LAST CHANCE to save $600 Off Online Courses

SANS NewsBites - Volume: XIII, Issue: 10


Two upcoming deadlines:
(1) Early registration for SANS 2011 is next Wednesday, Feb 9 (save up
to $450). That's the largest security training conference in the world
with the most courses and extra events.
http://www.sans.org/sans-2011

(2) High schools have two more weeks (through 2/18) to register to allow
their students to learn and compete in Cyber Foundations competition:
http://www.uscyberchallenge.org

*************************************************************************
SANS NewsBites                     February 04, 2011                    Volume: XIII, Issue: 10
*************************************************************************
TOP OF THE NEWS

  Final Blocks of IPv4 Address Space Allocated
  Internet Kill Switch an Overstatement
  Verizon to Start Throttling Data Speeds
  Congressmen Seek Answers About Facebook Data Privacy

THE REST OF THE WEEK'S NEWS

  Hoover Dam Not Internet Connected
  Microsoft to Patch 22 Vulnerabilities Next Week
  Internet Restored in Egypt
  New Version of Waledac Incorporates FTP Server and POP3 eMail Credentials
  Wi-Fi Alliance Urges Greater Security
  Former Trader Indicted in Pump-and-Dump Scheme


*************************************************************************
TRAINING UPDATE
-- North American SCADA Security 2011, Lake Buena Vista, FL, February 23-March 2 With special DHS/INL and NERC workshops plus hands-on immersion training.
http://www.sans.org/north-american-scada-2011/

-- SANS Phoenix 2011, Phoenix, AZ, February 25-March 2, 2011 6 courses. Bonus evening presentations and special events include Indicators of Compromise: ABCs of IOCs and Network Vulnerability Exploitation, Step By Step From Discovery through to Metasploit Module
http://www.sans.org/phoenix-2011/

-- SANS AppSec 2011: Summit & Training, San Francisco, CA, March 7-14, 2011 7 courses. Bonus evening presentations and special events includes The Road to Sustainable Security
http://www.sans.org/appsec-2011/

-- SANS 2011, Orlando, FL, March 27-April 4, 2011 39 courses. Bonus evening presentations and special events include Hiding in Plain Sight: Forensic Techniques to Counter the Advanced Persistent Threat; and Law and the Public's Perception of Data Security
http://www.sans.org/sans-2011/

-- "Combating Malware in the Enterprise" course at SANS (SEC569). How do you fight off malware when you have thousands of hosts? Learn the answers in Orlando in March:
http://www.sans.org/security-training/combating-malware-enterprise-1482-mid

-- 2011 Asia Pacific SCADA and Process Control Summit, Sydney, Australia, March 31-April 7, 2011
http://www.sans.org/sydney-scada-2011/

- - -- Looking for training in your own community?
http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Bangalore, Singapore, Wellington and Barcelona all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
****************************************************************************


TOP OF THE NEWS

Final Blocks of IPv4 Address Space Allocated (February 3, 2011)
The last blocks of IPv4 address space have been allocated to the five Regional Internet Registries. IPv4 addresses have been assigned more rapidly in recent years because of the increase in the number of Internet connected devices. The event underscores the necessity of shifting to IPv6 which has significantly more allocations available. Most users should not be affected by the change because the majority of widely used devices already support IPv6. Internet Storm Center:
-http://isc.sans.edu/diary.html?storyid=10342
highly recommended,
-http://www.v3.co.uk/v3/news/2274584/ipv4-ipv6-internet-address
-http://www.nextgov.com/nextgov/ng_20110203_6062.php?oref=topnews
-http://news.cnet.com/8301-30685_3-20030482-264.html
[Editor's Note (Paller): The organizations that must focus attention on this challenge are those that run their own large networks. And apparently they are because attendance at SANS IPv6 classes have skyrocketed this year. (Schultz): Lack of IPv4 address space is not in any way some kind of new concern. Many individuals and organizations have for years realized and have been able to work around this problem by assigning a limited number of IPv4 addresses to a limited number of Network Address Translation (NAT) servers and then using private addresses within their networks. ]


