SANS NewsBites Vol. 10 Num. 88

From: The SANS Institute (NewsBitessans.org)
Date: Fri Nov 07 2008 - 13:56:46 CST


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

*************************************************************************
SANS NewsBites November 7, 2008 Vol. 10, Num. 88
*************************************************************************
TOP OF THE NEWS
  White House Computers Hacked: Multiple Times
  Presidential Campaign Systems Attacked, Files Stolen
  Lords Approve Amendment to Allow Removal of Some DNA Evidence From
     Database
  Prescription Management Company Receives Extortion Threat
THE REST OF THE WEEK'S NEWS
  LEGAL ISSUES
    US Chess Federation Board Member Sued for Alleged Unauthorized eMail
       Access
  ARRESTS, CHARGES, CONVICTIONS & SENTENCES
    LA Traffic Engineers Plead Guilty to Disrupting Traffic Signals
    Former Intel Employee Faces Additional Charges for Alleged
       Theft of Trade Secrets
    Man Faces Charges for Allegedly Modifying Sniffer Used in Massive
       Data Theft Case
    Guilty Pleas in Connection With Citibank ATM Card Fraud
    Prison Sentence for Opening Former Employer's Mail Server to Spammers
  UPDATES AND PATCHES
    Microsoft to Issue Two Patches on November 11
    Adobe Updates Acrobat and Reader
  MISCELLANEOUS
    Technology Inserts Ads in Copyrighted Uploads

*********************** Sponsored By Q1 Labs ****************************

Enterprise Log Management for Incident Handlers

Does your organization collect logs from your critical devices? Do you
truly know how to leverage these logs during or after an incident? Log
on to this webcast and learn effective log analysis techniques for
incident handling as well as forensic analysis and reporting within your
organization.
http://www.sans.org/info/35144
*************************************************************************
TRAINING UPDATE
- - SANS CDI in Washington 30 courses; big security tools expo; lots of
evening sessions: http://www.sans.org/cdi08/
- - London (12/1- 12/9) http://sans.org/london08/
- - Vancouver (11/17-11/22) http://www.sans.org/vancouver08/
- - Las Vegas (1/24-2/01) http://sans.org/securitywest09/
- - Orlando SANS SCADA Security Summit http://www.sans.org/scada09_summit
and in 100 other cities and online any time: www.sans.org
*************************************************************************

TOP OF THE NEWS
 --White House Computers Hacked: Multiple Times
(Today, November 7)
The Financial Times reported last night that two government officials
confirmed multiple penetrations of White House computers have been
discovered. Most speculation about the identity of the hackers focuses
on Chinese government sponsorship. Also in this story are references
to other major penetrations, such as those against the computers that
support Defense Secretary Gates, computers at major companies in the
defense industrial base, and computers at both the Obama and McCain
campaigns.
http://www.ft.com/cms/s/0/2931c542-ac35-11dd-bf71-000077b07658.html
[Editor's Note (Paller): This story is part of a growing wave of public
disclosure of the deep and pervasive (and mostly continuing) penetration
of computers in government, in the defense industrial base, and in the
critical infrastructure. A culture of compliance has lulled government
and industry leaders into cyber complacency - a complacency that ends
for each of them the day they discover that malicious outsiders have
controlled their computers for months and they cannot find the extent
of the infections. The person who ran security for the US missile
defense organization described the challenge earlier this week, saying,
"the problem is that the people responsible for security think that
security must be easy because they successfully passed a security
certification exam. It's harder than they think." Many of them are
blind to the attacks, lacking the skills to establish strong early
warning systems and tough defenses, to find the attackers who evaded
those defenses, to uncover the persistent presence, and to recover fully
in a way that does not open them up for re-infection. Many think that
if their organization has passed a compliance review, they are secure.
They are not interested in learning (or in relying upon people who have
learned) the specialized security skills that they are missing. A small
ray of hope: the President demanded that the specialized security skills
gap be closed in his Presidential National Security Directive 54,
establishing the multi-billion-dollar Comprehensive National Cyber
Initiative.]

 --Presidential Campaign Systems Attacked, Files Stolen
(November 5, 2008)
The computer systems of both major party US presidential candidates were
reportedly compromised by a "foreign entity." IT people at the Obama
campaign earlier this summer believed they had been hit with
run-of-the-mill malware, but later learned that "a serious amount of
files [were] loaded off [their] system." The McCain campaign's computer system was
similarly attacked. Investigators speculate that the attackers were
gathering intelligence on both candidates' policy positions.
Internet Storm Center: http://isc.sans.org/diary.html?storyid=5291
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=212000820
http://www.newsweek.com/id/167581

 --Lords Approve Amendment to Allow Removal of Some DNA Evidence From Database
(November 5 & 6, 2008)
The UK House of Lords has approved an amendment to the Counter-Terrorism
Bill that would allow innocent people to apply to have their biometric
information removed from national databases. The data, which include
DNA and fingerprints, are gathered during investigations, but are
presently retained even when the individuals have been cleared of
wrongdoing.
http://news.zdnet.co.uk/security/0,1000000189,39543009,00.htm
http://www.publicservice.co.uk/news_story.asp?id=7602
[Editor's Note (Schultz): Given that until now few assurances of the
national UK biometrics database security have been given, this bill
represents a major step forward for UK citizens.]

