Register now for SANS Cyber Defense Initiative 2016 and save $400.

Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XII - Issue #34

April 30, 2010

TOP OF THE NEWS

Former San Francisco Admin Terry Childs Guilty of Computer Tampering
Prison Time for Snooping on Patient Records
Eight Year Sentence in Brokerage Account Hijacking Pump-and-Dump Scheme
UK National Cyber Security Challenge Seeks to Foster IT Security Talent

THE REST OF THE WEEK'S NEWS

Storm Variant Spreading
Study Says Application Security Not Adequately Funded
Telecoms and ISPs Must Inform Chinese Government of State Secret Leaks
Attack Exploits Buggy PDF Functionality
Guilty Plea Expected in Botnet-for-Hire Case
EU Ministers Propose Cyber Crime Center
Microsoft Re-Issues Faulty Patch
Legality of Raid on iPhone Journalist's Home Questioned


**************************** Sponsored By SANS **************************
At some of the larger hacker conferences, it can be difficult to get to know other attendees and the speakers as you get lost in the shuffle. With detailed sessions, informal breaks, and evening events, the SANS Penetration Testing & Vulnerability Assessment Summit is organized to support networking with other like-minded penetration testing and vulnerability assessment professionals, building relationships, participating in the community, and sharing best practices.

http://www.sans.org/info/58548
*************************************************************************

TRAINING UPDATE
-- SANS Security West 2010, San Diego, May 7-15, 2010 23 courses. Bonus evening presentations include Killer Bee: Exploiting ZigBee and the Kinetic World
http://www.sans.org/security-west-2010/

-- SANSFIRE 2010, Baltimore, June 6-14, 2010 38 courses. Bonus evening presentations include Software Security Street Fighting Style and The Verizon Data Breach Investigations Report
http://www.sans.org/sansfire-2010/

-- SANS Secure Europe Amsterdam 2010, June 21-July 3, 2010 8 courses.
http://www.sans.org/secure-amsterdam-2010/

-- SANS Rocky Mountain 2010, Denver, July 12-17, 2010 8 courses. Bonus evening presentations include Hiding in Plain Sight: Forensic Techniques to Counter the Advanced Persistent Threat
http://www.sans.org/rocky-mountain-2010/

-- SANS Boston 2010, August 2-8, 2010 11 courses. Special Events include Rapid Response Security Strategy Competition
http://www.sans.org/boston-2010/

-- SANS Network Security 2010, Las Vegas, September 19-27, 2010 39 courses.
http://www.sans.org/network-security-2010/

Looking for training in your own community? http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/spring09.php

Plus Geneva, Toronto, Singapore and Canberra all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
*************************************************************************

TOP OF THE NEWS

Former San Francisco Network Engineer Terry Childs Guilty of Computer Tampering (April 27 & 28, 2010)

Former San Francisco city network engineer Terry Childs has been found guilty of computer tampering. Childs has been in custody for nearly two years. He initially refused to provide the passwords necessary to access the system and surrendered them only when San Francisco Mayor Gavin Newsom met with Childs in his cell. A juror expressed sympathy for Childs's position, saying that "management did everything they possibly could wrong. There was ineffective management, ineffective communication." Childs refused to divulge the passwords because he feared those who wanted them could provide adequate system security. Childs's sentencing hearing is scheduled for June 14. One of the jurors, a senior network engineer, described why he found Childs guilty.
-http://www.theregister.co.uk/2010/04/28/sf_sysadmin_guilty/
-http://www.computerworld.com/s/article/9176114/Terry_Childs_juror_explains_why_h
e_voted_to_convict

-http://blogs.eweek.com/careers/content001/workplace_tech/terry_childs_guilty_ver
dict_is_a_warning_to_it_workers.html

-http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2010/04/28/BA4V1D5Q22.DTL
[Editor's Note (Pescatore): The real issue is the process and management failures that enabled one misguided person to have this level of impact. ]

Prison Time for Snooping on Patient Records (April 28, 2010)

Former healthcare system employee Huping Zhou has been sentenced to four months in prison for snooping into patient records. Zhou, who is a licensed surgeon in China, was working as a researcher at the UCLA School of Medicine. He began accessing patient files without authorization in 2003 after learning that he was going to be fired. Zhou is the first person to receive a prison sentence for violating provisions of the Health Insurance Portability and Accountability Act (HIPAA).
-http://www.scmagazineus.com/health-worker-is-first-hipaa-privacy-violator-to-get
-jail-time/article/168894/

