SANS NewsBites - Volume: XIII, Issue: 21

*************************************************************************
SANS NewsBites                     March 15, 2011                    Volume: XIII, Issue: 21
*************************************************************************
TOP OF THE NEWS

  FTC Closes Twitter Investigation
  Judge Denies Request to Throw Out Order Seeking Twitter Account Information
  Research in Motion Taken Aback by India's Data Interception Demands

THE REST OF THE WEEK'S NEWS

  Microsoft Launches Internet Explorer 9
  Adobe to Release Out-of-Band Patch for Flaw in Flash and Reader
  German Finance Ministry Offline After Security Problems Discovered
  Cyber Attackers Release Internal Bank of America eMails
  AT&T to Impose Data Caps for Broadband Customers
  UK ISPs to Clarify Traffic Management Policies
  Unpatched IE Flaw is Being Actively Exploited


*****************************************************************


TOP OF THE NEWS

FTC Closes Twitter Investigation (March 11 & 14, 2011)
The US Federal Trade Commission (FTC) has closed its investigation into two incidents that compromised Twitter accounts of high-profile users. In 2009, attackers broke into Twitter systems and took over the accounts of several well-known people and organizations and sent phony messages. Twitter failed to lock people out of accounts after several incorrect login attempts. The FTC maintained that Twitter misled its users when it claimed it was taking adequate security measures to protect their privacy. Twitter and the FTC reached a tentative settlement in June 2010; last week, the settlement was finalized. The terms of the settlement call for Twitter to establish a "comprehensive information security program, which will be assessed by an independent auditor every other year for 10 years." Twitter's privacy policy has been amended to exclude assurances that it has established "administrative, physical, and electronic measures designed to protect [users'] information from unauthorized access."
-http://www.computerworld.com/s/article/9214238/FTC_officially_closes_Twitter_security_investigation?taxonomyId=17
-http://www.theregister.co.uk/2011/03/14/twitter_ftc_celeb_hack_settlement/
-http://latimesblogs.latimes.com/technology/2011/03/ftc-settles-with-twitter-on-misleading-security-practices.html
-http://www.eweek.com/c/a/Security/Twitter-Settles-with-FTC-Over-Privacy-Breach-and-Account-Hacking-151625/

[Editor's Note (Schultz): Privacy practices and controls are for the most part seriously deficient or altogether lacking in the social networking arena, a place in which they are needed the most.]


Judge Denies Request to Throw Out Order Seeking Twitter Account Information (March 11, 2011)
Last week, a federal judge denied a motion to dismiss the US government's request for data from Twitter to gather information about the accounts of three WikiLeaks associates. US Magistrate Judge Theresa Buchanan said the associates do not have standing to challenge the government's request because the government is not seeking content of the accounts. The government order was unsealed at Twitter's request, but the judge denied a motion to unseal the government's application for that order. According to the unsealed order, the government wants Twitter to provide contact details for the specified accounts, IP addresses used to access those accounts, connection records, data transfer information and the destination IP addresses. The judge ruled that the request did not violate the account holders' First or Fourth Amendment rights.
-http://news.cnet.com/8301-31921_3-20042277-281.html
-http://www.wired.com/threatlevel/2011/03/judge-denies-on-twitter-case/
-http://www.bbc.co.uk/news/world-us-canada-12720631


Research in Motion Taken Aback by India's Data Interception Demands (March 14, 2011)
A Research in Motion (RIM) executive said that India's Home Ministry is demanding the ability to intercept information about email communications sent over BlackBerry handsets. The Ministry wants the data in plain-text. RIM is concerned that such an arrangement would damage the company's commitment to user privacy. Robert Crow, VP of Industry and Government Relations for RIM, also noted that the demands could have more far-reaching implications about what communications the government believes it has the right to intercept.
-http://www.techeye.net/security/india-demands-more-access-to-blackberry-emails



*************************** Sponsored Links: *****************************

1) SEC577 Virtualization Security Fundamentals gives you the skills you need at SANS Northern Virginia 2011. http://www.sans.org/info/69743

2) REGISTER NOW FOR Web 2.0 Security: Same Old But Different WHEN: Thursday, March 24, 2011 at 1:00 PM EDT (1700 UTC/GMT) FEATURING: Johannes Ullrich & Eric Crutchlow http://www.sans.org/info/72768 Sponsored By: SONICWALL http://www.sonicwall.com/
****************************************************************************


THE REST OF THE WEEK'S NEWS

Microsoft Launches Internet Explorer 9 (March 14 & 15, 2011)
Microsoft is scheduled to launch Internet Explorer 9 (IE9) at 9:00 PM Pacific time. The browser will be posted to download sites several hours later. The new version of the browser includes a tracking protection feature that allows users to create lists of sites they do not want to track their browsing activity. IE9 runs on Windows Vista and Windows 7, but not Windows XP.
Internet Storm Center:
-http://isc.sans.edu/diary/Internet+Explorer+9+is+out+includes+new+security+features+/10552
-http://www.informationweek.com/news/windows/microsoft_news/showArticle.jhtml?articleID=229300939&cid=RSSfeed_IWK_All
-http://www.nbr.co.nz/article/ie-9-launches-do-not-track-tool-aw-88266
-http://www.computerworld.com/s/article/9214461/Microsoft_to_release_IE9_Monday_night?taxonomyId=89
-http://blog.seattlepi.com/microsoft/2011/03/14/microsoft-releasing-internet-explorer-9-tonight/
-http://www.bbc.co.uk/news/technology-12737013


Adobe to Release Out-of-Band Patch for Flaw in Flash and Reader (March 14, 2011)
Adobe says it will release emergency fixes for a critical flaw in Flash and Reader that is being actively exploited in targeted attacks to plant malware on vulnerable computers. The patches will be available the week of March 21, according to Adobe, and will address the problem in Adobe Flash player 10 and Adobe Reader versions 9, 10 and X, with the exception of Reader X for Windows. That version of Reader ships with a sandbox feature that has blocked the attack thus far. The attackers are using specially-crafted Microsoft Excel documents to exploit the flaw.
-http://www.theregister.co.uk/2011/03/14/adobe_flash_reader_emergency_patch/
-http://www.computerworld.com/s/article/9214521/Hackers_exploit_Flash_zero_day_Adobe_confirms?taxonomyId=17
-http://blogs.adobe.com/psirt/2011/03/security-advisory-for-adobe-flash-player-adobe-reader-and-acrobat-apsa11-01.html



German Finance Ministry Offline After Security Problems Discovered (March 14, 2011)
The German federal finance ministry, Deutsche Finanzagentur, has removed its website from the Internet after learning that it contained security flaws that could have been exploited to spy on agency customers, steal login information or launch phishing attacks. Attackers could also have exploited a vulnerability which would have allowed them to alter financial transaction quotes from the agency. The problem lay in a browser-based file manager that all users were able to access.
-http://www.h-online.com/security/news/item/German-federal-finance-agency-s-web-server-wide-open-1206634.html
-http://www.theregister.co.uk/2011/03/14/german_finance_agency_site_suspension/


Cyber Attackers Release Internal Bank of America eMails (March 14, 2011)
The group of hackers that calls itself Anonymous has released email messages that they say demonstrate fraud at Bank of America (BofA). The information appears to come from an unnamed whistleblower, a former employee of Balboa Insurance, which used to be owned by BofA. The emails indicate that the company withheld foreclosure information from regulators.
-http://www.v3.co.uk/v3-uk/news/2033862/anonymous-hacktivists-reveal-fraud-bank-america
-http://www.businessinsider.com/anonymous-hackers-bank-of-america-wikileaks-emails-documents-2011-3
-http://content.usatoday.com/communities/ondeadline/post/2011/03/anonymous-hackers-release-bank-of-america-emails/1



AT&T to Impose Data Caps for Broadband Customers (March 14, 2011)
AT&T has announced that it will cap data use for its broadband customers. DSL customers will have a monthly limit of 150GB; customers who have AT&T's U-Verse broadband will have a monthly limit of 250GB. Customers who exceed their limit in three or more months will be charged US $10 for every additional 50GB. The policy will take effect on May 2. Customers will be notified as their usage approaches 65 percent, 90 percent and 100 percent of their limit. Comcast placed usage limits on broadband users in 2008, limiting customers to 250GB a month. Comcast says the median monthly data use is between 2GB and 3GB of data.
-http://news.cnet.com/8301-30686_3-20042839-266.html
-http://latimesblogs.latimes.com/technology/2011/03/atts-bandwidth-caps-a-bad-deal-for-whom.html
-http://www.wired.com/epicenter/2011/03/att-dsl-cap/
-http://www.pcworld.com/article/222039/atandts_uverse_and_dsl_data_caps_good_deal_bad_precedent.html



UK ISPs to Clarify Traffic Management Policies (March 14, 2011)
Major broadband providers in the UK will soon clarify their network traffic management practices. BT, Virgin Media and others have signed a voluntary code of practice saying they will provide consumers with clear information about when Internet connection speeds are slowed, why they are slowed, and what effect the throttling will likely have on consumers' broadband service. The disclosures will also state whether the provider has arrangements with specific content providers to prioritize their traffic.
-http://www.bbc.co.uk/news/technology-12730440
-http://www.wired.co.uk/news/archive/2011-03/14/broadband-consortium
-http://www.zdnet.co.uk/news/networking/2011/03/14/isps-to-be-honest-about-traffic-management-policies-40092124/



Unpatched IE Flaw is Being Actively Exploited (March 12 & 14, 2011)
An unpatched flaw in Internet Explorer (IE) is being exploited in "limited, targeted attacks," according to Microsoft. The vulnerability in the mshtml.dll software library used by IE was disclosed two months ago, but Microsoft has not yet released a patch for the issue, although a Fixit tool is available. The attacks involve tricking users into visiting a specially-crafted web page that launches a drive-by attack on the browser. Google says the attacks appear to be politically motivated.
-http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=229300931&subSection=Security
-http://www.computerworld.com/s/article/9214259/New_attacks_leverage_unpatched_IE_flaw_Microsoft_warns?taxonomyId=17
-http://www.v3.co.uk/v3-uk/news/2033669/google-warns-politically-motivated-targeted-attacks-users
-http://www.microsoft.com/technet/security/advisory/2501696.mspx


************************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/