Internet Kill Switch an Overstatement (February 3, 2011)
Reports have called the powers granted to the U.S. President by proposed legislation an "Internet kill switch," evoking images of a single button somewhere that has the ability to make the internet go dark. There is no such gadget. An Internet shut down would be the result of a legal order, not the flick of a switch. Some critics of the bill have compared it to what was happened in Egypt last week, when all Internet service was severed. (Eds: Internet service in Egypt has since been restored: see story in this issue.) The likely scenario is that the Egyptian government contacted major ISPs and ordered them to make some changes to routers. The US bill specifically prohibits the president from shutting down the internet to thwart free speech. Other critics acknowledge that the hype about a kill switch is overblown, but note that the problem lies in the ambiguity of the bill's language. Sponsors of this bill have issued a statement clarifying that the legislation would not grant the president the power to shut down the Internet as had been done in Egypt, noting that "the exercise of such broad authority would be an affront to our Constitution."
-http://blogs.computerworld.com/17765/there_is_no_internet_kill_switch_except_met
aphorically

-http://www.computerworld.com/s/article/9207980/The_Internet_kill_switch_that_isn
_t?taxonomyId=17&pageNumber=2

[Editor's Note (Schultz): Part of the problem here is also "fear television," news stations that play upon people's fears. It wasn't all that long ago that "fear television" stirred anxiety that the U.S. government allegedly had declared that it had the right to arbitrarily seize anyone's computer that was connected to a U.S. government Web site. What next? ]


Verizon to Start Throttling Data Speeds (February 3, 2011)
According to a memo posted on the Verizon Wireless website, the company will today begin throttling data throughput speeds for users who consume inordinate amounts of data. The goal is to improve performance for the majority of users. The change should impact about five percent of users. The memo says that Verizon is also starting to deploy technology aimed at streamlining data transfers, including "caching less data, using less capacity, and sizing the video more appropriately for the device."
-http://www.bgr.com/2011/02/03/verizon-wireless-to-begin-throttling-data-speeds-o
f-heaviest-users-optimizing-content-starts-today/

-http://news.cnet.com/8301-13579_3-20030514-37.html
-https://ecache.vzw.com/imageFiles/Myacct/nda/images/docs/VerizonWirelessServiceI
nformation.pdf



Congressmen Seek Answers About Facebook Data Privacy (February 2, 2011)
US lawmakers are seeking additional information about Facebook's plan to allow websites and third-party applications to request access to users' home addresses, phone numbers and other personal information. The feature was postponed in January over privacy concerns, but Facebook plans to relaunch the feature in the next several weeks. Representatives Ed Markey (D-Massachusetts) and Joe Barton (R-Texas), who co-chair the House Privacy Caucus, have sent a letter to Facebook's Mark Zuckerberg containing a list of questions about why the feature was introduced in the first place.
-http://www.politico.com/news/stories/0211/48703.html
-http://www.usatoday.com/money/media/2011-02-03-facebook03_ST_N.htm
-http://markey.house.gov/docs/2-2-2011ltr_to_fb-_addresses_and_mobile_numbers.pdf
[Editor's Note (Pescatore): Facebook, Google and all the advertising-supported sites should have additional scrutiny - as an industry they aren't doing it themselves. There is a pattern of "if people scream, we back off" that would never be tolerated in physical commerce. ]



*************************** Sponsored Links: ***************************** 1) Join us for our annual winter break in the Arizona desert. SANS Phoenix 2011 February 25! http://www.sans.org/info/67408 2) Register early for the Early Bird discount of $400! SANS Northern Virginia 2011. http://www.sans.org/info/69698 ****************************************************************************


THE REST OF THE WEEK'S NEWS

Hoover Dam Not Internet Connected (February 3, 2011)
In the most recent edition of Newsbites (February 1), we ran story containing a quote implying that the Hoover Dam floodgates are connected to the Internet. However, a spokesman for the US Bureau of Reclamation has since pointed out that the "Hoover Dam and important facilities like it are not connected to the Internet
[and are ]
protected by multiple layers of security, including physical separation from the Internet ... because of multiple security mandates and good business practices." Apparently the incorrect assumption is wide-spread enough to have been cited as a reason necessitating the so-called "Internet kill switch" legislation.
-http://www.wired.com/threatlevel/2011/02/hoover/
[Editor's Note (Northcutt): I want to speak in admiration of the U.S. Bureau of Reclamation and their efforts to shut down a falsehood - that the Hoover Dam floodgates are connected to the Internet. I think the days of disinformation being used to support legislation related to the Internet need to come to an end.
(Paller): A little over five years ago, I was testifying alongside Larry Todd, Director, Security, Safety and Law Enforcement at the Bureau of Reclamation before House of Representatives subcommittee hearing chaired by Cong. Lungren of CA. The chairman's district has a very large dam so he had reason to focus on this issue. Todd testified under oath that the computers controlling the dams run by his agency were not connected to the Internet. I called the folks who had, just a few months earlier, done a red team exercise on two of BuRec-managed dams, and the team leader told me, unequivocally, that the dams' control systems shared routers with business systems that were connected with outside networks accessible from the Internet. I don't know the exact network connections of control systems at Hoover dam, but it is very possible that the dam's control systems are connected to Internet-connect systems. If so, this wouldn't the first time senior executives have made false claims (probably believing they were true) about important systems "not being connected to the Internet." You'll recall the Bank of America ATMs being disabled by the Slammer worm. The banks had said over and over again that their ATMS were not accessible from the Internet. They just didn't understand then how networks work.
(Pescatore): There is huge overhype in this area, as far as the vulnerability of critical infrastructure. However, Stuxnet pointed out that physical separation, "security mandates" and "good" business practice do not add always add up to actual security. ]