-http://www.nbclosangeles.com/news/local-beat/Former-UCLA-Healthcare-Worker-Sente
nced-Prison-Snooping-92265634.html

[Editor's Comment (Northcutt): This is a big problem in hospitals; I remember they had to fire a number of employees for accessing Britney Spears and George Clooney's records and those are just the ones that got caught. If you work in a hospital and have a particularly neat solution to logging file access, I would appreciate it if you would drop me a quick note and tell me what you use (stephen@sans.edu). ]

Eight Year Sentence in Brokerage Account Hijacking Pump-and-Dump Scheme (April 27, 2010)

Jaisankar Marimuthu has been sentenced to nearly eight years in prison for breaking into online brokerage accounts and using them to manipulate stock prices. Marimuthu and his accomplices operated a pump and dump scheme out of Chennai and Thailand. Marimuthu pleaded guilty earlier this year to charges of conspiracy to commit wire fraud, securities fraud, computer fraud and aggravated identity theft. He was also ordered to pay nearly US $2.5 million in restitution to the 90 individuals and seven brokerages he victimized. Marimuthu, an Indian national, was arrested in Hong Kong last year and extradited to the US. One accomplice, Thirugnanam Ramanathan, received a two year sentence. but was deported to India before the sentence was completed; a third accomplice, Chockalingham Ramanathan, remains at large.
-http://www.computerworld.com/s/article/9176046/Man_gets_81_months_2.5M_fine_for_
stock_scheme?taxonomyId=82

UK National Cyber Security Challenge Seeks to Foster IT Security Talent (April 27 & 28, 2010)

The UK has launched its own Cyber Security Challenge to identify and train students with the interest and potential to become the next generation of cyber security specialists. Modeled after the US program of the same name, the challenge will involve cyber security exercises in network defense, forensics and web application vulnerabilities. The UK, like many countries, is experiencing a shortage of skilled IT security professionals.
-http://www.pcworld.com/businesscenter/article/195057/uk_kicks_off_program_to_rec
ruit_security_gurus.html

-http://www.zdnet.co.uk/news/jobs/2010/04/28/uk-wide-cyber-security-challenge-kic
ks-off-40088794/

-http://cybersecuritychallenge.org.uk/site/Press


************************ Sponsored Links: *****************************

1) Save $350 on the SANS Forensics and Incident Response Summit when you
book by May, 26 2010. http://www.sans.org/info/58558


2) Register for the SANS Security Architecture Summit by April, 28th
2010 and save $250. http://www.sans.org/info/585630

*************************************************************************

THE REST OF THE WEEK'S NEWS

Storm Variant Spreading (April 29, 2010)

Researchers have detected a new variant of the Storm worm. Storm infects computers with software that makes them part of a botnet. Storm was believed to have been largely eradicated over a year ago. The new variant appears to arrive bundled with phony anti-virus software. Infected computers are being used to send pharmaceutical spam. Experts say the new variant is not as resilient as the older version. Instead of communicating through a peer-to-peer system, this version of storm communicates through HTTP traffic and receives instructions from a single IP address hosted in the Netherlands.
-http://www.securecomputing.net.au/News/173327,storm-worm-making-comeback-with-ne
w-spam-run.aspx

-http://www.computerworld.com/s/article/9176074/Experts_say_new_Storm_worm_is_poo
rly_designed?source=CTWNLE_nlt_pm_2010-04-28

Study Says Application Security Not Adequately Funded (April 29, 2010)

A new study has found that despite evidence that application security is critical, just 18 percent of IT security budgets are allocated for application security. Seventy percent of respondents do not believe their organizations are allocating adequate resources to application security, and 55 percent say developers do not have time to fix security problems in existing applications. "The State of Application Security" report from the Ponemon Institute was commissioned by Imperva and WhiteHat Security. The report also notes that "the vast majority of attacks come through applications."
-http://darkreading.com/security/app-security/showArticle.jhtml?articleID=2247002
50&subSection=Application+Security

[Editor's Note (Schultz): I strongly disagree with the Ponemon Institute's statement that the vast majority of attacks are attacks against Web applications. Although it is true that many attacks are against Web applications, this institute has overlooked the huge number of attacks against users and Web browsers. It has also overlooked recent findings that the most frequently exploited vulnerabilities have been vulnerabilities in Adobe Reader. ]

Telecoms and ISPs Must Inform Chinese Government of State Secret Leaks (April 28 & 29, 2010)

