Register now for SANS Cyber Defense Initiative 2016 and save $400.

Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XII - Issue #7

January 26, 2010


A note from Ed Skoudis:

There are so many articles in this edition of NewsBites that show how rapidly our threatscape is evolving. Rather than just skimming the news (as we all so often do given how busy we are), I strongly encourage NewsBites readers to set aside an hour or two to read through these stories in the next couple of days so that you can get a better idea of what we face. Then, spend some time contemplating what these changes mean for your organization and how you can better focus your security efforts.

Alan

TOP OF THE NEWS

Major US Oil Companies' Networks Infiltrated by Spies
No Easy Deterrent for Cyber Warfare
Chinese Human Rights Sites Hit With DDoS Attack

THE REST OF THE WEEK'S NEWS

Google Attack Fallout Underscores China's Culture of Censorship and Surveillance
China Denies Hacking Allegations; Accuses US
Study Shows US $100,000 Increase in Costs Associated With Average Breach
Judge Reduces Penalty in Jammie Thomas Filesharing Case
Thomas-Rasset Case Offers Glimmer of Hope to BU Student
Ladbrokes Data Breach
Italian Government Considering Law That Would Require Monitoring of Internet Content
RealPlayer Update
Boards.ie User Data Compromised
People Leaving USB Drives in Clothing Pockets, Say Cleaners


********************* Sponsored By netForensics, Inc. ********************

Hear ISF President & CEO, Prof. Howard Schmidt in this on demand webcast, Top Trends in 2010, recorded just prior to his recent appointment as head of the Whitehouse's CyberSecurity Initiative. This timely webcast includes how the threat landscape has evolved, actions effective in managing risk and key recommendations for an optimal defense strategy.

https://www.sans.org/info/53778

**************************************************************************

TRAINING UPDATE

-- SANS AppSec 2010, San Francisco, January 29-February 5, 2010
8 courses and bonus evening presentations, including Social Zombies: Your Friends Want to Eat Your Brains
https://www.sans.org/appsec-2010/
-- SANS Phoenix, February 14 -February 20, 2010
6 courses and bonus evening presentations, including The Art of Incident Response and Advanced Forensic Techniques: Catching Hackers on the Wire
https://www.sans.org/phoenix-2010/
-- SANS 2010, Orlando, March 6 - March 15, 2010
38 courses and bonus evening presentations, including Software Security Street Fighting Style
https://www.sans.org/sans-2010/
-- SANS Northern Virginia Bootcamp 2010, April 6-13
Bonus evening presentations include Safe Surfing: How to Surf the Net Without Getting PWND
https://www.sans.org/reston-2010/
-- SANS Security West 2010, San Diego, May 7-15, 2010
23 courses. Bonus evening presentations include Killer Bee: Exploiting ZigBee and the Kinetic World
https://www.sans.org/security-west-2010/
Looking for training in your own community?
https://sans.org/community/
Save on On-Demand training (30 full courses)
- See samples at https://www.sans.org/ondemand/
Plus Tokyo, Bangalore, Oslo and Dublin all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*************************************************************************

Major US Oil Companies' Networks Infiltrated by Spies (January 25, 2010)

Three major US oil companies were targeted by sophisticated espionage attacks in 2008; they were unaware of the scope of the problem until the FBI notified them in late 2008 and in 2009. The attacks appeared to be focused on stealing "bid data," valuable proprietary information about the location and likely yield of oil discoveries around the world. The attackers appear to have taken control of the companies' networks and sent data to computers elsewhere. In at least one instance, the data stream was traced to a computer in China, but there is no hard evidence linking that country's government to the attacks. The attacks are sophisticated, targeted, and surreptitious, suggesting that those behind the attacks are well organized and have ample support.
-http://www.csmonitor.com/USA/2010/0125/US-oil-industry-hit-by-cyberattacks-Was-C
hina-involved

Note that the SCADA Security Summit at the end of March in Orlando will provide in-depth information about how these intrusions and the comparably effective intrusions into electric power companies were carried out, the two primary defenses that can be arrayed, and methods of operating securely when your networks must be treated as "contested territory". The current tools and techniques being offered by control system vendors and most security vendors provide only a thin and ineffective layer of defense. Summit seats are being reserved faster than in any prior year. If you want to come, register at
-http://www.sans.org/scada-security-summit-2010/
[Editor's Note (Schultz): My experience with the petroleum industry leads me to believe that it is better than average in its information security practices. I now fear it is only a matter of time before other critical areas of this infrastructure will fall prey to similar attacks.

