3 Days left to Save $400 on SANS DFIR Summit

SANS NewsBites - Volume: XII, Issue: 2


The Department of Defense Cyber Crime Center (DC3) is now accepting registrations for 2010 Digital Forensics Challenge.
See: www.dc3.mil/challenge

Alan

*************************************************************************
SANS NewsBites                     January 08, 2010                    Volume: XII, Issue: 2
*************************************************************************
TOP OF THE NEWS

  Microsoft and Adobe Will Issue Security Updates on January 12
  2010 Date Recognition Problems

THE REST OF THE WEEK'S NEWS

   Attackers are Actively Exploiting Critical Adobe Reader and Acrobat Flaw
   Adobe Will Release Silent Update Beta
   Year-Change Confounds Some German Payment Cards
   US Financial Services ISAC to Hold Cyber Incident Exercise
   Software Company Suing Chinese Government Over Alleged Stolen Code in Green Dam
   Thieves Attempt to Steal US $3.8 Million From NY School District
   FTC Roundtable Will Address Cloud Computing Privacy Issues
   Flash Drive Flaw
   Convicted Filesharer Seeks Lower Fine


*********************** Sponsored By AccelOps **************************

AccelOps is offering a Competitive Upgrade Package exclusively for Cisco CS-MARS security appliance customers and resellers seeking greater SIEM functionality, interoperability and investment protection. Upgrade to AccelOps at your current MARS maintenance fee and receive a full year of maintenance & support. Learn about AccelOps SIEM 2.0 and obtain your Free "SOC/NOC Convergence" report by Spire Research.

https://www.sans.org/info/53004

*************************************************************************

TRAINING UPDATE

- -- SANS Security East 2010, New Orleans, January 10-18, 2010: 19 courses, bonus evening presentations: Top 7 Trends in Incident Response and Computer Forensics, Advanced Forensic Techniques and more
https://www.sans.org/security-east-2010/
- -- SANS AppSec 2010, San Francisco, January 29-February 5, 2010: 8 courses, bonus evening presentations, including Social Zombies: Your Friends Want to Eat Your Brains
https://www.sans.org/appsec-2010/
- -- SANS Phoenix, February 14-February 20, 2010
https://www.sans.org/phoenix-2010/
- -- SANS 2010, Orlando, March 6-March 15, 2010: 38 courses and bonus evening presentations, including Software Security Street Fighting Style
https://www.sans.org/sans-2010/
- -- SANS Northern Virginia Bootcamp 2010, April 6-13
https://www.sans.org/reston-2010/
Looking for training in your own community? https://sans.org/community/
Save on On-Demand training (30 full courses) - See samples at https://www.sans.org/ondemand/spring09.php
Plus Tokyo, Bangalore, Oslo and Dublin all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org

*************************************************************************

TOP OF THE NEWS

Microsoft and Adobe Will Issue Security Updates on January 12 (January 7, 2010)
Microsoft plans to release just one security bulletin on Tuesday, January 12. It addresses a remote code execution flaw in Microsoft Windows. The vulnerability is rated critical for Windows 2000 and low for all other supported versions of the operating system. (Mainstream support for Windows 2000 officially ended on June 30, 2005, although those with extended support for Windows 2000 will get support until July 13 of this year.) Microsoft still has not issued a fix for a zero-day flaw in the Server Message Block protocol for which it issued an advisory in November. On the same day, Adobe plans to release a patch for a vulnerability in Reader and Acrobat that is already being actively exploited. Adobe will also issue a beta version of an automatic updater for both Acrobat and Reader.
-http://www.microsoft.com/technet/security/bulletin/ms10-jan.mspx
-http://www.scmagazineus.com/microsoft-to-release-single-patch-for-january-update/article/160845/
-http://news.cnet.com/8301-27080_3-10429070-245.html


2010 Date Recognition Problems (January 5, 2010)
German payment cards are not the only technology to be hit with problems recognizing dates in the new year. (See story below.) Smartphone users running Windows Mobile are getting text messages dated 2016. Symantec's Endpoint Protection Manager is labeling signatures dated in the new year as out-of-date; until the problem is addressed in an update, new malware signatures will be dated 12/31/2009 with increased revision numbers. Other vendors affected include Cisco and SpamAssassin. ISC:
-http://isc.sans.org/diary.html?storyid=7870
-http://isc.sans.org/diary.html?storyid=7873
-http://www.h-online.com/security/news/item/The-year-2010-is-causing-IT-problems-895628.html
-http://www.theregister.co.uk/2010/01/05/symantec_y2k10_bug/



************************ Sponsored Link: ****************************

1) Participation is needed! Be a part of this year's 2010 SANS Log Management Report by completing the survey and have a chance to win a $250 AMEX Card. Click here to complete the survey and be automatically registered. https://www.sans.org/info/53009

***********************************************************************

THE REST OF THE WEEK'S NEWS

Attackers are Actively Exploiting Critical Adobe Reader and Acrobat Flaw (January 4, 7 & 8, 2010)
Attackers are actively exploiting a critical flaw in Adobe Reader that will not be patched until next week. The flaw can be exploited to crash vulnerable systems and potentially take control of them; it is being exploited for both large scale attacks and targeted attacks. Adobe acknowledged the presence of the vulnerability in mid-December. The attack is being called sophisticated; it is a maliciously crafted PDF file that uses egg-hunting shellcode. Users are urged to disable JavaScript in Adobe Reader and Acrobat until a patch is available.
-http://www.computerworld.com/s/article/9143259/Large_scale_attacks_exploit_unpatched_PDF_bug?source=rss_security
-http://www.theregister.co.uk/2010/01/04/adobe_reader_attack/
-http://www.securecomputing.net.au/News/164110,hackers-target-unpatched-adobe-flaw.aspx
-http://www.krebsonsecurity.com/2010/01/security-tweaks-for-adobe-reader/
[Editor's Note (Ullrich): We covered a number of PDF analysis methods in our ISC diaries recently. See
-http://isc.sans.org/diary.html?storyid=7873
and
-http://isc.sans.org/diary.html?storyid=7906
and
-http://isc.sans.org/diary.html?storyid=7867
A Symantec representative referred to the last one as an old exploit, but the Symantec AV engine did not detect it at the time of the analysis by Bojan Zdrnja. ]


Adobe Will Release Silent Update Beta (January 6, 2010)
Adobe plans to introduce silent updates to help ensure that more users are running current versions of Reader and Acrobat. The beta version of Adobe Reader with silent update is expected to be available later this month. If the beta works well, future releases will have the feature enabled by default. Users would be able to adjust the settings if they need to. If the January test goes well, Adobe could roll out the automatic updater as soon as April.
-http://www.h-online.com/security/news/item/Adobe-to-introduce-silent-updates-for-Reader-896979.html
-http://www.securityfocus.com/brief/1057
[Editor's Note (Ullrich): 2010 will be a big year for Adobe to gain back a lot of lost trust; let's hope that this new update scheme works out well. ]


Year-Change Confounds Some German Payment Cards (January 6 & 7, 2010)
A software glitch pertaining to the change from the year 2009 to 2010 prevented German shoppers from using their payment cards. Older payment cards with magnetic stripes appear to work as usual; it is the newer cards with data stored on microchips that are having trouble recognizing the new year. The problem affects roughly 30 million chip and pin cards. French card manufacturer Gemalto has acknowledged responsibility for the problem and is hoping to find a solution that will not require new cards to be issued. German consumer affairs minister Ilse Aigner said that bank customers should not be liable for any resultant charges. ISC:
-http://isc.sans.org/diary.html?storyid=7873
-http://www.guardian.co.uk/world/2010/jan/06/2010-bug-millions-germans
-http://www.banktech.com/news/showArticle.jhtml?articleID=222200455
-http://www.theregister.co.uk/2010/01/06/year_2010_payment_card_bug/
-http://www.h-online.com/security/news/item/EC-card-disaster-French-manufacturer-Gemalto-takes-responsibility-897991.html

[Editor's Note (Schultz): It seems incongruous that the Y2K problem turned out to be minuscule, but the year 2010 changeover is creating significant problems (at least in Germany). The Y2K problem was incredibly overhyped, but very few changeover problems occurred. Perhaps this is why potential 2010 changeover issues have been overlooked by some organizations.

(Ullrich): There appear to be two different reasons why we had so many issues with 2010. First of all the obvious one: Input validation code checked if the year started with '200'. The second one appears to be less obvious. Some systems (like mobile operating systems and it appears some ATM machines) jumped from 2009 straight to 2016. The reason may be that the last two digits are represented in hexadecimal in some places internally in the code. 0x10=16 decimal. ]
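The two failure modes Ullrich describes above, a "200" prefix check and a year byte stored as two decimal digits but read as a binary value (so 0x10 becomes 16), shown in C beside their corrected forms. This is an added example, not code from the newsletter or from any card, phone or ATM vendor; the BCD byte layout and the sample values are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Assumption (constructed, not from any real device): the two-digit year is
 * stored as one BCD byte, one decimal digit per nibble, so 2009 -> 0x09 and
 * 2010 -> 0x10. */

/* Buggy decoder: reads the BCD byte as a plain binary number. It happens to
 * be right for 0x00..0x09 (2000-2009); then 0x10 is read as 16, giving 2016. */
int year_from_bcd_buggy(uint8_t b)
{
    return 2000 + b;
}

/* Reject bytes that are not valid BCD (either nibble above 9). */
bool bcd_byte_valid(uint8_t b)
{
    return (b >> 4) <= 9 && (b & 0x0F) <= 9;
}

/* Correct decoder: tens digit in the high nibble, units in the low nibble.
 * Returns -1 for an invalid BCD byte instead of silently producing a year. */
int year_from_bcd(uint8_t b)
{
    if (!bcd_byte_valid(b))
        return -1;
    return 2000 + (b >> 4) * 10 + (b & 0x0F);
}

/* Encoder used to round-trip a year into the assumed byte layout. */
uint8_t bcd_from_year(int year)
{
    int yy = year % 100;
    return (uint8_t)(((yy / 10) << 4) | (yy % 10));
}

/* Buggy input validation: accepts a year only if its text starts with "200",
 * so "2009" passes and "2010" is rejected as malformed. */
bool year_text_valid_buggy(const char *s)
{
    return strlen(s) == 4 && strncmp(s, "200", 3) == 0;
}

/* Fixed validation: four ASCII digits, parsed and range-checked as a number
 * rather than matched as a string prefix. */
bool year_text_valid(const char *s)
{
    if (strlen(s) != 4)
        return false;
    int y = 0;
    for (int i = 0; i < 4; i++) {
        if (s[i] < '0' || s[i] > '9')
            return false;
        y = y * 10 + (s[i] - '0');
    }
    return y >= 2000 && y <= 2099;
}
```

Decoding a sample of stored dates with both decoders and comparing the results is a quick way to find which code path a system uses before the next digit rollover.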


US Financial Services ISAC to Hold Cyber Incident Exercise (January 6, 2010)
In February, the Financial Services Information Sharing and Analysis Center (FS-ISAC) will hold a cyber attack simulation for banks, payment processors and retailers. The various organizations have been invited to participate to test their preparedness for managing a variety of attack scenarios. The results of the exercise will remain confidential.
-http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=222200554&subSection=News



Software Company Suing Chinese Government Over Alleged Stolen Code in Green Dam (January 5 & 6, 2010)
A California software company, Solid Oak Software, is seeking US $2.2 billion in recompense for alleged copyright infringement, misappropriation of trade secrets, unfair competition, and conspiracy. The company is suing the Chinese government, two Chinese companies and seven PC manufacturers for allegedly stealing some of its code for use in the Green Dam Youth Escort Internet filtering software. The complaint alleges that more than 3,000 lines of Solid Oak code were used in Green Dam. Last year, the Chinese government mandated that every PC sold in the country come equipped with Green Dam either pre-installed or on an accompanying disk. The government later backed off the requirement. The government allegedly distributed more than 56 million copies of Green Dam.
-http://news.bbc.co.uk/2/hi/technology/8442771.stm
-http://www.h-online.com/security/news/item/CYBERsitter-developers-sue-Chinese-for-billions-in-copyright-infringement-897335.html
-http://www.darkreading.com/security/client/showArticle.jhtml?articleID=222200546&subSection=End+user/client+security
-http://www.securityfocus.com/brief/1056
-http://news.cnet.com/8301-27080_3-10425599-245.html
-http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=222200365

[Editor's Note (Schultz): Solid Oak is fighting a losing cause. Even if this company can prove its allegations in court, this company will almost certainly not collect any money from China. ]


Thieves Attempt to Steal US $3.8 Million From NY School District (January 5 & 6, 2010)
The FBI and New York State Police are investigating an attempt to steal US $3.8 million from the Duanesburg Central School District online bank account. The attempted thefts occurred over several days in December 2009. Authorities were able to recover a majority of the funds, but nearly US $500,000 is still missing. The school district has closed its bank accounts and opened new ones. The attackers attempted to make a total of US $3 million in transfers on two separate days. The fraudulent transactions were not detected until another attempted transfer of US $759,000 was flagged as suspicious.
-http://www.krebsonsecurity.com/2010/01/fbi-investigating-theft-of-500000-from-ny-school-district/
-http://dcs.neric.org/news/0910/communityltr010510.pdf
-http://www.theregister.co.uk/2010/01/05/school_district_bank_theft/
-http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=222200544
-http://www.computerworld.com/s/article/9143144/FBI_investigating_online_New_York_school_district_theft?source=rss_security



FTC Roundtable Will Address Cloud Computing Privacy Issues (January 5 & 6, 2010)
The US Federal Trade Commission (FTC) will hold a roundtable session on January 28 at the University of California, Berkeley to discuss the consumer privacy ramifications of cloud computing. The FTC will also seek input on cloud computing privacy issues from industry stakeholders. The focus on cloud computing comes in response to a Federal Communications Commission (FCC) Notice of Inquiry seeking information that will help the FCC formulate a National Broadband Plan. The FTC held a roundtable discussion in December that addressed privacy issues associated with online data collection and use and behavioral advertising. A third roundtable discussion will be held later this year. In a separate story, the FCC has asked for a one month extension for submitting its National Broadband Plan; it was originally supposed to be ready on February 17, 2010.
-http://www.computerworld.com/s/article/9143192/FTC_to_examine_cloud_privacy_concerns?source=rss_security
-http://news.zdnet.co.uk/security/0,1000000189,39971354,00.htm?s_cid=248%27
-http://www.informationweek.com/news/government/policy/showArticle.jhtml?articleID=222200380
-http://voices.washingtonpost.com/posttech/2010/01/the_federal_communications_com_1.htmls

[Editor's Note (Honan): The European Network and Information Security Agency has released an excellent paper on the risks associated with cloud computing. Given that ENISA is a European agency, there is a strong focus on privacy in the paper, and it is well worth a read.
-http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment
]


Flash Drive Flaw (January 5, 2010)
Three flash drive manufacturers have issued warnings that a vulnerability in the drives' access control mechanism could allow attackers access to data on what were believed to be secure devices. The memory sticks use 256-bit AES hardware-based encryption and are made by Kingston, SanDisk and Verbatim. The problem lies not in the physical devices themselves, but in the application running on the USB device. ISC:
-http://isc.sans.org/diary.html?storyid=7894
-http://www.scmagazineus.com/flaw-could-allow-attacker-to-decrypt-protected-usb-drives/article/160772/
-http://www.csoonline.com/article/512613/Secure_USB_Drives_Not_So_Secure
-http://www.h-online.com/security/news/item/NIST-certified-USB-Flash-drives-with-hardware-encryption-cracked-895308.html
-http://www.computerworld.com.au/article/331375/kingston_recalls_some_usb_drives_due_security_flaw/?fp=4

[Editor's Note (Ullrich): A number of vendors offer recalls and free exchanges. Are you going to return drives with confidential data?]


Convicted Filesharer Seeks Lower Fine (January 4 & 5, 2010)
The Boston University student who was fined US $675,000 for illegally downloading music has asked a judge to reduce the penalty or give him a retrial. Joel Tenenbaum, who was fined US $22,500 for each of 30 songs he was found guilty of downloading in violation of copyright law, says the amount is "grossly excessive."
-http://news.bbc.co.uk/2/hi/technology/8441306.stm
-http://abcnews.go.com/Technology/wireStory?id=9476541
[Editor's Note (Schultz): A fine of nearly USD 700K for downloading 30 songs is simply not just, even if Tenenbaum is, as the music industry has alleged, a hardcore copyright violator. ]


**********************************************************************

The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, http://www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/