 --Prescription Management Company Receives Extortion Threat
(November 6 & 7, 2008)
Express Scripts, a company that manages prescription benefits for
approximately 50 million individuals through thousands of clients, has
received a threat that customer records will be exposed unless the
company pays a ransom. In a letter turned over to federal
investigators, the extortionists included personally identifiable
information of 75 people, all of whom have been notified. The exposed
data include birth dates, Social Security numbers (SSNs) and some
prescription details.
http://www.nytimes.com/2008/11/07/business/07data.html?partner=rssnyt&emc=rss&pagewanted=print
http://ap.google.com/article/ALeqM5jdqiki6koBq7ZGmecrtfzKIMsboQD949MQ881
http://www.esisupports.com/
[Editor's Note (Paller): Credit card data has been the "currency" for
thousands of cyber extortions reaping hundreds of millions of dollars
for criminals, because ecommerce and banking companies will pay dearly
to avoid having their clients know that they could not protect the
sensitive information with which they were entrusted. This case shows
that the criminals may have decided that health records are a second
good lever for extortion. If the US hopes to take advantage of health
data automation in order to provide universal coverage at lower costs,
the security of healthcare data will have to be improved. HIPAA
compliance just doesn't cut it.]

************************* SPONSORED LINK ******************************
1) Join Control System Security peers to learn current issues - SCADA &
Process Control Security Summit February 2-3.
http://www.sans.org/info/35149
*************************************************************************

THE REST OF THE WEEK'S NEWS
LEGAL ISSUES
 --US Chess Federation Board Member Sued for Alleged Unauthorized eMail Access
(November 5, 2008)
A member of the United States Chess Federation is facing a lawsuit
brought by the organization, alleging that she accessed email messages
sent between other board members and a lawyer without authorization.
Susan Polgar and her husband Paul Truong, who is also a board member,
were sued by another board member in October 2007 for allegedly making
offensive posts in his name on Internet bulletin boards. The suit was
ultimately dismissed. While the suit was pending, a specially-created
US Chess Federation subcommittee hired an attorney to investigate the
claims; the investigation determined that Truong was responsible for
making the posts in question. Polgar quoted directly from email
communication between the subcommittee and the attorney in messages to
the board and on her own web site. She maintains she found the email
messages on the Internet but did not access them without authorization.
http://www.nytimes.com/2008/11/05/crosswords/chess/05chess.html?_r=1&oref=slogin&ref=crosswords&pagewanted=print

ARRESTS, CHARGES, CONVICTIONS & SENTENCES
 --LA Traffic Engineers Plead Guilty to Disrupting Traffic Signals
(November 5 & 6, 2008)
Two City of Los Angeles (California) traffic engineers have pleaded
guilty to illegally accessing a city computer. Gabriel Murillo and
Kartik Patel admitted that they disrupted the traffic light control
computer system shortly before a union action. The two used stolen
supervisor credentials to disconnect signal control boxes at some of the
city's busiest intersections, then manipulated the system so other
managers could not reconnect the lights. The terms of their plea
agreement dictate that they will pay restitution, serve 120 days in jail
or 240 hours of community service and submit to having their home and
work computer use monitored.
http://www.theregister.co.uk/2008/11/06/traffic_control_system_sabotage/
http://www.latimes.com/news/local/la-me-engineers6-2008nov06,0,3327448.story
[Editor's Note (Northcutt): A chilling element of this story: the first
time they went to court and pleaded not guilty, they were gratified that
a large number of city workers supported their cause; someone could have
been killed:
http://cbs2.com/local/Traffic.Signals.Los.2.526583.html ]

 --Former Intel Employee Faces Additional Charges for Alleged
Theft of Trade Secrets
(November 6, 2008)
Former Intel design engineer Biswamohan Pani, who was earlier charged
with theft of trade secrets from his former employer before he left for
a job at a competing company, has been indicted on additional charges
of wire fraud. Pani allegedly stole more than 100 pages of documents,
including more than a dozen files that contained processor chip
design information. The stolen information is estimated to be worth US
$1 billion in R&D costs. Pani began working for Intel competitor AMD
before he had officially separated from Intel. If he is convicted, Pani
could face 190 years in prison for the trade secrets charge, and 20
years for each of the wire fraud charges. According to prosecutors, AMD
was not aware that Pani possessed the documents and did not benefit from
them.
http://news.cnet.com/8301-1009_3-10083671-83.html
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9119358&source=rss_topic17
http://www.usatoday.com/tech/news/2008-11-06-amd-intel_N.htm?csp=34
[Editor's Comment (Northcutt): For Intel employees, this is a nightmare
security scenario; they had even encrypted the documents. It will be
interesting to learn the details of the breach. The Computerworld
story values the information at 1 billion, and I do not doubt that for
a second. If the allegations in the indictment prove to be true, this
is a very bad boy: http://regmedia.co.uk/2008/11/06/amd
paniindictment.pdf ]