(Ullrich): Not good if the call from the FBI comes ahead of a call from your IDS department. ]

No Easy Deterrent for Cyber Warfare (January 26, 2009)

In a far ranging and insightful article, New York Times reporters Thom Shanker, David Sanger, and John Markoff analyze the United States' currents capabilities in deterring cyber attacks. Not very encouraging.
-http://www.nytimes.com/2010/01/26/world/26cyber.html?hp=&pagewanted=print

Chinese Human Rights Sites Hit With DDoS Attack (January 25, 2010)

Over the weekend, five Chinese human rights groups, including the Chinese Human Rights Defenders, experienced attacks on their websites. The sites were hobbled for 16 hours by a distributed denial-of-service (DDoS) attack. Malware placed on the sites prior to the attack is now being removed.
-http://news.cnet.com/8301-30685_3-10440342-264.html
-http://www.computerworld.com/s/article/9147938/Chinese_human_rights_sites_hit_by
_DDoS_attack?source=rss_security

-http://www.thetechherald.com/article.php/201004/5140/Chinese-human-rights-domain
s-hit-by-Denial-of-Service-attack


TOP OF THE NEWS

Major US Oil Companies' Networks Infiltrated by Spies (January 25, 2010)

Three major US oil companies were targeted by sophisticated espionage attacks in 2008; they were unaware of the scope of the problem until the FBI notified them in late 2008 and in 2009. The attacks appeared to be focused on stealing "bid data," valuable proprietary information about the location and likely yield of oil discoveries around the world. The attackers appear to have taken control of the companies' networks and sent data to computers elsewhere. In at least one instance, the data stream was traced to a computer in China, but there is no hard evidence linking that country's government to the attacks. The attacks are sophisticated, targeted, and surreptitious, suggesting that those behind the attacks are well organized and have ample support.
-http://www.csmonitor.com/USA/2010/0125/US-oil-industry-hit-by-cyberattacks-Was-C
hina-involved

Note that the SCADA Security Summit at the end of March in Orlando will provide in-depth information about how these intrusions and the comparably effective intrusions into electric power companies were carried out, the two primary defenses that can be arrayed, and methods of operating securely when your networks must be treated as "contested territory". The current tools and techniques being offered by control system vendors and most security vendors provide only a thin and ineffective layer of defense. Summit seats are being reserved faster than in any prior year. If you want to come, register at
-http://www.sans.org/scada-security-summit-2010/
[Editor's Note (Schultz): My experience with the petroleum industry leads me to believe that it is better than average in its information security practices. I now fear it is only a matter of time before other critical areas of this infrastructure will fall prey to similar attacks.

(Ullrich): Not good if the call from the FBI comes ahead of a call from your IDS department. ]

No Easy Deterrent for Cyber Warfare (January 26, 2009)

In a far ranging and insightful article, New York Times reporters Thom Shanker, David Sanger, and John Markoff analyze the United States' currents capabilities in deterring cyber attacks. Not very encouraging.
-http://www.nytimes.com/2010/01/26/world/26cyber.html?hp=&pagewanted=print

Chinese Human Rights Sites Hit With DDoS Attack (January 25, 2010)

Over the weekend, five Chinese human rights groups, including the Chinese Human Rights Defenders, experienced attacks on their websites. The sites were hobbled for 16 hours by a distributed denial-of-service (DDoS) attack. Malware placed on the sites prior to the attack is now being removed.
-http://news.cnet.com/8301-30685_3-10440342-264.html
-http://www.computerworld.com/s/article/9147938/Chinese_human_rights_sites_hit_by
_DDoS_attack?source=rss_security

-http://www.thetechherald.com/article.php/201004/5140/Chinese-human-rights-domain
s-hit-by-Denial-of-Service-attack


