-cyberspace-head-says-security-needs-team-effort-20090423-ag15.html
-http://news.bbc.co.uk/2/hi/technology/8011380.stm

EU Telecommunications Bill Held Up by Three-Strikes Implementation Concerns (April 20 & 22, 2009)

The European Parliament's industry committee approved an amendment to a major European Union telecommunications bill that would require approval from "a competent legal authority" before cutting off Internet service. The move is aimed at deflating France's new three-strikes anti-piracy law that some have viewed as "draconian." The EU telecommunications bill is aimed at unifying the Internet and cellular phone networks among member states.
-http://euobserver.com/19/27979
-http://www.nytimes.com/2009/04/21/technology/internet/21net.html?ref=technology
-http://arstechnica.com/tech-policy/news/2009/04/eu-parliament-raises-hurdles-with-three-strikes-rule.ars

Teen Draws Prison Sentence for Botnet and Swatting Activity (April 20 & 21, 2009)

A Massachusetts teenager has been sentenced to 11 months in jail for using a botnet to conduct distributed denial-of-service (DDoS) attacks and for "swatting," or making phony emergency calls that lead to SWAT teams being sent out needlessly. According to prosecutors, the teen also broke into corporate computer systems and stole information. He pleaded guilty to computer fraud, interstate threats and wire fraud late last year.
-http://news.bostonherald.com/news/regional/view/2009_04_20_Teen_hacker_sentenced_to_11_months/srvc=home&position=recent
-http://www.theregister.co.uk/2009/04/21/swatting_hacker_jailed/
[Editor's Note (Liston): This makes ordering a couple unwanted pizzas for the next-door-neighbor's house seem pretty tame, by comparison. Not that, in my youth, I would have *ever* done such a thing, mind you...
(Schultz): Given the severity of the crimes committed, a jail sentence of 11 months may not sound like much. However, the fact that someone under the age of 18 has received time in jail rather than mere probation for the commission of cybercrimes is extremely significant.
(Northcutt): When he gets out in 11 months, then what? He becomes a respected security researcher? I sense we are going to hear about him again. ]

THE REST OF THE WEEK'S NEWS

LEGAL ISSUES

Pirate Bay Defense Attorney to Seek Retrial (April 23, 2009)

A defense attorney representing one of the defendants in the Pirate Bay court case in Stockholm said he will seek a retrial following the revelation that the judge in the case is a member of Swedish copyright protection organizations. Four men were convicted last week of aiding others' attempts to violate copyrights; each man was sentenced to one year in prison and ordered as a group to pay 30 million kronor (US $3.6 million) to digital media companies. The judge said that his involvement with the groups did "not constitute a conflict of interest."
-http://www.siliconrepublic.com/news/article/12811/digital-life/pirate-bay-lawyer-to-demand-a-retrial
-http://blog.wired.com/27bstroke6/2009/04/pirateconflict.html
-http://news.bbc.co.uk/2/hi/technology/8014626.stm
[Editor's Note (Liston): Regardless of which side of this case you're on, failure on the part of the judge to disclose this information prior to the trial is clearly inappropriate. Whether it rises to the level of warranting a retrial will be up to the Court of Appeal. ]

GOVERNMENT SYSTEMS AND HOMELAND SECURITY

IRS Awards Payment Processing Contract to RBS WorldPay (April 23, 2009)

RBS WorldPay, the payment processor that recently acknowledged a security breach that compromised an estimated 1.5 million payroll card accounts and 1.1 million Social Security numbers (SSNs), has been awarded a contract to process US Internal Revenue Service (IRS) tax return payments. Last month, Visa declared RBS was not in compliance with the Payment Card Industry Data Security Standard (PCI DSS); a spokesperson for the Atlanta-based payment processor says the company expects to be compliant once again "within the next few weeks." RBS will not process taxpayer credit card payments until January 20, 2010; before that date, the company must show that its IT systems are PCI DSS compliant and it must pass an IRS-required security audit.
-http://voices.washingtonpost.com/securityfix/2009/04/rbs_worldpay_awarded_tax_recor.html

[Editor's Note (Schultz): Lamentably, the IRS's decision poignantly shows just how little regard this agency has for information security. Hopefully, the IRS's extremely questionable judgment in this case will be subjected to Congressional and GAO oversight.
(Liston): And in other news, the NRA has appointed Dick Cheney as its spokesman for gun safety. ]

NSA Director Says Agency Does Not Want to Control Cyber Security (April 22, 2009)