Microsoft to Patch 22 Vulnerabilities Next Week (February 3, 2011)
Microsoft will issue a dozen security bulletins on Tuesday, February 8 to fix 22 flaws in Internet Explorer (IE), Windows, Windows Server and Visio. Among the patches are three for zero-day vulnerabilities, one of which is being actively exploited. The three zero-day flaws are in IE, Windows thumbnail image rendering, and Internet Information server (IIS). There are two other zero-day flaws that Microsoft has acknowledged, but will not patch on Tuesday.
-http://www.computerworld.com/s/article/9208038/Microsoft_to_patch_22_bugs_3_zero
_days_next_week?taxonomyId=17

-http://news.cnet.com/8301-1009_3-20030613-83.html?tag=mncol;title
-http://www.microsoft.com/technet/security/Bulletin/MS11-feb.mspx


Internet Restored in Egypt (February 2, 2011)
Reports indicate that Internet service has been returned to Egypt. Four Egyptian Internet service providers (ISPs) are up and running again. Facebook and Twitter are also now available in the country. All services were cut last week in the midst of mass protests against President Hosni Mubarak. The shutdown lasted for six days. Internet Storm Center:
-http://isc.sans.edu/diary.html?storyid=10351
-http://www.bbc.co.uk/news/technology-12346929
-http://www.wired.com/threatlevel/2011/02/egypt-internet-returns/
-http://www.infoworld.com/t/network-monitoring-and-management/egypt-flips-the-kil
l-switch-the-other-way-237



New Version of Waledac Incorporates FTP Server and POP3 eMail Credentials (February 2, 2011)
Researchers have gained access to version 2 of the Waledac botnet code and found that it contains credentials that allow the malware to slip past spam filters and other security measures. They found nearly 124,000 FTP server login credentials, and nearly 490,000 POP3 email account credentials. At the end of 2010, Waledac "went dark" for a week, then re-emerged with updated capabilities, including the credentials and improved command-and-control capabilities.
-http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?a
rticleID=229200280&cid=RSSfeed_IWK_All

-http://www.theregister.co.uk/2011/02/02/waledac_account_compromise/


Wi-Fi Alliance Urges Greater Security (February 2, 2011)
According to a survey, 40 percent of those responding said they would trust someone more with their house key than with their Wi-Fi network password. Thirty-two percent of those responding said they had attempted to access Wi-Fi networks that did not belong to them. A similar poll two years ago found 18 percent of people had tried to access Wi-Fi networks without permission. People know they should protect their home networks, but "many have not taken the steps to protect themselves," as evidenced by the data Google harvested from unprotected networks while gathering information for Street View. The Wi-Fi Alliance is urging users to protect their wireless networks and devices by setting home networks for WPA2 security, not transmitting sensitive data through public hot spots, and turning off automatic connecting.
-http://www.darkreading.com/security/client-security/229200250/protecting-your-pe
rsonal-data-on-wi-fi-networks.html

-http://content.usatoday.com/communities/technologylive/post/2011/02/more-america
ns-than-ever-borrow-their-neighbors-wi-fi-connection/1



Former Trader Indicted in Pump-and-Dump Scheme (February 1, 2011)
A former securities trader has been indicted for his role in a pump-and-dump scheme. Gregg Berger has been charged with conspiracy to commit securities and wire fraud for allegedly artificially inflating stock prices, then selling shares at the high price. The scheme appears to be international with co-conspirators. The stocks that were manipulated were lightly traded and low-value Chinese and Israeli stocks. The US Securities and Exchange Commission (SEC) has filed civil charges against Berger and seven other people and three companies allegedly involved in the scheme.
-http://www.scmagazineus.com/ny-broker-charged-for-boosting-stock-prices-with-spa
m/article/195493/



************************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer at the North American Energy Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/