 --Man Faces Charges for Allegedly Modifying Sniffer Used in
Massive Data Theft Case
(October 29 & November 5, 2008)
Federal prosecutors have charged Stephen Watt with conspiracy for
allegedly modifying a sniffer program for Albert Gonzalez, the man who
masterminded a massive data theft scheme that resulted in the theft of
financial account information from the computer networks of numerous
companies, including TJX. If he is convicted, Watt could face up to
five years in prison and a US $250,000 fine.
http://www.theregister.co.uk/2008/11/05/hacker_indicted/
http://www.cybercrime.gov/wattCharge.pdf

 --Guilty Pleas in Connection With Citibank ATM Card Fraud
(November 5, 2008)
Three people have pleaded guilty to charges of federal conspiracy and
access device fraud for their roles in a scheme that used stolen
Citibank ATM card information to steal US $2 million. Ivan Biltse,
Angelina Kitaeva and Yuriy Rakushchynets (aka Yuriy Ryabinin) are just
three of 10 suspects charged in the case earlier this year. The group
allegedly broke into a server that processes ATM transactions from
7-Eleven cash machines.
http://blog.wired.com/27bstroke6/2008/11/three-plead-gui.html

 --Prison Sentence for Opening Former Employer's Mail Server to Spammers
(November 4, 2008)
An IT manager has been sentenced to a year and a day in prison for
breaking into his former employer's mail server and reconfiguring it as
an open relay, which caused it to be used to send spam and caused email
traffic from the company's servers to be blacklisted. Steven Barnes was
fired from his position as IT manager at Blue Falcon Networks, now known
as Akimbo Systems, in April 2003 after seven months on the job; his
termination was related to his addiction to alcohol and cocaine. Barnes
also admitted to deleting the company's Microsoft Exchange email
database and the mail server's core boot files. He later accessed the
servers again and changed the domain name.
http://www.theregister.co.uk/2008/11/04/it_manager_turns_exemployer_email_server_open_relay/
http://www.techworld.com/security/news/index.cfm?newsID=106507

UPDATES AND PATCHES
 --Microsoft to Issue Two Patches on November 11
(November 6, 2008)
Microsoft plans to release two security bulletins on Tuesday, November
11, 2008. One of the bulletins is rated critical; the other is rated
important. The critical bulletin addresses security issues in XML Core
Services in Windows and Microsoft Office; the important bulletin
addresses security issues in Windows. Both could be exploited to allow
remote code execution.
http://news.cnet.com/8301-1009_3-10084063-83.html?part=rss&subj=news&tag=2547-1009_3-0-20
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9119400&source=rss_topic17
http://www.microsoft.com/technet/security/bulletin/ms08-nov.mspx

 --Adobe Updates Acrobat and Reader
(November 4 & 5, 2008)
Adobe has released security updates for Adobe Reader and Adobe Acrobat
to address flaws that could be exploited to gain control of vulnerable
computers. The flaws affect versions 8.1.2 and earlier of the products.
Adobe Reader 9 is not vulnerable to these flaws. There have not been any
reports of the vulnerabilities being exploited in the wild, but because
the flaws have been rated critical, users are urged to update to version
8.1.3 or 9 as soon as possible.
Internet Storm Center: http://isc.sans.org/diary.html?storyid=5297
http://www.theregister.co.uk/2008/11/04/adobe_reader_flaw/
http://voices.washingtonpost.com/securityfix/2008/11/adobe_issues_critical_acrobat.html?nav=rss_blog
http://www.heise-online.co.uk/security/Several-critical-holes-closed-in-Adobe-Reader-8-and-Acrobat-8--/news/111878
http://www.adobe.com/support/security/bulletins/apsb08-19.html

MISCELLANEOUS
 --Technology Inserts Ads in Copyrighted Uploads
(November 3, 2008)
MySpace and MTV Networks plan to begin testing software that
automatically places advertisements on video clips uploaded by users
that are deemed to be violating copyright laws. Such technology could
change the face of the copyright issue by allowing people to upload
content and allowing copyright holders to derive income from that
content. YouTube already has a similar technology in place that allows
users who upload copyrighted content to choose between inserting
advertisements or removing the clips; 90 percent of users elect to add
the ads.
http://technology.timesonline.co.uk/tol/news/tech_and_web/article5074961.ece

*************************************************************************
The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Ron Dick headed the National Infrastructure Protection Center (NIPC) at
the FBI and is the incoming President of the InfraGard National Members
Alliance - with 22,000 members.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.

Will Pelgrin is Chief Information Security Officer of New York State,
chair of the Multi-State Information Sharing and Analysis Center and
co-chair of the National ISAC Council.

Ed Skoudis is co-founder of InGuardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for
InGuardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Mark Weatherford, CISSP, CISM, is Executive Officer of the California
Office of Information Security and Privacy Protection.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Brian Honan is an independent security consultant based in Dublin,
Ireland.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)

iEYEARECAAYFAkkUg2kACgkQ+LUG5KFpTkYUXQCfYGrSxqXkX3aCG7NJU4xNegJj
TUMAn068Tnvz5WE/zAP4VQMqH6qGk82+
=G8Ig
-----END PGP SIGNATURE-----