SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Sign Up Now
• Editorial Board

Volume XI - Issue #46

June 12, 2009

TOP OF THE NEWS

Microsoft Fixes Record Number of Flaws
Pricewert Takedown Likely Responsible for Temporary Dip in Spam Levels
France's Constitutional Council Says Three-Strikes Law is Unconstitutional

THE REST OF THE WEEK'S NEWS

LEGAL ISSUES
Aetna Named In Class Action Data Security Breach Lawsuit
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
Army Allows Access to Some Social Networking Sites
Security Issues at Dulles Still Need Attention, Says DHS IG Report
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Survey Shows Losing Internet Connection is Strong Motivation to Stop Piracy
UPDATES AND PATCHES
Microsoft Malicious Software Removal Tool Now Detects Certain Scareware
Adobe Releases First Quarterly Security Update
Apple Issues Safari 4.0
ATTACKS & ACTIVE EXPLOITS
VAServ Denies Claim That Weak Passwords Led to Attack
T-Mobile Attack Update

---

********************* Sponsored By Norwich University *******************

Norwich University's Master of Science in Information Assurance program allows information security professionals to integrate their technical competencies with business management skills. A comprehensive core curriculum and an individual case study project equip graduates with the skills to manage and lead an organization-wide information security program.
http://www.sans.org/info/44748

*************************************************************************

TRAINING UPDATE

- - The Forensics Summit starts in four weeks on July 9, and has four courses http://www.sans.org/forensics09_summit/event.php: Computer Forensic and E-discovery Essentials Computer Forensics, Investigation, and Response Advanced Filesystem Recovery and Memory Forensics Drive and Data Recovery Forensics
- - SANSFIRE in Baltimore 6/13-6/20 (24 long courses, 12 short courses) http://www.sans.org/sansfire09/event.php
- - Rocky Mountain SANS, July 7-13 (6 full-length hands-on courses) http://www.sans.org/rockymnt2009/event.php
- - SANS Boston, Aug 2-9 (6 full-length hands-on courses) https://www.sans.org/boston09/index.php
- - National Forensics Summit, July 6-14 http://www.sans.org/forensics09_summit/
Looking for training in your own community? http://sans.org/community/ Save 25% on all On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/spring09.php Plus Amsterdam, London, Dubai, Riyahd, Cairo, Melbourne, Canberra, and Singapore all in the next 90 days. For a list of all upcoming events, on-line and live: www.sans.org

*************************************************************************

Register now for free webcast
Preview of New SANS course: 20 Critical Security Controls: Planning, Implementing and Auditing, by Alan Paller and Eric Cole, PhD Live! from SANSFIRE 2009, Monday, June 15, 2009
To register, visit https://www.sans.org/athome/details.php?nid=19609

*************************************************************************

---

TOP OF THE NEWS

Microsoft Fixes Record Number of Flaws (June 9 & 10, 2009)

On Tuesday, June 9, 2009 Microsoft issued 10 security bulletins to address a total of 31 security flaws in its products, including Windows, Internet Explorer (IE) and various Office applications and components. More than half of the flaws were rated "critical." This is the largest number of vulnerabilities Microsoft has addressed in its scheduled monthly security updates. ISC:
-http://isc.sans.org/diary.html?storyid=6538
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9134156
-http://www.theregister.co.uk/2009/06/10/monster_microsoft_patch_batch/
-http://blogs.usatoday.com/technologylive/2009/06/microsoft-has-just-set-another-
patch-tuesday-record-issuing-security-fixes-for-31-vulnerabilities-17-of-them-ra
ted-critical.html
-http://voices.washingtonpost.com/securityfix/2009/06/microsoft_issues_record_num
ber.html
-http://www.microsoft.com/technet/security/bulletin/ms09-jun.mspx
[Editor's Note (Skoudis): A record! How exciting! Actually, it's a really a bummer that we are still seeing so many flaws seven years after Microsoft's much-publicized announcements regarding "Trustworthy Computing". From a vulnerability perspective, we've got a long way to go. And, with the massive number of Adobe and Apple Safari flaws described elsewhere in this issue of NewsBites, it feels like we are losing ground as our software becomes more brittle with each successive wave of patches. ]

Pricewert Takedown Likely Responsible for Temporary Dip in Spam Levels (June 9 & 10, 2009)

