FLASH: The Internet Storm Center reported a new Windows zero-day vulnerability early this morning. It is critical even without code execution: a single packet can remotely shut down a Windows host.
The top of the news this week has three stories about useful resources.
Corrected Update on the European SCADA Security Summit (Stockholm October 27-30): Real-world case studies of smart metering and virtualization in control systems have just been added, with insights into the security repercussions of both. Also, the US Department of Homeland Security's Control Systems Security Program is offering free courses and tools. Info and registration at
Security Company in China Will Make Gigantic Malware Database Available to Others
KnownSec, a Chinese security company, has built a gigantic database of malware and malware infections in China and will make it available to others. The data are gathered by a crawler that visits almost two million sites each day. KnownSec keeps a history of the events observed at each site, a list of all sites infected at any given time, and information about each virus and worm discovered. CEO Zhao Wei has announced that KnownSec will share the database with incident response teams. -http://www.first.org/newsroom/releases/20090703a.html
Apache Issues Incident Report About Recent Attack (August 28 & September 3, 2009)
Administrators at the Apache Software Foundation have posted a detailed account of a security breach that forced them to temporarily shut down their website. The attackers gained root access to one server and destroyed its logs, so the admins had to piece together what happened from other evidence. The attackers appear to have obtained root on that server by exploiting a known vulnerability in the Linux kernel; a fix had already been released, but it had not yet been applied to this server. The incident report lists, among the problems the incident illuminated, that SSH keys were not appropriately restricted and that poor data backup procedures were in use. Among the practices that worked well were "redundant services in two locations allow(ing them) to run services from an alternate location" and "a non-uniform set of compromised machines (that) made it difficult for the attackers to escalate privileges on multiple machines." As a result of the intrusion, Apache plans to generate new host keys with a minimum length of 4096 bits and may also introduce centralized logging. -http://www.theregister.co.uk/2009/09/03/apache_website_breach_postmortem/ -https://blogs.apache.org/infra/entry/apache_org_downtime_report -http://isc.sans.org/diary.html?storyid=7030 [Editor's Note (Ullrich and Honan): This is an excellent analysis of how the attack happened and how other systems can be used by attackers to target your core systems. Thanks Apache. We wish we would see more reports like this to be able to learn from others' experiences. ]
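Two of the report's lessons, unrestricted SSH keys and the move to 4096-bit host keys, can be checked and applied with stock OpenSSH tooling. The script below is an added example written for this summary; it is not code from the Apache report, the ASF infrastructure team or SANS. It audits an authorized_keys file for entries that carry no from= or command= restriction, builds a restricted entry for a backup-pull key of the kind the report describes, and generates a 4096-bit RSA host key. The rrsync path, /srv/backup, the host names and the sample key lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example; not code from the Apache report or from SANS. Audits an OpenSSH
# authorized_keys file for keys that carry no from= or command= restriction (the
# weakness the report names), builds a restricted entry for a backup key, and
# generates a 4096-bit RSA host key. The rrsync path, /srv/backup, the host
# names and the sample keys are assumptions constructed for this example.

# audit_authorized_keys FILE
# Prints "UNRESTRICTED <comment>" for each entry whose options field contains
# neither from= nor command=. Returns 1 if any such entry exists, else 0.
audit_authorized_keys() {
    awk '
        /^[ \t]*(#|$)/ { next }                   # comments and blank lines
        {
            # The options field, if any, is everything before the key-type token.
            if (!match($0, /(^|[ \t])(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp[0-9]+)[ \t]/)) next
            opts = substr($0, 1, RSTART - 1)
            if (opts !~ /(^|,)(from|command)=/) { print "UNRESTRICTED " $NF; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# restricted_entry SOURCE_HOST PUBKEY_LINE
# Wraps a public key so it is only accepted from SOURCE_HOST, can only run the
# forced command, and gets no port forwarding, agent forwarding, X11 or tty.
# rrsync is the read-only rsync wrapper shipped in rsync's support/ directory;
# its install path and the /srv/backup tree are assumed here.
restricted_entry() {
    printf 'from="%s",command="/usr/bin/rrsync -ro /srv/backup",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s\n' "$1" "$2"
}

# generate_host_key PATH
# 4096-bit RSA host key, the minimum length the report says Apache will adopt.
generate_host_key() {
    ssh-keygen -t rsa -b 4096 -N '' -f "$1"
}

# Constructed sample file: one properly restricted backup key, one bare key.
demo_dir=$(mktemp -d)
cat > "$demo_dir/authorized_keys" <<'EOF'
# backup pull by a third-party host (constructed sample)
from="backup.example.org",command="/usr/bin/rrsync -ro /srv/backup",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDexample1 backup@backup.example.org
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDexample2 admin@laptop
EOF
audit_authorized_keys "$demo_dir/authorized_keys" || echo "unrestricted keys found; wrap them with restricted_entry"
restricted_entry backup.example.org 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDexample2 admin@laptop'
rm -rf "$demo_dir"
```

The audit treats a key as restricted only if its options field names where it may connect from or what it may run; a key restricted to a forced rsync command from one source address is of little use to someone who lifts it from a less-trusted third-party host, which is the path the editors' note warns about. Run generate_host_key against each host key path in sshd_config after the audit and redistribute the new public keys to clients' known_hosts.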
H1N1 Pandemic Preparedness Papers from SANS Technology Institute degree Candidates
If you are trying to decide how prepared you and your IT systems are for an H1N1 pandemic, you'll want to read the mini-thesis submitted by Jim Beechey and Rob VandenBrink as part of their candidacy for Master of Science in Security Engineering at the SANS Technology Institute. It's really well done and has an associated PowerPoint presentation you will find useful for educating others. -http://www.sans.edu/resources/pandemic-preparedness/
Chinese News Sites Requiring Commenters to Log On With True Identities (September 6, 2009)
Computer users wishing to comment on Chinese news websites must now log on with their real names and identification numbers; the sites imposed the requirement to meet a confidential directive from China's State Council Information Office. Previously, users could log in to most news sites anonymously, although sites still screened posts and users could be traced through the IP addresses associated with their comments. Chinese authorities maintain the change will foster increased "social responsibility" and "civility"; however, news stories about the requirement have been suppressed. -http://www.nytimes.com/2009/09/06/world/asia/06chinanet.html?_r=1&ref=technology&pagewanted=print [Editor's Note (Northcutt): This seems reasonable to me. We are learning that the new world of "every person is a journalist" needs to come with a sense of responsibility for the words that we post. There are certainly places where anonymous posting needs to be possible, but not necessarily news outlets. ]
Older Versions of WordPress Blogging Software Vulnerable to Worm Attack (September 5 & 7, 2009)
[Editor's Note (Ullrich): WordPress is not alone. Web applications like WordPress continue to be a problem. Patching them is frequently hard as they are not covered by regular operating system patch protocols. Finding solutions to inventory and patch them is critical. ]
Amazon Offers to Restore Animal Farm and 1984 to Kindle Users' Devices (September 5, 2009)
Amazon is offering Kindle owners whose copies of Animal Farm and 1984 were removed from their devices without notice earlier this summer the choice of having the books restored or receiving a US $30 credit. Amazon deleted the books from users' devices after it learned that the entity making the editions available did not hold the rights to the works. In July, Amazon chief Jeff Bezos apologized for the way the matter was handled, calling it "stupid, thoughtless, and painfully out of line with our principles." -http://www.informationweek.com/news/hardware/handheld/showArticle.jhtml?articleID=219501472 [Editor's Note (Northcutt): Amazon demonstrated a powerful form of censorship. You can buy the book, Amazon can take the book from you at any time. They can track which books you buy, which books you read, what page you are on. Kindle all you like my friends, I am sitting this one out.]
Some Web Monitoring Software Collects and Sells Chat Contents (September 4, 2009)
Certain web monitoring software collects the contents of users' chats and sells the data to companies that use it to fine-tune their marketing. The products in question, Sentry and FamilySafe, are developed by EchoMatrix Inc. The company lets families that do not want their children's data collected opt out, but that choice is not presented in the agreement that accompanies the program when it is downloaded; users must visit the company's web site to select it. -http://www.msnbc.msn.com/id/32694224/ns/technology_and_science-security/
Australian Man Will be Tried for Cyber Crimes (September 4, 2009)
An Australian man has been charged with numerous offenses in connection with allegedly compromising thousands of computers around the world with malware designed to steal financial account information. Anthony Scott Harrison was in the Adelaide Magistrates Court last week, where prosecutors asked for several months to gather evidence in the case against him. Harrison faces four counts of modifying computer data to cause harm or inconvenience, two counts of possession or control of data to commit serious computer offenses, and one count of dishonestly manipulating a machine for benefit, all related to the alleged computer crimes. -http://news.theage.com.au/breaking-news-national/accused-bank-computer-hacker-faces-court-20090904-fatp.html
Infected USB Drive Wreaks Havoc on London Area Council IT Systems (September 4, 2009)
[Editor's Note (Northcutt): UK friends, I need help. In our Security Leadership Essentials class we talk about the importance of a smoking gun, proof that infosec is important and saves money. If you have evidence this event changes the behavior of the Ealing Council going forward, I would love to hear from you, email@example.com -http://www.sans.org/training/description.php?mid=62]
Apple Releases Java Update (September 3 & 4, 2009)
Canadian Privacy Commissioner Wants Bell Canada to be Forthright About Data Collection (September 3, 2009)
Canada's Privacy Commissioner Jennifer Stoddart is demanding that Bell Canada inform all of its subscribers that, in the course of managing Internet traffic, it collects some identifying information. Earlier this year, Stoddart found that Bell's use of deep packet inspection (DPI) technology does not comply with the Personal Information Protection and Electronic Documents Act (PIPEDA). Bell collects the Internet protocol (IP) addresses associated with subscribers' computers. While the numbers themselves do not identify individual users, they can be traced to a user ID, and Stoddart determined that IP addresses are therefore personal information. Bell Canada uses DPI to recognize peer-to-peer (P2P) traffic by its protocol headers and throttle it. -http://www.itworldcanada.com/a/Security/f8c8388d-1425-4e20-b1d9-c025c9318a4e.html [Editor's Note (Honan): In 2008 the European Union's Working Group 11 on Data Privacy also stated that an IP address should be regarded as personal information. -http://www.washingtonpost.com/wp-dyn/content/article/2008/01/21/AR2008012101340.html]
********************************************************************** The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.
Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/