China plans to tighten a current law to require telecommunications companies and Internet service providers (ISPs) to inform the government about individuals who discuss state secrets over their networks. The amendment to the Law on Guarding State Secrets states that "Information transmissions should be immediately stopped if they are found to contain state secrets," and that if state secrets have been found to be leaked, the companies must keep records of the incident and notify authorities. The definition of state secrets in China is quite broad; information such as maps and economic statistics could be considered prohibited for discussion.
-http://www.washingtonpost.com/wp-dyn/content/article/2010/04/27/AR2010042704503.
html

-http://www.msnbc.msn.com/id/36847600/ns/technology_and_science-security/
[Editor's Note (Pescatore): Gee, not much angst about net neutrality in China, huh? Of course, many look at the Patriot Act in the US and see similar wording that broadly addresses terrorism. Government monitoring of citizen communications is always a very slippery slope. ]

Attack Exploits Buggy PDF Functionality (April 28, 2010)

There are reports of an active malware attack that exploits an unpatched bug in the PDF format. The malware spreads through maliciously crafted PDF attachments and infects users' computers with malware known as Auraax or Emold. The messages appear to come from system administrators about mailbox setting changes. The malicious attachments exploit the PDF format's Launch function, which is not technically a vulnerability.
-http://www.computerworld.com/s/article/9176088/Major_malware_campaign_abuses_unf
ixed_PDF_flaw?taxonomyId=17

Guilty Plea Expected in Botnet-for-Hire Case (April 28, 2010)

David Anthony Edwards will plead guilty to charges that he and an accomplice launched a distributed denial-of-service (DDoS) attack with a botnet against an ISP to impress a potential customer. Edwards and Thomas James Frederick Smith allegedly built the botnet of 22,000 compromised PCs with the intention of selling its services to cyber criminals.
-http://www.computerworld.com/s/article/9176108/Texas_man_set_to_admit_building_b
otnet_for_hire?taxonomyId=17

-http://www.theregister.co.uk/2010/04/28/botnet_for_hire_guilty/

EU Ministers Propose Cyber Crime Center (April 27 & 29, 2010)

The EU Council of Ministers has announced plans to establish a cyber crime center that will have the authority to revoke domain names and IP addresses to help combat cyber crime. The UK already has a similar plan in place; Nominet has cooperated with the police in shutting down 1,200 domains last December. The Council of Ministers is also hopeful that the center will encourage police in EU member countries to share information in the fight against cyber crime.
-http://www.theregister.co.uk/2010/04/27/eu_cybercrime/
-http://www.eweekeurope.co.uk/news/ec-cybercrime-agency-to-combat-fraud-6763

Microsoft Re-Issues Faulty Patch (April 27, 2010)

Microsoft has released a new version of MS10-025, the security update that was ineffective in protecting computers from a remote code execution flaw in Windows 2000 computers running Windows Media Services. The original version of the fix, released on Tuesday, April 13, was pulled last week; the updated version was released on Tuesday, April 27. The flaw is rated critical, but affects only Windows 2000 users running Windows Media Services.
-http://www.pcworld.com/businesscenter/article/195072/microsoft_rereleases_botche
d_windows_2000_update.html

-http://www.microsoft.com/technet/security/bulletin/ms10-025.mspx

Legality of Raid on iPhone Journalist's Home Questioned (April 26, 27 & 28, 2010)

Questions have been raised about the legality of the warrant used in last week's raid on the home of a Gizmodo editor Jason Chen. Chen is a journalist for Gizmodo, which earlier this month published a story about a prototype next-generation iPhone that had been left in a bar. Gawker Media, which published Gizmodo, purchased the phone from a source for US $5,000, but has since returned the device to Apple. According to Electronic Frontier Foundation civil liberties director Jennifer Granick, the federal Privacy protection Act prevents the government from seizing items from journalists and other individuals who have the items for the purpose of communicating to the public. Even if the government believes the journalist committed a crime in obtaining or possessing the item, the item cannot be seized. The police seized four computers and two servers, an iPhone, digital cameras, checking account records and a printed copy of an email. Examination of the seized items has been put on hold until San Mateo county chief deputy district attorney Steve Wagstaffe issues a legal memo. In a related story, the man who found the phone in the bar and sold it to Gizmodo now says he regrets not having done more to return it to Apple.
-http://www.wired.com/threatlevel/2010/04/iphone-raid/
-http://news.bbc.co.uk/2/hi/technology/10089786.stm
-http://news.cnet.com/8301-13579_3-20003539-37.html?tag=mncol;txt
-http://www.sfgate.com/cgi-bin/blogs/techchron/detail?entry_id=62491


**********************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/