National Security Agency Director Lt. General Keith B. Alexander said at the RSA Conference that his agency does not want to be in charge of the country's cyber security. Instead, he said, the NSA wants to be part of a team that will take on the issue. Alexander said DHS should continue to oversee cyber security for civilian agencies and the NSA do the same for military agencies. He did put forward the notion that it would be more efficient to manage crises from a centralized position and that NSA "has tremendous technical abilities."
-http://www.securityfocus.com/brief/951
-http://www.scmagazineus.com/RSA-NSA-doesnt-want-to-run-US-cybersecurity-director-says/article/131099/
-http://news.cnet.com/8301-13578_3-10224579-38.html
[Editor's Note (Northcutt): This approach makes sense. NSA has tremendous technical ability and should be part of the team, but it would be far too easy to start down a path that doesn't lead to liberty and justice if they have the lead for civilian agencies. If this does stay with DHS for civilian agencies, they need to really come up to speed fast. ]

Defense Science Board Report: DOD Needs Integrated Cyberspace Plan (April 23, 2009)

A Defense Science Board report said that DOD cannot adequately defend its networks from cyber attacks because it lacks centrally managed networks and systems that can respond to the attacks. The task force responsible for the report concluded that "without an integrated net-centric/cyberspace plan, threats from cyber-intelligent adversaries represent a clear and present danger to US national security." The report recommends steps DOD can take toward establishing a "joint interoperable net-centric force within" the department.
-http://www.nextgov.com/nextgov/ng_20090423_2545.php
-http://www.acq.osd.mil/dsb/reports/2009-04-Interop.pdf

POLICY AND LEGISLATIVE ACTIVITY

House Committee Seeks Information on P2P Data Theft, Briefing on Fighter Jet Data Theft (April 22 & 23, 2009)

The US House Committee on Oversight and Government Reform has sent letters to Attorney General Eric Holder and Federal Trade Commission (FTC) chairman Jon Leibowitz asking what the Justice Department and the FTC have done to prevent illegal use of peer-to-peer (P2P) filesharing applications. Specifically, the committee is concerned about the applications being used to steal financial account information, health data and other sensitive information. Security experts would like to see the committee focus on encouraging agencies to prevent workers from downloading P2P applications. In a separate story, the same House committee is seeking a cyber security briefing following allegations that cyber intruders stole information about the Joint Strike Fighter.
-http://www.washingtonpost.com/wp-dyn/content/article/2009/04/21/AR2009042103508_pf.html
-http://www.nextgov.com/nextgov/ng_20090423_8694.php
-http://fcw.com/Articles/2009/04/22/Web-cyber-security-briefing.aspx
[Editor's Note (Liston): While technical means for controlling P2P use exist, they're certainly not foolproof. From my perspective, nothing works better than making the installation of an unapproved application a fireable offense AND monitoring your networks and following through on the threat. ]

UPDATES AND PATCHES

Mozilla Releases Firefox Update (April 23, 2009)

Mozilla has released Firefox 3.0.9. The web browser update fixes a dozen security flaws, four of which have been deemed critical; two of the critical flaws affect the browser engine and the other two affect the JavaScript engine. The vulnerabilities could be exploited to allow attackers to execute arbitrary code. Two other flaws addressed in the update could be exploited to allow cross-site scripting (XSS) attacks and content injection attacks.
-http://news.cnet.com/8301-1009_3-10224719-83.html?part=rss&subj=news&tag=2547-1009_3-0-20
-http://www.heise.de/english/newsticker/news/136629
-http://www.mozilla.com/en-US/firefox/3.0.9/releasenotes/

ATTACKS & ACTIVE EXPLOITS

Turnabout is Fair Play (April 22, 2009)

A tool that is used to sniff out Conficker worm infections has been updated to use the same peer-to-peer (P2P) protocol that the malware itself uses to receive communication from those who control it. The "script goes out and looks for Conficker's listening ports, then tries to chat with them." Conficker has infected millions of PCs since it first emerged late last year.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9131983&source=NLT_PM

Massive Botnet Claims PCs at 77 Government Domains Worldwide (April 21 & 22, 2009)

Finjan says it has discovered a botnet comprising nearly 2 million PCs. The botnet was traced to a group in Ukraine; its command-and-control server has been disabled. The group allegedly made money by renting out use of the botnet. The malware used to build the botnet spreads through Internet Explorer (IE), Firefox and PDF flaws; it can log keystrokes, copy files, send spam and take screenshots. The botnet infected PCs in 77 government domains, including some in the US and the UK, and also infiltrated 52 corporate networks around the world. Finjan has notified the affected corporate and government entities.
-http://fcw.com/Articles/2009/04/22/RSA-botnet.aspx
-http://news.bbc.co.uk/2/hi/technology/8010729.stm
-http://www.theregister.co.uk/2009/04/22/superbotnet_server/
-http://gcn.com/Articles/2009/04/22/RSA-botnet.aspx
-http://www.ft.com/cms/s/0/2e8a5a04-2e8f-11de-b7d3-00144feabdc0.html?nclick_check=1

[Editor's Note (Northcutt): There is going to be a lot of pain for the folks at these government domains and corporate networks responsible for incident response. Getting these systems clean is not going to be easy, and unless they can solve the root cause of how they are getting infected, soon after they get a box clean it will get infected again with even worse malware. ]


**********************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/