Don't Miss Pen Test Hackfest Summit & Training, November 2-9 near DC!

Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XI - Issue #73

September 15, 2009

The 2009 Top Cyber Risks Report came out this morning. Best risk report ever. Combines attack data (TippingPoint) with vulnerability data (Qualys), both covering thousands of enterprises, to provide an authoritative description of the two cyber risks that matter most, and adds Internet Storm Center analysis and scenarios. Even SANS faculty said the new report taught them a lot. Offers hard evidence that companies and agencies are focusing their defensive dollars in the wrong places. Coverage in New York Times and Business Week and Slashdot and CSO and 50 other pubs. (To find them, Google top security risks in the News). Actual report is posted at



Report Shows Taking Down Small Power Subnetwork Could Cause Significant Outages
Australia's Internet Industry Association Issues Draft eSecurity Code
Proposed Legislation in California Clarifies Breach Notification Requirements


DoD Analyst Charged With Unauthorized System Access
Ads on New York Times Website Serving Up Scareware
Trojan Horse Program Uses Google Groups as Command and Control Channel
Microsoft Update Limits AutoRun Functionality
Linux Botnet
Gonzalez Guilty Plea Settles Two of Three Indictments
Attacker Claims to Have Exploited SQL Injection Vulnerability at RBS WorldPay
Cyber Thieves Stole Payment Card Data From Indiana Bank Customers
Man Draws Six Month Sentence for Unauthorized Background Checks

*************************** Sponsored By HP ***************************

Participate in a 24-hour live hacking challenge! Join application security experts from around the world at HP's virtual conference Sept 29-30. Attend live and on-demand sessions, chat with experts and download the latest information on application security, cloud security, Web 2.0 and more. "HP Functionality, Performance & Security Testing in today's application realities."

Register Now.



- -- SANS Chicago North Shore, Oct. 26-Nov. 2,
- -- SCADA Security Summit, Stockholm, Oct. 27-30,
- -- SANS San Francisco, November 9-14,
- -- SANS London, UK, Nov.28-Dec. 9,
- -- SANS Sydney, Nov.9-14
- -- SANS CDI, Washington DC, Dec. 11-18,
- --Looking for training in your own community?
Save on On-Demand training (30 full courses)
- See samples at
- -- For a list of all upcoming events, on-line and live:



Report Shows Taking Down Small Power Subnetwork Could Cause Significant Outages (September 14, 2009)

The US Department of Homeland Security (DHS) is taking a close look at a report from a Chinese research scientist that posits that "a well-placed attack against a small power subnetwork could trigger a cascading failure of the entire West Coast power grid." Cascading failures caused the August 2003 blackout in the northeast US. The purpose of the study, conducted by Jian-Wei Wang and his colleagues at Dalian University of Technology in Liaoning, was to uncover the weak spots in networks that could trigger cascading failures. The researchers expected to find that highly loaded networks posed the greatest risk, because if they went offline, the demand put on smaller networks would be overwhelming. Surprisingly, the team discovered that in certain conditions, "taking out a lightly loaded subnetwork first" took out more of the grid.


Australia's Internet Industry Association Issues Draft eSecurity Code (September 11 & 14, 2009)

Australia's Internet Industry Association (IIA) has published a draft of an eSecurity Code aimed at protecting citizens from online threats. The voluntary code of practice makes numerous suggestions, including having Internet service providers (ISPs) notify subscribers whose computers are infected with malware and in some cases, disconnect those computers from the network. Under the plan as drafted, ISPs would first notify the subscribers and offer them help cleaning the malware from their machines. Recommendations to cut off Internet access would be made only when customers have refused to take action against known problems or if their computers are being used to conduct malicious activity that consumes substantial resources.

[Editor's Note (Schultz): I very much like what the Australian IIA is proposing. Given that most users are not capable of (or perhaps better said, are indifferent towards) securing their systems, having ISPs monitor their systems and provide assistance when systems become infected with malware makes perfect sense. ]

Proposed Legislation in California Clarifies Breach Notification Requirements (September 11, 2009)

Legislation awaiting the governor's signature in California would require that data breach notification letters include specific information about the incident, including what type of information was compromised, and entities experiencing breaches that affect 500 or more individuals provide a copy of the notification letter to the state attorney general's office.

************************ Sponsored Links: ****************************

1) IBM Security Management Solutions Manage the volume & complexity of corporate governance regulations. Learn from the Service Management Resource Center.

2) NetWitness provides next generation security solutions that help organizations discover, prioritize and remediate complex IT risks.