THE REST OF THE WEEK'S NEWS

Google Attack Fallout Underscores China's Culture of Censorship and Surveillance (January 25, 2010)

The recent disclosure of cyber attacks on Google and other US companies and the allegations that they originated in China has shined a spotlight on China's practices of surveillance and censorship that have been requirements for multinational companies wanting to conduct business in that country. In the wake of the attacks, Google announced that it will no longer filter search results and has suggested that it might pull out of China altogether if the government refuses to allow that.
-http://www.usatoday.com/tech/news/2010-01-23-googlechina25_cv_N.htm

China Denies Hacking Allegations; Accuses US (January 23 & 25, 2010)

The Chinese government has categorically denied allegations that it is behind a series of attacks on Google and other American companies. It has called accusations that it encouraged or sponsored the attacks "groundless." A Chinese official has said that a speech by US Secretary of State Hillary Clinton in which she asked that China investigate the attacks and spoke negatively about China's stranglehold on the free flow of information to its citizens could "undermine China-US relations."
-http://www.h-online.com/security/news/item/China-denies-involvement-in-attacks-o
n-Google-912636.html

-http://www.nytimes.com/2010/01/26/world/asia/26google.html?ref=technology
-http://www.cnn.com/2010/TECH/01/24/china.cyber.attacks/index.html?eref=rss_tech&
amp;utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+rss%2Fcnn
_tech+%28RSS%3A+Technology%29

-http://www.washingtonpost.com/wp-dyn/content/article/2010/01/22/AR2010012201090.
html

-http://www.nextgov.com/nextgov/ng_20100122_4585.php?oref=topnews
Update: China has now accused America of using "online warfare".
-http://www.guardian.co.uk/world/2010/jan/24/china-us-iran-online-warfare

Study Shows US $100,000 Increase in Costs Associated With Average Breach (January 25, 2010)

According to a study from the Ponemon Institute, the costs associated with data security breaches rose US $100,000 between 2008 and 2009, from US $6.65 million to US $6.75 million. The figures were formulated based on 45 reported breaches of sensitive customer data in 2009 at companies that were willing to discuss the incidents. The average cost per compromised record in 2009 was US $204, up just US $2 from 2008 figures, but over the five years that the study has been conducted, cost per record has increased $66. The factors considered in figuring the cost of a breach include cost of lost business; legal fees; disclosure expenses; consulting; and remediation. The study divides the breaches into three main causes: negligence, accounting for 40 percent of the incidents; system glitches, which account for 36 percent; and malicious attacks, which account for 24 percent.
-http://www.pcworld.com/businesscenter/article/187611/data_breaches_get_costlier.
html

[Editor's Note (Schultz): The results of this study are extremely significant. Previous studies by the CSI and FBI have shown that the average cost of security incidents has actually fallen over recent years. The CSI and FBI results may very well be valid, but they were based on *all* incidents reported by survey respondents. When senior management of organizations learned of these (the CSI and FBI study) results, they too often used them as justification for cutting or at least not increasing information security budgets. Data security breaches in and of themselves are, however, clearly another matter, as the Ponemon Institute results have shown. They should cause senior management to rethink what has too often amounted to their underestimation of the seriousness of security risks. ]

Judge Reduces Penalty in Jammie Thomas-Rasset Filesharing Case (January 22 & 25, 2010)

A US District Court judge in Minnesota has reduced the monetary penalty imposed on Jammie Thomas-Rasset for illegal filesharing from nearly US $2 million to US $54,000. Saying that "the need for deterrence cannot justify a US $2 million verdict," Judge Michael Davis called the US $1.92 million fine "monstrous and shocking," and says he would have reduced it even further if he could. The initial fine imposed on Thomas-Rasset was US $220,000, but she appealed that verdict and the subsequent trial resulted in the US $1.92 million penalty. Judge Davis also ordered Thomas-Rasset never to infringe on music copyright again and to delete all files she had obtained illegally.
-http://www.computerworld.com/s/article/9147501/Judge_reduces_2M_music_sharing_ve
rdict_to_54k?taxonomyId=17

