OnDemand Includes 4 Months Access to Course Content - Special Offers Available Now!

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XII - Issue #25

March 30, 2010

Free Forensics Tool that rivals the commercial tools: SANS faculty fellow Rob Lee created the SANS Investigative Forensic Toolkit (SIFT) Workstation for use by students in the Computer Forensic Investigations and Incident Response course (FOR 508) in order to show that advanced investigations and investigating hackers can be accomplished using freely available open-source tools. Now he is making it available to everyone who has to do forensics. You can find it at: http://computer-forensics.sans.org/ Look under the Community Tab -> Select Downloads Note: When thousands of people are downloading SIFT at the same time, the network slows down; please be patient.



Security Flaws Found in Smart Meters
DNS Error Extends Great Firewall of China
Calls for Greater Cooperation in the Fight Against Cybercrime


Microsoft to Release Out of Band Emergency Bulletin for Internet Explorer
Loan Records for 3.3 Million Students Stolen
Found USB Stick Contains Sensitive Data
Frenchman Arrested for Hacking Twitter
Former Student Guilty of Hacking School Payroll
Removing Administrator Rights Stops Majority of Windows Bugs
Chinese City is World's Hacking Capital

*************************** Sponsored By SANS **************************
The 2010 European Community Digital Forensics and Incident Response Summit April 19-20 is a user-to-user, non-commercial conference on What Works in Forensics & Incident Response right in your neighborhood. Learn methods for ensuring practical and accurate incident response and computer forensics for incidents, and hear users share the lessons they've learned. http://www.sans.org/info/57428

-- SANS Northern Virginia Bootcamp 2010, April 6-13 Bonus evening presentations include Safe Surfing: How to Surf the Net Without Getting PWND http://www.sans.org/reston-2010/

-- SANS Security West 2010, San Diego, May 7-15, 2010 23 courses. Bonus evening presentations include Killer Bee: Exploiting ZigBee and the Kinetic World http://www.sans.org/security-west-2010/

-- SANSFIRE 2010, Baltimore, June 6-14, 2010 38 courses. Bonus evening presentations include Software Security Street Fighting Style and The Verizon Data Breach Investigations Report http://www.sans.org/sansfire-2010/

-- SANSFIRE Rocky Mountain 2010, Denver, July 12-17, 2010 8 courses. Bonus evening presentations include Hiding in Plain Sight: Forensic techniques to Counter the Advanced Persistent Threat http://www.sans.org/rocky-mountain-2010/

-- SANS Boston 2010, June 6-14, 2010 11 courses http://www.sans.org/boston-2010/

Looking for training in your own community? http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/spring09.php

Plus Dubai, Geneva, Toronto, Singapore and Amsterdam all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org/index.php


Security Flaws Found in Smart Meters (26th March 2010)

A security researcher, Joshua Wright of InGuardians, has identified a number of security vulnerabilities with the smart meters a number of US utilities are rolling out to their customers. The vulnerabilities, which could be exploited remotely via wireless technology or by physically tampering with the meter, include the ability to ramp up peoples' bills and to shut off their power. The research, which was commissioned by a three power utility companies, discovered vulnerabilities in all five of the makers of meters submitted for testing. So far eight million smart power meters have been installed within the United States with that number reaching 60 million by 2020.


[Editors' Note (Paller and Schultz): The US utility industry has rushed to install smart meters, completely trusting the meter manufacturers to ensure they are secure, predictably without systematically analyzing the security risks involved and without verifying the vendor's efforts were effective against known threats. ]

DNS Error Extends Great Firewall of China (25th March 2010)

Problems with a root DNS Server in China caused computers in the United States and Chile to come under the control of the Great Firewall of China, resulting in requests to sites such as Facebook, Twitter and YouTube to be redirect to Chinese servers. Once the server, operated by the Swedish service provider Netnod, was disconnected from the Internet, the problem was resolved. The problem was first noticed by NIC Chile, that noticed that several ISPs were providing faulty DNS information. China uses DNS to enforce its Great Firewall and somehow the affected ISPs were using this DNS information. Netnod claims that their server did not contain the faulty data that redirected traffic and security experts believe that it must have been altered by the Chinese government.



[Editor's Note (Schultz): Depending on how you look at it, the government of the People Republic of China is either a "good guy" or a "bad guy." Either way, it is clear that this government excels in spying on information from other countries far better than other countries spy upon China.
(Northcutt): This is really worth your time to read and keep in mind that you have a host table and it is consulted first by default on many operating systems. Consider putting your VPN concentrator, mail server etc in your host table. As I understand it, this is not such a new thing for China, here is a similar event in 2002:
And of course there was some discussion about filtering during the Olympics in 2008:

Calls for Greater Cooperation in the Fight Against Cybercrime (26th March 2010)

The fifth annual Council of Europe (CoE) conference on cybercrime is taking place this week in Strasbourg, France. During the conference delegates are looking at a number of ways to tackle the growing threat of cybercrime. These include greater cooperation between law enforcement and industry, ICANN to tighten up controls on domain name registration processes and for a worldwide implementation of the CoE's Convention on Cybercrime. A total of 29 countries, which includes the USA and a number of European countries, have already ratified the convention, which was first introduced in 2001. Nineteen other countries have signed the convention but have yet to ratify it. The convention provides guidelines to countries that wish to introduce legislation against cybercrime and also provides a framework for international cooperation.