3) WEBCAST: Defending against Web 2.0 and Browser Hacks & Attacks. Can SaaS Web Security Deliver Higher Protection & Lower Cost? Keynote by Peter Firstbrook of Gartner



DoD Analyst Charged With Unauthorized System Access (September 14, 2009)

A US Defense Department analyst has been charged with gaining unauthorized access to a protected computer or exceeding authorized access and obtaining classified information. Brian Keith Montgomery said he did not notice a warning message "that only authorized participants of that operation were permitted to access that system" when he logged on to the system. According to an affidavit from a Defense Criminal Investigative Service agent, Montgomery caused harm to the investigation, the US Army and the FBI merely by accessing the system in question. The system was being used as part of a terrorism investigation.
[Editor's Note (Skoudis) Saying that you didn't notice the warning message is a pretty weak excuse, especially if it is succinct and clearly worded. Also, it's quite disturbing to think of personnel in that line of work just poking around systems in their environment. (Northcutt): How many times have you heard a news story and the root problem was access control? ]

Ads on New York Times Website Serving Up Scareware (September 14, 2009)

The New York Times has warned that rogue advertisements on its website were serving scareware over the weekend. The malware creates pop-up boxes which warn users that their computers are infected and provides links that lead to pages where they can purchase products that will allegedly remedy the problem. In fact, the products are either ineffective or infect users' machines with more malware. As a result of the incident, The New York Times has changed its policy on advertisements served directly from advertisers' websites.



Trojan Horse Program Uses Google Groups as Command and Control Channel (September 11 & 14, 2009)

The Grups Trojan horse program uses Google groups as a command and control channel. Grups requests a page from a certain private newsgroup to get instructions. Information gathered from examining the Trojan indicates that it is a prototype in the process of being tested. While news groups have been used to distribute malware, this is believed to be the first instance of such a group being used as a command and control channel, according to Symantec, which discovered the Grups Trojan.


[Editor's Note (Pescatore): Bot-net generation malware has been using all kinds of communication channels, from Twitter to news groups to more generic drop/search/find mechanisms using blog comment fields, etc. Yet more black list signature approaches (IP address/URL reputations) will not be sufficient - the executables themselves have to be dealt with. ]

Microsoft Update Limits AutoRun Functionality (September 14, 2009)

Last month, Microsoft issued "an update that changes the AutoRun functionality in Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008." The AutoRun feature is often exploited to install malicious software on computers. The update does not affect all devices; CD and DVD drives will continue to operate as they did before.
[Editor's Note (Skoudis): In the aftermath of Conficker, I'm shocked that Microsoft is still twiddling with the AutoRun feature. I'm hoping this new update will finally address the problem, but I won't hold my breath. ]

Linux Botnet (September 12 & 14, 2009)

A network of infected Linux servers is being used to distribute malware. All of the compromised machines are serving legitimate content through the Apache webserver and at the same time are running the nginx webserver and serving malicious content through port 8080. The Linux server botnet is connected to a botnet of home computers. The network is presently believed to comprise approximately 100 nodes.

[Editor's Note (Skoudis): When I first saw this, I thought: "How cute! A baby bot-net of only 100 nodes." But, then, I started to consider the damage a determined attacker could do with a network of highly stable bots on a very flexible underlying platform. It's not so cute at all. ]

Gonzalez Guilty Plea Settles Two of Three Indictments (September 11 & 12, 2009)

Albert Gonzalez has pleaded guilty to 20 charges of conspiracy, computer fraud, wire fraud, access device fraud and aggravated identity theft in connection to data thefts at TJX, BJ's wholesale club, OfficeMax, Barnes & Noble and other retailers. The cyber heists netted Gonzalez and his accomplices tens of millions of credit and debit card numbers. The plea settles charges from an indictment handed down in Massachusetts and one handed down in New York. The deal he agreed to with prosecutors could have him in prison for up to 25 years. He is still facing charges in New Jersey for allegedly stealing payment card information from Heartland Payment Systems and several other companies. A defense attorney maintains that Gonzalez was not the ringleader in that case.




Attacker Claims to Have Exploited SQL Injection Vulnerability at RBS WorldPay (September 11, 2009)

A attacker claims to have exploited an SQL injection vulnerability in a web application to gain access to the RBS WorldPay database. RBS WorldPay says the attacker accessed a test website with a database containing dummy data, and that no merchant or consumer information was ever compromised. The attacker disputes that statement. Nonetheless, the flaws have been fixed. The same attacker has exposed similar vulnerabilities on the HSBC France and UK Parliament websites.

Cyber Thieves Stole Payment Card Data From Indiana Bank Customers (September 11, 2009)

Investigators say that cyber thieves stole debit card numbers from customers of People's Saving and Trust Bank in Boonville, Indiana. The numbers were used in fraudulent transactions across the country. The bank will reimburse customers for losses incurred as a result of the data theft if they fill out police reports. The banks' systems were not breached; the information was stolen from a third-party company. Customers whose accounts have been compromised are being urged to close those accounts.

Man Draws Six Month Sentence for Unauthorized Background Checks (September 10, 2009)

An Illinois man has been sentenced to six months in jail for abusing his position as director of a county emergency dispatch agency to conduct unauthorized background checks. Steven R. Cordes ran the checks as a favor to his girlfriend, who was concerned about the people with whom her teenage daughter was spending time. He pleaded guilty to official misconduct. He will pay US $4,666 in restitution to the company he worked for and will serve 30 months probation following his release from jail.


The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College,

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.

Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit