SANS NewsBites - Volume: X, Issue: 95


SANS 2009 Annual Conference and Training Program will be held in Orlando in early March. It includes the largest selection of SANS courses ever held, and all taught by our top rated teachers. Also includes the largest security tools expo and extensive networking programs through evening sessions, lunch & learns, and more. This is the one program that you need to register early for because courses fill up more quickly than for any other training conference. http://www.sans.org/sans2009
Alan

*************************************************************************
SANS NewsBites                     December 05, 2008                    Volume: X, Issue: 95
*************************************************************************
TOP OF THE NEWS

  Just Two Percent of PCs are Fully Patched
  Texas PI License Requirement Law is Having Unforeseen Consequences
  Sweden Considering Law That Would Identify Habitual Illegal Downloaders

THE REST OF THE WEEK'S NEWS

  LEGAL ISSUES
   Judge Hears Case Challenging Constitutionality of FISA Amendments Act
  GOVERNMENT SYSTEMS AND HOMELAND SECURITY
   Former Government Contractor Pleads Guilty to Stealing Laptops
  MALWARE
   ChromeInject Trojan Targets Firefox Users
   Koobface Virus Hits Facebook
  UPDATES AND PATCHES
   Microsoft Will Issue Eight Security Bulletins on December 9
   Sun Update for Windows Addresses At Least 14 Security Flaws
  DATA LOSS & EXPOSURE
   Army Notifies 6,000 of Possible Data Loss
  ATTACKS
   Online Payment Site Domain Hijacked
  MISCELLANEOUS
   Apple Removes Antivirus Recommendation Advisory


******************** Sponsored By Alert Logic, Inc. *********************

Vendors have begun offering log management in-the-cloud (or Software-as-a-Service) as a way to simplify and reduce the cost of log management. This white paper from Jerry Shenk of SANS presents some questions to consider when deciding between an in-house or an in-the-cloud solution for log management. http://www.sans.org/info/36174

*************************************************************************

TRAINING UPDATE

- - SANS CDI in Washington (12/10-12/16) 30 courses; big security tools expo; lots of evening sessions: http://www.sans.org/cdi08/
- - Las Vegas (1/24-2/01) http://sans.org/securitywest09/
- - Looking for training in your own Community? http://sans.org/community/
For a list of all upcoming events, on-line and live: www.sans.org

*************************************************************************

TOP OF THE NEWS

Just Two Percent of PCs are Fully Patched (December 3 & 4, 2008)
According to statistics gathered by Secunia, 98 percent of PCs are running at least one unpatched program. The figures were extrapolated from a sample of roughly 20,000 PCs scanned over the past week by the company's Personal Software Inspector 1.0. Approximately 30 percent of the PCs had between one and five unpatched programs, 25 percent had between six and ten, and 45 percent had 11 or more. The results are slightly worse than those from a similar Secunia survey in January 2008.
-http://www.scmagazineuk.com/Report-Nearly-all-computer-users-running-insecure-programs/article/121946/
-http://www.heise-online.co.uk/news/Secunia-publishes-shocking-vulnerability-statistics--/112137
-http://secunia.com/blog/37/


Texas PI License Requirement Law is Having Unforeseen Consequences (December 4, 2008)
Recent legislation in Texas that requires people performing computer forensics to be licensed private investigators has had some unforeseen consequences. Because of the wording of the law, anyone who collects and evaluates electronic records for use in a court of law must hold a private investigator's license. A judge in Texas recently ruled that a company operating a red-light camera system, which identifies drivers who run red lights at intersections, was acting illegally because it does not hold a PI license. Citizens are now challenging the validity of traffic tickets that were issued on the strength of the cameras' evidence.
-http://legal-beagle.typepad.com/wrights_legal_beagle/2008/12/e-discovery-forensics-private-investigator-license-for-computer-data-collection-and-assessment.html



Sweden Considering Law That Would Identify Habitual Illegal Downloaders (December 4, 2008)
Proposed legislation in Sweden would allow music and movie companies to obtain court orders to discover the identities of individuals suspected of downloading digital content in violation of copyright laws. The government said that occasional downloaders of copyrighted material will not be identified to the companies. The proposed law requires parliamentary approval. Several other European countries, including Sweden's neighbors Denmark and Finland, already have similar laws in place.
-http://www.google.com/hostednews/ap/article/ALeqM5iMUvi5Gm3535xaN8wRNTb6uUlliQD94RSUCO0




************************* SPONSORED LINK ******************************

1) Learn about using/implementing automated log management technologies at the Log Management Summit April 6-7. http://www.sans.org/info/36179

*************************************************************************

THE REST OF THE WEEK'S NEWS

LEGAL ISSUES


Judge Hears Case Challenging Constitutionality of FISA Amendments Act (December 3, 2008)
A District Court Judge in California has heard arguments in a case challenging the constitutionality of the FISA (Foreign Intelligence Surveillance Act) Amendments Act (FAA), which was passed last July. The Electronic Frontier Foundation (EFF) argued that the amended FISA violates Americans' First and Fourth Amendment rights as well as the constitutionally established separation of powers within the federal government. The point of contention is the provision of the FAA that grants telecommunications companies that cooperated with US government wiretap requests after the 2001 terrorist attacks retroactive immunity from lawsuits. Lawyers for the US Department of Justice argued that the information such suits would expose must remain secret to protect national security. Judge Vaughn Walker did not say when he expects to rule on the case.
-http://www.securityfocus.com/brief/865


GOVERNMENT SYSTEMS AND HOMELAND SECURITY


Former Government Contractor Pleads Guilty to Stealing Laptops (December 3, 2008)
A former US government contract worker has pleaded guilty to theft of government property. Darryl R. Lyles stole at least 89 laptop computers, a projector and other equipment from the Government Accountability Office (GAO) and attempted to sell the stolen equipment on Craigslist. Another man, who bought most of the laptops and resold them on eBay, has not been charged. Lyles is expected to be sentenced to 18 to 24 months in prison.
-http://www.washingtonpost.com/wp-dyn/content/article/2008/12/03/AR2008120302122_pf.html



MALWARE


ChromeInject Trojan Targets Firefox Users (December 4, 2008)
Researchers have detected a Trojan horse program that targets only Firefox users. Trojan.PWS.ChromeInject.A installs itself in the Firefox plug-ins folder and uses JavaScript to detect when the user visits one of a list of specific banking websites; it then captures the login credentials entered there and sends them to a server in Russia. Computers become infected either through drive-by downloads or when users are tricked into downloading the malware themselves.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9122419&source=rss_topic17
-http://www.theregister.co.uk/2008/12/04/firefox_plug_in_trojan/
-http://www.heise-online.co.uk/security/FireFox-plug-in-harvests-web-passwords--/news/112147



Koobface Virus Hits Facebook (December 4, 2008)
The Koobface virus is spreading through the messaging system of the social networking site Facebook. The malware attempts to harvest sensitive financial information, such as credit card numbers. Koobface spreads through messages that appear to come from a friend and invite the recipient to view a movie clip. Recipients who click the link are taken to a website that asks them to download what purports to be Flash Player but is actually a copy of the malware. Because of the way Facebook is structured, users tend to trust messages that arrive from within the social network. Koobface can also hijack search results, redirecting infected computers to pages of the attackers' choosing. The malware hit MySpace earlier this year but has since been eradicated from that network. Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=5437
-http://www.usatoday.com/tech/news/computersecurity/2008-12-04-facebook-virus_N.htm?csp=34
-http://www.masshightech.com/stories/2008/12/01/daily44-Boston-media-members-hit-by-Facebook-virus.html



UPDATES AND PATCHES


Microsoft Will Issue Eight Security Bulletins on December 9 (December 4, 2008)
Microsoft's final set of security updates for 2008 will comprise eight bulletins, six of which are rated critical. The bulletins will address vulnerabilities in Microsoft Windows, Internet Explorer, Microsoft Office, Microsoft Server Software and Microsoft Developer Tools and Software. Five of the eight will require restarts. There are indications that one of the Windows fixes addresses a privilege elevation vulnerability that Microsoft first acknowledged in April and that has been actively exploited since October. The bulletins will be released this coming Tuesday.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9122521&source=rss_topic17

-http://www.microsoft.com/technet/security/bulletin/ms08-dec.mspx


Sun Update for Windows Addresses At Least 14 Security Flaws (December 3, 2008)
Sun Microsystems has released an update for Java that addresses at least 14 vulnerabilities. Sun has not published detailed information about the flaws fixed in Java 1.6.0_11. The update also addresses 34 non-security issues. The update is for Windows users; Mac OS X users will have to wait for Apple, which maintains its own Java distribution for Mac OS X, to ship a corresponding update.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9122281&source=NLT_PM&nlid=8

-http://java.sun.com/javase/6/webnotes/6u11.html


DATA LOSS & EXPOSURE


Army Notifies 6,000 of Possible Data Loss (December 2, 2008)
The US Army waited nearly two months to notify approximately 6,000 people that their personally identifiable information may have been stored on a laptop computer that was reported missing on October 4, 2008. Officials knew for certain that the names, Social Security numbers (SSNs), medical data and other information of at least 26 people were on the missing computer, but could not determine whether the information of the nearly 6,000 others was on it as well. The computer was reportedly in an employee's backpack that was lost at a train station in Nuremberg, Germany. Officials indicated that encryption software was installed on the laptop.
-http://www.stripes.com/article.asp?section=104&article=59159


ATTACKS


Online Payment Site Domain Hijacked (December 3, 2008)
There are reports that the online bill-payment site CheckFree has been the victim of a domain hijacking attack. The attack has been traced to an IP address with a history of criminal use, including hosting botnet command-and-control channels and drive-by malware download sites. CheckFree took steps to fix the problem earlier this week. According to several organizations that track malicious hosts, other web addresses are also being directed to that IP address. Although the redirection could have been accomplished through DNS cache poisoning, the evidence indicates that it was done by surreptitiously altering the domains' records at the registrar level.
-http://www.theregister.co.uk/2008/12/03/checkfree_hijacked/
-http://voices.washingtonpost.com/securityfix/2008/12/hackers_hijacked_large_e-bill.html?nav=rss_blog
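The distinction drawn in the item above, between records altered at the registrar and records poisoned in a resolver cache, is the one a monitor for your own domains has to make. The following Python script is an added example written for this issue; it is not code from the original item or from CheckFree. The two lookup functions, the domain names and the addresses are constructed so that it runs offline; in practice the lookups would wrap a walk down the delegation chain from the TLD servers (what `dig +trace` does) and a query against the recursive resolver your users rely on.

```python
"""DNS change monitor for domains you operate: flags altered NS/A records
and distinguishes a hijack at the registrar/zone level from resolver-cache
poisoning.

Added illustration, not code from the NewsBites item or from CheckFree. The
two lookup callables are injected so the example runs offline; in a real
deployment they would wrap (a) a query that walks the delegation from the TLD
servers down, as `dig +trace` does, and (b) a query to the recursive resolver
your users actually use. Every domain, name server and IP address below is
constructed for the example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet

Answers = Dict[str, FrozenSet[str]]      # e.g. {"NS": {...}, "A": {...}}
Lookup = Callable[[str], Answers]        # domain name -> answers

RECORD_TYPES = ("NS", "A")


@dataclass(frozen=True)
class Finding:
    domain: str
    verdict: str    # "ok" | "zone_changed" | "resolver_poisoned"
    detail: str


def _diff(expected: FrozenSet[str], observed: FrozenSet[str]) -> str:
    """Human-readable set difference for the alert text."""
    return (f"added={sorted(observed - expected)} "
            f"removed={sorted(expected - observed)}")


def check_domain(domain: str, baseline: Answers,
                 authoritative: Lookup, recursive: Lookup) -> Finding:
    """Compare live answers with the known-good baseline.

    Order matters: a change visible when walking the delegation chain means
    the registrar/zone data itself was altered (a domain hijack). Only if that
    view is clean do we blame a recursive resolver that disagrees with it,
    which is what cache poisoning looks like from the outside.
    """
    auth = authoritative(domain)
    for rtype in RECORD_TYPES:
        observed = auth.get(rtype, frozenset())
        if observed != baseline[rtype]:
            return Finding(domain, "zone_changed",
                           f"{rtype} via delegation chain: "
                           f"{_diff(baseline[rtype], observed)}")

    rec = recursive(domain)
    for rtype in RECORD_TYPES:
        observed = rec.get(rtype, frozenset())
        if observed != baseline[rtype]:
            return Finding(domain, "resolver_poisoned",
                           f"{rtype} at recursive resolver only: "
                           f"{_diff(baseline[rtype], observed)}")

    return Finding(domain, "ok",
                   "delegation chain and recursive resolver match baseline")


# --- constructed sample data (hypothetical domains and addresses) ----------
# Known-good records captured when the domains were last verified by hand.
BASELINE: Dict[str, Answers] = {
    "pay.example": {"NS": frozenset({"ns1.pay.example", "ns2.pay.example"}),
                    "A": frozenset({"203.0.113.10"})},
    "bank.example": {"NS": frozenset({"ns1.bank.example"}),
                     "A": frozenset({"203.0.113.20"})},
    "shop.example": {"NS": frozenset({"ns1.shop.example"}),
                     "A": frozenset({"203.0.113.30"})},
}

# What the delegation walk returns today: pay.example has been re-delegated
# to attacker-controlled name servers and now points at a hostile address.
_AUTHORITATIVE_TODAY: Dict[str, Answers] = {
    "pay.example": {"NS": frozenset({"ns1.attacker.example"}),
                    "A": frozenset({"198.51.100.66"})},
    "bank.example": BASELINE["bank.example"],
    "shop.example": BASELINE["shop.example"],
}

# What the users' recursive resolver returns: shop.example's A record is wrong
# there even though the zone itself is intact.
_RECURSIVE_TODAY: Dict[str, Answers] = {
    "pay.example": _AUTHORITATIVE_TODAY["pay.example"],
    "bank.example": BASELINE["bank.example"],
    "shop.example": {"NS": BASELINE["shop.example"]["NS"],
                     "A": frozenset({"198.51.100.99"})},
}


def sample_authoritative(domain: str) -> Answers:
    """Stand-in for a delegation walk (constructed data)."""
    return _AUTHORITATIVE_TODAY[domain]


def sample_recursive(domain: str) -> Answers:
    """Stand-in for a query to the users' recursive resolver (constructed)."""
    return _RECURSIVE_TODAY[domain]


def run_monitor(baseline: Dict[str, Answers] = BASELINE,
                authoritative: Lookup = sample_authoritative,
                recursive: Lookup = sample_recursive) -> Dict[str, Finding]:
    """Check every baselined domain; returns findings keyed by domain."""
    return {d: check_domain(d, b, authoritative, recursive)
            for d, b in baseline.items()}


if __name__ == "__main__":
    for finding in run_monitor().values():
        print(f"{finding.domain:14} {finding.verdict:18} {finding.detail}")
```

The baseline must be captured from a trusted vantage point and re-verified whenever you intentionally change DNS, otherwise every legitimate migration looks like a hijack. Checking the delegation chain first is deliberate: a registrar-level change is the more serious finding, because every resolver on the Internet will eventually pick it up once caches expire.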



MISCELLANEOUS


Apple Removes Antivirus Recommendation Advisory (December 2 & 3, 2008)
Apple has taken down a support notice recommending that users install multiple antivirus programs on their Macs. Apple said it removed the notice "because it was old and inaccurate," and that Macs have "built-in technologies" to protect them from malware and other security threats, while adding that extra protection might not hurt. The article recommending antivirus software was originally published last year.
-http://www.securityfocus.com/brief/866
-http://www.newsoxy.com/apple/article11414.html
-http://news.cnet.com/8301-1009_3-10111958-83.html?part=rss&subj=news&tag=2547-1009_3-0-20

-http://news.bbc.co.uk/2/hi/technology/7760344.stm
[Editor's Note (Schultz): Apple needs to quit flip-flopping regarding whether anti-malware software needs to run on Macs. Many serious malware-related threats against Macs exist. Apple's waffling with respect to recommending what to do about these threats is a huge disservice to the Mac user community.
(Honan): Apple seriously needs to get with the security program. No system is immune from security threats and users should take all necessary precautions. My fear is that Apple removed this page from their website so as not to undermine their TV advert in which Apple mocks PCs for having to have anti-virus software.]


*************************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Ron Dick headed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.


Alan Paller is director of research at the SANS Institute


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/