-http://news.cnet.com/digital-media/8300-1023_3-93.html?keyword=Recording+Industr
y+Assocation+of+America

-http://www.wired.com/threatlevel/2010/01/judge-reduces-shocking-file-sharing-awa
rd/

-http://news.bbc.co.uk/2/hi/technology/8478305.stm

Thomas-Rasset Case Offers Glimmer of Hope to BU Student (January 25, 2010)

Boston University graduate student Joel Tenenbaum is cautiously hopeful that the significant reduction of damages levied against Jammie Thomas-Rasset will prompt the judge in his case to reduce the US $675,000 fine he is facing for illegal filesharing. Tenenbaum says that the fines imposed in both cases were based on a law intended to punish commercial copyright infringers, not individuals.
-http://www.computerworld.com/s/article/9148318/Student_facing_675k_music_piracy_
fine_hopeful_award_will_be_lowered?source=rss_security

Ladbrokes Data Breach (January 24 & 25, 2010)

A man claiming to represent a Melbourne, Australia company provided UK newspaper The Mail on Sunday with the names and other personal details of 10,000 people who were customers of the Ladbrokes bookmaking company and offered to sell them a database of information on 4.5 million people. The mail alerted Ladbrokes to the breach and turned over the list of 10,000 records to the Information Commissioner's Office (ICO). The data on the list do not include bank information or passwords. The man who gave the information to the mail claims to have worked as a security consultant for Ladbrokes several years ago.
-http://www.dailymail.co.uk/news/article-1245622/For-sale-Personal-details-millio
ns-Ladbrokes-gamblers.html

-http://www.theregister.co.uk/2010/01/25/ladbrokes_data_fail/

Italian Government Considering Law That Would Require Monitoring of Internet Content (January 22, 2010)

Italian Prime Minister Silvio Berlusconi's government has proposed legislation that would require all video uploaded to YouTube, blogs and news media outlets to be vetted for pornographic or excessively violent content. The law could go into effect as soon as February 4, 2010. Opponents say that not only would the law violate freedom of expression, but monitoring all content uploaded is virtually impossible.
-http://www.msnbc.msn.com/id/35017877/ns/technology_and_science-security/
[Editor's Note (Ullrich): Berlusconi runs a media empire that may feel threatened by the rise in user contributed video like YouTube. ]

RealPlayer Update (January 19 & 22, 2010)

RealNetworks has issued a security update to address 11 vulnerabilities in its RealPlayer media player. The US Computer Emergency Readiness Team (US-CERT) is encouraging users to apply the update. There are RealPlayer updates available for Windows, Mac and Linux users. RealNetworks is not aware of any attacks exploiting the vulnerabilities at this time. The 11 buffer and heap overflows could be exploited to put malware on users' computers.
-http://www.computerworld.com/s/article/9147540/RealPlayer_fix_addresses_11_secur
ity_bugs?source=rss_security

-http://www.h-online.com/security/news/item/Eleven-vulnerabilities-in-RealPlayer-
fixed-910996.html

-http://service.real.com/realplayer/security/01192010_player/en/
-http://www.us-cert.gov/current/index.html#realnetworks_inc_releases_updates_to

Boards.ie User Data Compromised (January 22, 2010)

Boards.ie (an Irish online community site) has reset passwords for all users following a cyber attack that compromised the security of usernames, email addresses and passwords. The site was offline for several hours on January 21. Users are urged to change passwords on other sites if they are the same as those they established on Boards.ie.
-http://www.theregister.co.uk/2010/01/22/irish_board_hack/
-http://news.bbc.co.uk/2/hi/uk_news/northern_ireland/8473824.stm

People Leaving USB Drives in Clothing Pockets, Say Cleaners (January 20, 2010)

A UK survey found that 4,500 USB drives have been found in people's clothing pockets when they were taken to dry cleaners. That number is half what it was a year earlier, but this could be explained by a shift to users downloading data to smartphones and netbooks as opposed to increased vigilance about data security. USB drive security was in the news recently when several manufacturers acknowledged a vulnerability in the access control mechanism of their devices.
-http://www.csoonline.com/article/519330/Taken_to_the_Cleaners


**********************************************************************

The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/