*************************** Sponsored Links ***************************
1) Sign up today for SANS Webcast: Database Monitoring - Beyond Compliance to Pro-active Information Protection sponsored by NitroSecurity. Go to:

2) Thanks to the hundreds of people who participated in the assessment of CISA, CEH, SSCP and other DoD 8570 certification candidates. Winners include Ann Marie Keim of NASA, Don Prince, Southern Co., and Norahana Salimin of Cybersecurity Malaysia.


Microsoft to Release Out of Band Emergency Bulletin for Internet Explorer (29th March 2010)

Microsoft has announced that it will release an emergency out of band security bulletin, MS10-018, on Tuesday 30th March to address vulnerabilities in Internet Explorer versions 6 and 7. Microsoft has taken the unusual step of releasing the emergency bulletin in response to publicly disclosed a vulnerability in the iepeers.dll library and deciding that "an out-of-band release is needed to protect customers". The disclosed vulnerability does not impact Internet Explorer 8. The bulletin will also contain fixes for nine other vulnerabilities which Microsoft had originally planned to release on 13 April.

[Editor's Note (Cole): While patching is essential, this story reinforces the fact that patching is ineffective without solid configuration management with end point security, consisting of a behavioral HIPS solution with complementary white listing. ]

Found USB Stick Contains Sensitive Data (29th March 2010)

A USB stick has been found on a pavement in Stoke-on-Trent in England containing sensitive information on children in care. The USB stick was not encrypted and contained dozens of documents belonging to the Stoke-on-Trent council, which included records of foster carers, child custody arrangements, psychological history of children and family court proceedings. Storing information on USB sticks without encrypting it is against council policy and the council has stated "We will conduct a thorough investigation to determine the circumstances in which the data was lost." In response the UK's Information Commissioner's office has said "We may serve an enforcement notice if an organisation has failed to comply with any of the data protection principles. We have statutory power to impose a financial penalty if there has been a serious breach of data protection."


Frenchman Arrested for Hacking Twitter (24th March 2010)

French police have arrested a 25 year old unemployed man on suspicion of hacking into a number of administrator accounts belonging to the micro-blogging site, Twitter. French police believe the suspect, who uses the online name of Hacker Croll, gained access to the accounts by simply guessing the answers to the password reset questions. Once he had access to the administrator accounts, the suspect also accessed the Twitter accounts of well known people such as President Obama and singers Britney Spears and Lily Allen. Should he be convicted, the suspect could face up to 2 years in prison and a fine of EUR30,000 (US $40,395)


Former Student Guilty of Hacking School Payroll (25th March 2010)

Christopher Berge, a 21 year old man, was sentenced to ten years in prison after pleading guilty to charges relating to a security breach of Vancouver Public Schools' payroll data. Berge, who was a former student at Evergreen Public School, gained access to the payroll data after shoulder surfing the password of an employee at Evergreen while he was still a student there. Using that password, Berge as able to access the student records system of Evergreen and from there gain access to the Vancouver Public Schools' payroll system which was housed on the same server. The breach resulted in the school district spending approximately US $30,000 in direct and indirect costs to investigate and develop controls to prevent it occurring again. It also resulted in the personal data of more than 5,000 people being put at risk of identity theft.

Removing Administrator Rights Stops Majority of Windows Bugs (29th March 2010)

A recent study demonstrates that 90 per cent of all vulnerabilities reported in Microsoft Windows 7 would have been mitigated had users been using an ordinary account rather than one with administrative rights. The study from BeyondTrust also states that of all the 190 vulnerabilities published by Microsoft in 2009, restricting administrator rights for users would have mitigated all vulnerabilities in Microsoft Office, all vulnerabilities in Internet Explorer 8, 94% of all vulnerabilities in all other versions of Internet Explorer and 64 per cent of all Windows vulnerabilities.

Chinese City is World's Hacking Capital (28th March 2010)

Researchers based in Symantec studied over 12 billion emails and identified that almost 30% of all malicious emails are sourced from within China and that 21.3% came from the Chinese city of Shaoxing alone. The researchers were also able to identify that the primary targets for these malicious emails were human rights activists and experts in Asian defence policy, which they claim indicates a strong state involvement in the attacks. The research shows that 28.2% of the targeted attacks came from China, with 21.1% coming from Romania and the United States coming in as the third highest source of malicious emails.

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.

Alan Paller is director of research at the SANS Institute

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/