
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XI - Issue #35

May 05, 2009

Big stories this week: personal health care data in Virginia held hostage with exposure threatened, pirated Windows 7 copies that contain Trojans, a botnet's 70 GB data theft, Europe saying "no more US control of ICANN," the core of the Internet under attack, and several more. No one promised security would offer a tranquil career, but the turmoil seems to be accelerating.

On a less stressful topic: I just tried two of the new free mini-courses from SANS (there are four: pen testing, forensics, vulnerability testing and Windows intrusion detection). They are very short, ten minutes or so, just samples, but you actually learn a lot in a short time. What is most interesting about them is how close the online teaching is to live classes. When the instructors are good enough, on-demand courses are just wonderful, perhaps better than traveling to attend a live class because you can replay and review sections (TiVo-like) whenever you want. And you get real-time feedback on mastery with quizzes at the end of each section. They are at

Travel right now is very hard to justify, and even harder with flu questions, so we made access to SANS OnDemand 25% easier. You will save 25% on OnDemand registrations made between May 5 and June 15, 2009. More than 30 of SANS' most popular in-depth courses, each taught by the best instructor on that topic we have ever found, are available in the OnDemand program. If you want SANS training without traveling, check out the full list of OnDemand courses at or, if you have 25 or more people who could use live training, email to schedule SANS classes at your facility.


Cyber Intruders Claim to Hold Personal Health Data Hostage
Air Force Secure Windows Configuration Saved US $100 Million; Cuts Patching Time By 95%
DDoS Attacks Targeting Internet Infrastructure


Former IT Admin Admits to Deleting Organ Donation Data
Tenenbaum Agrees to US Extradition
Canada Placed on Priority Watch List Due to Intellectual Property Protection Concerns
Adobe Will Patch Zero-Day Flaw Next Week
Lexis Nexis and Investigative Professionals Breach Affects 40,000 People
Pirated Versions of Windows 7 Release Candidate Contain Trojan
EU Information Society Commissioner Recommends Breaking US Government Hold on ICANN
Researchers Observe Botnet Stealing 70 GB Of Data
Lime Group Chairman Explains Security Changes in Lime Wire 5 to Congress

********************* Sponsored By Tufin Technologies *******************

Slash Costs with Automated Firewall Security Audits

For security executives and administrators, Tufin SecureTrack is the key to fast, accurate firewall audits. Learn how you can reduce operating expense and increase network security by automating manual, repetitive firewall administration tasks and optimizing rulebases to improve performance.

Learn more - click for a free Tufin Polo shirt and a chance to win an Apple iPod Touch.



- - Application Security Workshop April 29, Washington DC
- - Toronto 5/5-5/13 (15 courses)
- - SANSFire in Baltimore 6/13-6/20 (24 long courses, 12 short courses)
- - New Orleans 5/5-5/10 (6 courses)
- - Pen Testing and Web App Summit - Looking for training in your own community?
For a list of all upcoming events, on-line and live:



Cyber Intruders Claim to Hold Personal Health Data Hostage (May 4, 2009)

A posting on claims that cyber attackers stole data on about eight million patients from the Virginia Department of Health Professionals' Virginia Prescription Monitoring Program website; they are demanding US $10 million in ransom for its return. The intruders claim to have encrypted the database and protected it with a password. That particular site is presently unavailable, as are several others related to the Virginia Department of Health Professionals. The ransom note says that if the money is not paid within seven days, the data will be offered for sale. Federal and state authorities are investigating.


[Editor's Note (Skoudis): Here's an interesting breach twist -- extortion. Enterprise incident handling personnel should brainstorm about how they would handle a scenario like this, at least identifying in advance the decision makers and legal personnel who would work this kind of issue. ]

Air Force Secure Windows Configuration Saved US $100 Million; Cuts Patching Time By 95% (April 30, 2009)

Former US Air Force CIO John Gilligan details the evolution of the agency's secure Windows configuration. In 2003, National Security Agency (NSA) penetration tests made mincemeat of the Air Force network; the majority of the intrusions were due to poorly configured software. In meetings with Microsoft CEO Steve Ballmer, the Air Force asked that the company develop a configuration of Windows XP that would be secure from the start. To determine what needed to be locked down, the Air Force went to the NSA and also called in the National Institute of Standards and Technology (NIST), the Defense Information Systems Agency and the Center for Internet Security. The single configuration drastically reduced the lag time between patches' availability and installation, from eight to 14 weeks or more to just 72 hours. The Air Force's program became the basis for the Federal Desktop Core Configuration program.
[Editor's Note (Pescatore): Reducing the number of desktop images from infinite to some small finite number always reduces patch time and increases security. However, reducing it down to such a locked down version that many business/mission roles can't use it (which is what the first FDCC image was) caused alternate images to multiply. What's been missing are FDCC configurations for standard role types - some progress made here recently.
(Paller): Role based configurations make sense; the key players are available at major agencies and NSA to establish those confidently. What will surprise them when they do is that the differences in configuration settings will be minuscule - approaching zero except for collaboration applications. The problem with the FDCC was that NIST added specific requirements - not used by the Air Force. Those requirements introduced the most critical incompatibilities. Then NIST told the Air Force they were out of compliance. NIST seems to be grasping defeat from the jaws of victory. When you have a working model like the one at the Air Force, use it and improve upon it, don't break it! ]

DDoS Attacks Targeting Internet Infrastructure (May 1, 2009)

Groups monitoring the frequency and magnitude of distributed denial of service (DDoS) attacks have noted a sharp increase in particularly virulent attacks in the last several months. The attackers also appear to be targeting critical Internet infrastructure systems more often. A March attack on cloud computing provider GoGrid lasted for several days and affected half of the company's 1,000 customers. Other attacks have targeted web hosting providers and The Planet as well as Brazilian Internet service provider (ISP) Telefonica. In most cases, the attacks persisted for several days and then ceased abruptly.

[Editor's Note (Skoudis): Given the large number of these types of attacks over a short period, it sounds to me like someone is testing the waters here. ]

*************************** Sponsored Links: ****************************

1) Zscaler EDUCATIONAL WEBCAST: Keynote by GARTNER'S Peter Firstbrook, "Newer Threats and Newer Defenses against Web 2.0"

2) Alert Logic webinar demonstrates how cloud computing makes log management better, faster, and cheaper.




Former IT Admin Admits to Deleting Organ Donation Data (May 1, 2009)

A former IT administrator at an organ and tissue donor bank has admitted to breaking into the organization's computer network and deleting data. Danielle Duann has pleaded guilty to felony computer intrusion for accessing the LifeGift computer network from a laptop computer at her home in November 2005 just days after she learned she had lost her job; she deleted organ donation database records and other information. She will pay US $94,200 in restitution and faces 10 years in prison and a US $250,000 fine when she is sentenced this summer. Duann's activity was detected by a third-party company that provided backup services for LifeGift.

[Editor's Note (Honan): In the current economic climate we will no doubt see more of these attacks by disgruntled ex-employees. Now is the time to act. Spend time to ensure your own termination processes and procedures are up to date and communicated clearly to all management and HR. ]


Tenenbaum Agrees to US Extradition (May 1 & 3, 2009)

Ehud Tenenbaum has agreed to be extradited to the United States to face charges in connection with an international payment card fraud scheme. He is currently being held in Canada, where he was arrested on charges of stealing CAD $1.8 million (US $1.5 million) from a company called Direct Cash. By agreeing to the extradition, Tenenbaum eliminates the possibility of facing additional charges in the US, which could have been included had he contested the order. The charges include credit card fraud and hacking. The scheme is believed to have netted US $10 million.


Canada Placed on Priority Watch List Due to Intellectual Property Protection Concerns (April 30 & May 4, 2009)

The Special 301 Report from the Office of the United States Trade Representative "is an annual review of the global state of intellectual property rights protection and enforcement." The report places Canada on the priority watch list of countries notorious for their lack of intellectual property protection, including China, Russia and Venezuela. In past years, Canada has been on the low level watch list; the move speaks to the US's frustration with Canada's lack of follow through on promises to enact new copyright laws.



Adobe Will Patch Zero-Day Flaw Next Week (May 4, 2009)

Adobe plans to push out a patch next week to address a zero-day flaw in Acrobat and Reader that could be exploited to create denial of service conditions or execute arbitrary code. Adobe will issue fixes for Reader and Acrobat versions 7, 8 and 9 for Windows and for versions 8 and 9 for Mac and Unix. Adobe has also acknowledged a second flaw in Reader for Unix that will be fixed in forthcoming Adobe Reader for Unix updates. Until the fixes are available, Adobe recommends disabling JavaScript in both Reader and Acrobat.
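The interim mitigation above (disable JavaScript in Reader and Acrobat until the patch ships) is a per-user preference, so an administrator will want to audit it across the versions installed rather than trust the dialog on one machine. The following PowerShell script is an added example for this newsletter item; it is not Adobe's tooling and not part of the original article. It assumes the preference is stored at HKCU\Software\Adobe\<Product>\<Version>\JSPrefs as a DWORD named bEnableJS (0 = disabled, 1 = enabled), which matches Adobe's documented preference layout for the 7.x to 9.x releases named in the item; verify the path on your own build before relying on it.

```powershell
# Added example (not from the newsletter or from Adobe): audit, and optionally set,
# the "Enable Acrobat JavaScript" preference for every installed Reader/Acrobat version.
# Assumption: HKCU\Software\Adobe\<Product>\<Version>\JSPrefs\bEnableJS (DWORD)
#             0 = JavaScript disabled, 1 (or value absent) = enabled, Adobe's default.
param(
    [switch]$Disable   # when present, write bEnableJS = 0 wherever it is not already 0
)

$products = @('Acrobat Reader', 'Adobe Acrobat')
$results  = @()

foreach ($product in $products) {
    $base = "HKCU:\Software\Adobe\$product"
    if (-not (Test-Path $base)) { continue }   # product not installed for this user

    # Each major version (7.0, 8.0, 9.0, ...) keeps its own preference subtree.
    foreach ($versionKey in Get-ChildItem -Path $base -ErrorAction SilentlyContinue) {
        $jsPrefs = Join-Path $versionKey.PSPath 'JSPrefs'

        # Absent key or value means the product default applies, which is JavaScript enabled.
        $current = 1
        if (Test-Path $jsPrefs) {
            $value = (Get-ItemProperty -Path $jsPrefs -Name 'bEnableJS' -ErrorAction SilentlyContinue).bEnableJS
            if ($null -ne $value) { $current = [int]$value }
        }

        if ($Disable -and $current -ne 0) {
            if (-not (Test-Path $jsPrefs)) { New-Item -Path $jsPrefs -Force | Out-Null }
            Set-ItemProperty -Path $jsPrefs -Name 'bEnableJS' -Value 0 -Type DWord
            $current = 0
        }

        $results += [pscustomobject]@{
            Product    = $product
            Version    = $versionKey.PSChildName
            JavaScript = if ($current -eq 0) { 'disabled' } else { 'ENABLED - exposed until patched' }
        }
    }
}

if ($results.Count -eq 0) {
    Write-Output 'No Adobe Reader or Acrobat preference keys found for this user.'
} else {
    $results | Format-Table -AutoSize
}
```

Run it without arguments to report the state for the current user, and with -Disable to apply the mitigation. Because this is an HKCU preference, a user can re-enable JavaScript from the Preferences dialog afterwards; the audit is therefore worth repeating until the vendor patch is deployed, and the setting should be reverted or re-evaluated once it is.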



Lexis Nexis and Investigative Professionals Breach Affects 40,000 People (May 1, 2009)

The United States Postal Inspection Service is investigating a data breach that affected customers of Lexis Nexis and Investigative Professionals. As many as 40,000 individuals are believed to be affected by the breach; of those, approximately 300 had their personal information used to make fraudulent credit card purchases. Affected customers have been notified by a letter that says the unauthorized access occurred between June 14, 2004 and October 10, 2007 and that compromised information included names, dates, and in some cases, social security numbers (SSNs). The letter also says that the perpetrators "were operating businesses that at one time were both ChoicePoint and Lexis Nexis customers."


Pirated Versions of Windows 7 Release Candidate Contain Trojan (May 4, 2009)

Reports are circulating that pirated versions of Windows 7 Release Candidate available on filesharing sites contain malware. The malware has been identified by one user as the Falder Trojan horse program, which plants scareware on PCs and uses a rootkit to evade detection by real antivirus packages. Microsoft is scheduled to release Windows 7 RC on Tuesday, May 5. Earlier this year, pirated copies of Apple's iWork '09 were found to contain malware that took control of Macs.


EU Information Society Commissioner Recommends Breaking US Government Hold on ICANN (May 4, 2009)

European Union (EU) Information Society Commissioner Viviane Reding has called for increased privatization of the Internet Corporation for Assigned Names and Numbers (ICANN). On September 30 of this year, an agreement under which ICANN operates with the US Department of Commerce will expire. Reding envisions "greater transparency and accountability in Internet governance" once the agreement expires this fall; the shift would "include ... an independent judicial body ... (and) a 'G12 for Internet Governance.'"




Researchers Observe Botnet Stealing 70 GB Of Data (May 4, 2009)

Researchers at the University of California at Santa Barbara were able to monitor a botnet's activity for 10 days before the command-and-control instructions were changed. The researchers observed as the botnet harvested 70 GB of data, including email passwords and online banking account information. The botnet, known as Torpig, Anserin and Sinowal, infected PCs through drive-by downloads when they visited compromised websites. The researchers are working with the FBI, the US Department of Defense and various ISPs to notify people affected by the data theft; ISPs are also shutting down some of the sites that have been used to send instructions to compromised machines.


Lime Group Chairman Explains Security Changes in Lime Wire 5 to Congress (May 1, 2009)

Lime Group chairman Mark Gorton told US legislators in a letter dated May 1, 2009 that Lime Wire 5, the most recent version of the company's file sharing software, is "the most secure file-sharing software available." Lime Wire 5 does not allow any files to be shared "without explicit permission from the user," even if the file had been shared in an older version of the software. Furthermore, it ignores document related file types by default to avoid the inadvertent sharing of sensitive data. Gorton's letter was written in response to renewed concern from legislators about inadvertent data leaks due to peer-to-peer (P2P) file sharing programs. In 2007, Gorton appeared at a congressional hearing on P2P software and said he would address security and privacy issues that were pointed out to him at that time. An April 20, 2009 letter to Gorton from the House Committee of Oversight and Government Reform maintains that "Lime Wire and other P2P providers have not taken adequate steps to address" the problems. Gorton's letter appears to refute that claim for his company's product.


House Committee Letter to Mark Gorton:
Gorton's response:

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.

Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit