SANS NewsBites - Volume: XII, Issue: 46

*************************************************************************
SANS NewsBites                     June 11, 2010                    Volume: XII, Issue: 46
*************************************************************************
TOP OF THE NEWS

   Adobe Fixes Zero-Day Flaw in Flash
   Irish Data Protection Commissioner Publishes Draft Data Security Breach Code of Practice
   Companies Including Cyber Risks in SEC Filings

THE REST OF THE WEEK'S NEWS

   Judge Questions Validity of Copyright Violation Suits That Name Thousands of John Does
   Malicious Code Spreads to More Than 100,000 Web Pages
   iPad Users' Data Exposed
   RIAA Seeks to Reduce LimeWire to Pulp
   Third-Party Company Will Review Google Data Collection Code
   Apple Releases Updated Safari
   Microsoft Patch Tuesday Fixes 34 Flaws
   Zero-Day Flaw in Windows Help and Support Center
   Cyber Thieves Stole $644,000 from NYC Dept. of Education
   Bank of America Employee Pleads Guilty to Bank Fraud


********************* Sponsored By BreakingPoint ***********************
What is Resiliency and why is it Important to Network Security? Does your organization measure the impact of security threats, blended traffic and extreme load on the overall performance, security and stability of network devices and systems? Take our SANS network resiliency survey and help us find out if organizations have security resiliency on their radars. Complete the survey and be entered in a drawing for a $250 American Express Gift Certificate! Results will be announced in our June 30 SANS Analyst Webcast, 1PM EST.

http://www.sans.org/info/60468
*************************************************************************

-- SANSFIRE 2010, Baltimore, June 6-14, 2010. 36 courses. Bonus evening presentations include Software Security Street Fighting Style and The Verizon Data Breach Investigations Report
http://www.sans.org/sansfire-2010/

-- SANS Rocky Mountain 2010, Denver, July 12-17, 2010. 8 courses. Bonus evening presentations include Hiding in Plain Sight: Forensic Techniques to Counter the Advanced Persistent Threat
http://www.sans.org/rocky-mountain-2010/

-- SANS Boston 2010, August 2-8, 2010. 11 courses. Special events include the Rapid Response Security Strategy Competition
http://www.sans.org/boston-2010/

-- SANS Virginia Beach 2010, August 29-September 3, 2010. 9 courses
http://www.sans.org/virginia-beach-2010/

-- SANS Network Security 2010, Las Vegas, September 19-27, 2010. 40 courses. Bonus evening presentations include The Return of Command Line Kung Fu and Cyberwar or Business as Usual? The State of US Federal CyberSecurity Initiatives
http://www.sans.org/network-security-2010/

-- Looking for training in your own community? http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/spring09.php

Plus Amsterdam, Kuala Lumpur, Canberra and Portland all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
*************************************************************************


TOP OF THE NEWS

Adobe Fixes Zero-Day Flaw in Flash (June 8, 2010)
Adobe will issue a fix for a critical zero-day vulnerability in Flash on Thursday, June 10, but a patch for the same flaw in Adobe Reader and Acrobat will not be made available until later in the month. The Flash vulnerability is being addressed first because it is more likely to be exploited without user interaction. The flaw is already being actively exploited through specially-crafted PDF documents. Adobe has accelerated its scheduled July 13 quarterly update by two weeks and plans to release security updates for Reader and Acrobat on June 29.
-http://www.computerworld.com/s/article/9177811/Adobe_delays_Reader_patch_as_attacks_spread_exploit_code_goes_public?source=CTWNLE_nlt_pm_2010-06-08
-http://www.theregister.co.uk/2010/06/08/adobe_flash_fix/
-http://www.adobe.com/support/security/advisories/apsa10-01.html


Irish Data Protection Commissioner Publishes Draft Data Security Breach Code of Practice (June 10, 2010)
The Irish Data Protection Commissioner has published a draft security breach code of practice that, if adopted, would require any data breach involving information belonging to more than 100 people be reported to the Data Protection Commissioner. Organizations would be exempt from the requirement if they demonstrate that the compromised data are protected by strong security measures or if the breach affects non-sensitive information or small amounts of personal information. The Office of the Data Protection Commissioner is accepting public comment on the draft code through June 18, 2010.
-http://www.scmagazineuk.com/irish-data-protection-commissioner-introduces-draft-code-of-practice-on-breach-notification/article/172079/
-http://www.dataprotection.ie/viewdoc.asp?DocID=1077&m=f
[Editor's Note (Pescatore): A lot of loopholes in this one, but Europe adding disclosure requirements would be a good thing.
(Honan): As someone who has advocated that Ireland should have data breach laws, I am happy to see the proposed code and encourage those of you in Ireland to read the proposal and submit your comments. Hopefully this code will also serve as an example for other European countries to follow suit. ]


Companies Including Cyber Risks in SEC Filings (June 8, 2010)
In the wake of Google's acknowledgment that hackers managed to gain access to its internal computer systems, companies have begun noting in US Securities and Exchange Commission (SEC) filings that similar attacks could compromise the security and integrity of intellectual property. The notes have been made in mandatory SEC filings that require companies to disclose risks that could have a negative impact on their bottom line. Google noted that "because the techniques used [by hackers] ... change frequently and often are not recognized until launched against a target, we may be unable to anticipate these techniques or to implement adequate preventative measures."
-http://www.businessweek.com/idg/2010-06-08/after-google-hack-warnings-pop-up-in-sec-filings.html

[Editor's Note (Schultz): Honestly, the problem Google needs to address is not the changing nature of attacks, but rather security 101.
(Paller): I must disagree with Gene. Google's words are accurate, and Security 101 isn't enough. The attack earlier this year taught Google that highly-touted security tools were completely incapable of stopping the attack. In the aftermath, Google moved rapidly to recruit a cadre of people with very advanced technical skills - people the Air Force calls "hunters." Hunters are the most valuable people in security - the central ingredient in defending against the advanced persistent threat that compromised Google and is compromising government and industry computers as you read this. ]



**************************** Sponsored Link: ***************************
1) REGISTER NOW for the upcoming Industry Analysts Program Webcast - A Guide to Virtual Hardening Guides Sponsored By: VMWare Featuring: Dave Shackleford & Charu Chaubal

http://www.sans.org/info/60473
*************************************************************************


THE REST OF THE WEEK'S NEWS

Judge Questions Validity of Copyright Violation Suits That Name Thousands of John Does (June 9, 2010)
A federal judge has given attorneys representing film studios until June 21 to provide a convincing argument why two lawsuits they have filed against thousands of alleged copyright infringers should not be dismissed for misjoinder. Judge Rosemary Collyer is asking the plaintiffs to explain why she should not dismiss their lawsuits under Federal Rule of Civil Procedure 20, which requires, in part, that defendants named in such a suit must all be party to the same "transaction or occurrence." Judge Collyer's order comes just days after the American Civil Liberties Union (ACLU) and the Electronic Frontier Foundation (EFF) filed an amicus brief complaining of improper joinder in the two cases.
-http://arstechnica.com/tech-policy/news/2010/06/judge-may-dismiss-4576-of-4577-p2p-defendants-from-lawsuit.ars
-http://www.theregister.co.uk/2010/06/09/bittorrent_piracy_lawsuit_flap/


Malicious Code Spreads to More Than 100,000 Web Pages (June 9, 2010)
Tens of thousands of web pages have been infected with malicious HTML code that redirects visitors to a web server that tries to download malware onto their computers. The attacks have compromised web pages on several high-profile sites, including The Wall Street Journal and The Jerusalem Post. While researchers do not yet have a definitive answer as to the nature of the attacks, there is strong suspicion that an SQL injection attack was used. All the affected web sites appear to be running Microsoft Internet Information Services Web-server software with Active Server Pages. The number of affected pages has dropped significantly since the attack was first detected. Internet Storm Center:
-http://isc.sans.edu/diary.html?storyid=8956
-http://www.theregister.co.uk/2010/06/09/mass_webpage_attack/
-http://www.computerworld.com/s/article/9177904/Mass_Web_attack_hits_Wall_Street_Journal_Jerusalem_Post?taxonomyId=17

[Editor's Note (Northcutt): One suggestion is to have your team run Scrawlr, a free unsupported tool from HP, to look for pages that are vulnerable to SQL Injection. One nifty thing about it is that it proves it does not false positive by displaying table names.
-http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2008/06/23/finding-sql-injection-with-scrawlr.aspx]
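The compromise described in this item leaves pages carrying HTML that sends visitors to a server the site owner never chose, so a site operator's first question is which of its own pages now reference a host it does not control. The Python scanner below is an added illustration, not code from SANS, HP or any source cited here; it flags script, frame and meta-refresh references whose host is outside an allow list, and the allow list, host names and sample pages are all constructed for the example.

```python
# Added illustration, not code from SANS or any source cited in this item; the
# allow list, host names and sample pages are constructed for the example.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this (hypothetical) site legitimately loads script from or redirects to.
ALLOWED_HOSTS = {"www.example.com", "static.example.com"}
# Tags whose src fetches from another server; plain <a href> links are normal.
SRC_TAGS = {"script", "iframe", "frame"}
URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.I)
META_URL_RE = re.compile(r"url\s*=\s*['\"]?([^'\"\s;]+)", re.I)


class RedirectFinder(HTMLParser):
    """Collects (where, url) pairs whose host is outside ALLOWED_HOSTS."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            m = META_URL_RE.search(attrs.get("content") or "")  # "0;url=http://..."
            if m:
                self._check("meta-refresh", m.group(1))
        elif tag in SRC_TAGS and attrs.get("src"):
            self._check(tag, attrs["src"])

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Inline script bodies often carry document.write('<iframe src=...>');
        # pull any absolute URL out of them and check its host too.
        if self._in_script:
            for url in URL_RE.findall(data):
                self._check("inline-script", url)

    def _check(self, where, url):
        host = urlparse(url).hostname  # None for relative URLs (same origin)
        if host and host not in ALLOWED_HOSTS:
            self.findings.append((where, url))


def find_injected_redirects(html):
    parser = RedirectFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed samples: a clean page and one carrying injected redirect HTML.
CLEAN_PAGE = '<html><head><script src="/js/app.js"></script></head><body></body></html>'
INFECTED_PAGE = """<html><head>
<script src="https://static.example.com/app.js"></script>
<script src="//cdn.evil-example.net/ads.js"></script>
<meta http-equiv="refresh" content="0;url=http://landing.evil-example.net/go">
</head><body>
<script>document.write('<iframe src="http://drop.evil-example.net/x"></iframe>');</script>
</body></html>"""
```

Run it over a crawl of your own pages and diff the findings against the previous crawl; a host that appears for the first time across many pages at once is the signature of the mass injection this item describes.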


iPad Users' Data Exposed (June 9, 2010)
AT&T has inadvertently leaked information about more than 114,000 iPad users. The data include email addresses and ICC-IDs, unique identifiers used to authenticate iPads' SIM cards to the AT&T network. The breach affects a number of high-profile individuals who were among the first to use iPads. The vulnerability in the AT&T website has since been fixed. The group that found and exploited the vulnerability did not inform AT&T about the problem; instead, the company learned about it from a business customer. Internet Storm Center:
-http://isc.sans.edu/diary.html?storyid=8941
-http://gawker.com/5559346/apples-worst-security-breach-114000-ipad-owners-exposed?skyline=true&s=i
-http://www.wired.com/threatlevel/2010/06/ipad-exposed/


RIAA Seeks to Reduce LimeWire to Pulp (June 8 & 9, 2010)
The Recording Industry Association of America (RIAA) says file-sharing company LimeWire could be liable for more than $1 billion for encouraging copyright infringement. Last month, US District Judge Kimba M. Wood ruled that LimeWire users are responsible for a "substantial amount of copyright infringement" and that the Lime Group, LimeWire's parent company, "has not taken meaningful steps to mitigate infringement." LimeWire still hopes to reach a settlement with the RIAA. A settlement appears unlikely, as Judge Wood found that LimeWire engaged in "purposeful conduct that fostered infringement, with the intent to foster such infringement." The LimeWire hash filter, which is designed to help prevent illegal filesharing, must be enabled by users.
-http://www.wired.com/images_blogs/threatlevel/2010/05/limewireruling.pdf
-http://www.wired.com/threatlevel/2010/06/limewire-owes-billion/
-http://www.computerworld.com/s/article/9177871/On_verge_of_closing_P2P_vendor_LimeWire_hopes_for_a_settlement?taxonomyId=17



Third-Party Audit of Google Street View Data Collection Practices Released (June 8 & 10, 2010)
Google has released the results of an audit conducted by independent Internet security company Stroz Friedberg. Google selected the company to review the data collection process that caused sensitive data to be inadvertently gathered by the systems used to collect images and other data for Google Street View. The report found that while Google's data collection system does save packets collected from unencrypted wireless networks to a hard drive, the company "does not attempt to analyze or parse that data."
-http://www.mercurynews.com/business/ci_15246525?source=rss&nclick_check=1
-http://www.pcmag.com/article2/0,2817,2364904,00.asp
-http://static.googleusercontent.com/external_content/untrusted_dlcp/www.google.com/en//googleblogs/pdfs/friedberg_sourcecode_analysis_060910.pdf

[Editor's Note (Pescatore): When I read the report, I see a review of the source code of the tools Google used, not a third party review of Google's processes around minimizing collection and meeting the well known requirements for assuring privacy of citizens data. ]


Apple Releases Updated Safari (June 8, 2010)
Apple has issued an updated version of its Safari web browser that fixes at least 48 security flaws. Safari 5 is available for Windows and for Mac. Apple also issued Safari 4.1 to fix the same set of vulnerabilities in Mac OS X 10.4, which does not support Safari 5. The update addresses flaws in Safari, ColorSync and WebKit. The flaws could be exploited to allow cross-site scripting attacks, access data, cause denial-of-service conditions or execute arbitrary code.
-http://www.scmagazineus.com/newly-issued-safari-5-closes-dozens-of-holes/article/171936/
-http://www.us-cert.gov/current/#apple_releases_safari_5_0
-http://support.apple.com/kb/HT4196


Microsoft Patch Tuesday Fixes 34 Flaws (June 8 & 9, 2010)
On Tuesday, June 8, 2010, Microsoft issued 10 security bulletins to address a total of 34 vulnerabilities. Three of the bulletins were rated critical; they addressed a total of 10 security flaws. The only other time Microsoft has fixed this many flaws in one month was October 2009. In addition, one of the bulletins addresses 14 separate vulnerabilities in Excel, which is a first for Microsoft. Microsoft noted in one of the bulletins (MS10-036) that it would not fix a component object model (COM) vulnerability in Office XP, because to develop a patch "would require rearchitecting a very significant amount of the Microsoft Office XP products," and was therefore "infeasible."
-http://isc.sans.edu/diary.html?storyid=8929
-http://www.theregister.co.uk/2010/06/09/microsoft_patch_tuesday_june_2008/
-http://www.h-online.com/security/news/item/Microsoft-s-June-Patch-Tuesday-1018187.html
-http://www.computerworld.com/s/article/9177891/Microsoft_leaves_some_Office_XP_users_patchless?source=rss_news
-http://www.microsoft.com/technet/security/bulletin/ms10-036.mspx
-http://news.cnet.com/8301-27080_3-20007103-245.html?part=rss&subj=news&tag=2547-1_3-0-20
-http://krebsonsecurity.com/2010/06/microsoft-apple-ship-big-security-updates/
-http://www.microsoft.com/technet/security/Bulletin/MS10-jun.mspx
[Editor's Note (Honan): Not only has this story reignited the "responsible vulnerability disclosure" debate, it has also generated controversy over how the flaw was disclosed, in particular because the person who discovered the flaw is a Google employee.
-http://news.cnet.com/8301-27080_3-20007421-245.html?tag=mncol;title]



Zero-Day Flaw in Windows Help and Support Center (June 10, 2010)
Just days after a scheduled security update that offered fixes for a record-tying number of security issues, Microsoft has issued a security advisory about a zero-day vulnerability in Windows XP and Windows 2003. The flaw lies in the Windows Help and Support Center component. The flaw could be exploited to execute arbitrary code with the privileges of the current user. Attackers can exploit the flaw by tricking users into visiting specially crafted websites while running Internet Explorer (IE). Internet Storm Center:
-http://isc.sans.edu/diary.html?storyid=8956
-http://www.h-online.com/security/news/item/Windows-Help-used-as-attack-surface-1019381.html
-http://www.scmagazineuk.com/new-zero-day-vulnerability-in-microsoft-windows-xp-and-2003-discovered/article/172078/
-http://www.crn.com/security/225600300
-http://www.microsoft.com/technet/security/advisory/2219475.mspx
[Editor's Note (Pescatore): In both this vulnerability and in the AT&T vulnerability in iPad services, there seems to have been irresponsible disclosure going on. ]


Cyber Thieves Stole $644,000 from NYC Dept. of Education (June 7, 2010)
Cyber thieves have targeted the New York City Department of Education, electronically draining one of the department's bank accounts of more than US $644,000. The account, which was designated for petty cash spending, was limited to US $500 purchases, but an oversight allowed transfers of any amount. The thieves made transfers for more than three years before the scheme was detected. Officials didn't discover the problem because they neglected to reconcile their accounts regularly. Albert Attoh was sentenced to one year in prison and ordered to pay US $270,000 in restitution for his role in the thefts. In exchange for payments, Attoh gave bank routing and account data to other people who used it to pay student loans and make purchases.
-http://www.theregister.co.uk/2010/06/07/electronic_account_raided/


Bank of America Employee Pleads Guilty to Bank Fraud (June 7 & 8, 2010)
Bank of America (BofA) call center employee Brian Matty Hagen has pleaded guilty to bank fraud. Hagen admitted he stole customer information and tried to sell it. Hagen's scheme was uncovered when he attempted to make a data sale to an undercover FBI agent. Hagen targeted only BofA accounts with balances in excess of US $100,000. Hagen was keeping track of customers' information and hoped to exchange it for 25 percent of the profits. The information was allegedly going to be used to establish credit lines at other financial institutions.
-http://www.theregister.co.uk/2010/06/08/bank_insider_data_theft/
-http://www.businessweek.com/idg/2010-06-07/bofa-call-center-worker-pleads-guilty-to-data-theft.html



**********************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription (and for free posters), or to update a current subscription, visit http://portal.sans.org/