The level of spam fell 15 percent following the Federal Trade Commission (FTC) order to shut down the Internet service provider (ISP) Pricewert, also known as 3FN. However, the respite appears to be short-lived, as spam volumes have begun climbing again. The Cutwail botnet, also known as Pushdo, experienced significant downturns in activity following the shutdown. The level of spam is expected to resume its prior level - about 90 percent of all email sent - once spammers make arrangements with companies based outside the US where anti-spam enforcement is not as rigorous. The FTC made its decision to order the takedown based on Pricewert's reputation for recruiting and cooperating with cyber criminals.
-http://news.cnet.com/8301-1009_3-10260338-83.html?part=rss&subj=news&tag
=2547-1009_3-0-20
-http://www.scmagazineus.com/Pricewert-shutdown-brought-only-short-lived-drop-in-
spam/article/138298/

France's Constitutional Council Says Three-Strikes Law is Unconstitutional (June 10, 2009)

France's Constitutional Council has rejected as unconstitutional the government's plan to sever Internet connections of users who are believed to habitually download digital content in violation of copyright law. The government's plan would have given the authority to cut off service to the newly created High Authority for the Distribution of Works and the protection of Rights on the Internet. The Constitutional Council ruled that to cut off users from the Internet without judicial involvement would violate citizens' rights.
-http://www.nytimes.com/2009/06/11/technology/internet/11net.html?_r=1&ref=te
chnology
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9134239

---

************************ Sponsored Links: *****************************

1) SANS Vendor Demo Spotlight: Cisco Enterprise Policy Manager - XACML-based solution for administering, enforcing, and auditing entitlements to portals, applications, and databases.
http://www.sans.org/info/44753

2) SANS Recommended Webcast Replay featuring Novell - Novell ZENworks Endpoint Security Management- A Technical Demonstration
http://www.sans.org/info/44758

3) Join the SANS WhatWorks in Forensics & Incident Response Summit, Washington DC, July 7-8
http://www.sans.org/info/44763

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

LEGAL ISSUES

Aetna Named In Class Action Data Security Breach Lawsuit (June 9, 2009)

A class-action lawsuit filed in Pennsylvania District Court names Aetna as a defendant, alleging that the Hartford-based health insurance company "failed to maintain reasonable systems and procedures to protect (the plaintiffs' personal) information." Intruders allegedly gained access to Aetna's computer systems and compromised the Social Security numbers (SSNs) and other sensitive information of approximately 65,000 current, former employees and job applicants.
-http://www.hartfordbusiness.com/news9190.html
[Editor's Note (Pescatore): There is always a hope in security circles that threats such as class action lawsuits or "downstream liability" will cause a light bulb to go off in boards of directors' heads and they will say "Aha - information security is important, increase the budget, promote the CISO!!" In reality, when boards hear "liability" they tend to mostly make sure that the corporate Directors and Officers Liability insurance coverage is sufficient. The actual business damage of incidents is usually the bigger driver for action by boards of directors. ]

GOVERNMENT SYSTEMS AND HOMELAND SECURITY

Army Allows Access to Some Social Networking Sites (June 10, 2009)

A US Army document recently made public ordered Army network managers to allow soldiers access to several social media sites, including Facebook, Twitter and Flickr. The document, dated May 18, 2009, also allows soldiers access to web-based email. The order does not apply to all overseas bases or to bases operated by other branches of the US armed services. Certain sites, including MySpace, YouTube and Pandora, will continue to be blocked.
-http://www.wired.com/dangerroom/2009/06/army-orders-bases-stop-blocking-twitter-
facebook-flickr/
[Editor's Note (Pescatore): Access to social network sites has been overly demonized. The majority of security issues are the same as any other web site access. There is certainly malware being planted at those sites - just like at other websites we allow users to go to. There is definitely a data leakage issue as far as what users might post at social network sites - just as the same problem exists when they post at other web sites. The big differences come in when the business or mission side wants to have an official presence on the social network site. A lot of the reflex-action block of access has been due to a feeling that they are time wasters, not needed for business - like most felt about Internet access in general not all that long ago.
(Northcutt): I know when my son was deployed to Iraq and posted an update on Facebook, it meant a lot to Kathy and me. Granted there is an OPSEC risk and soldiers must be briefed on what they can and should not say at least yearly, but near instant communication is a valuable thing. I just blogged two more interesting articles of unique uses of Twitter, jump straight to the last two paragraphs for the meat:
-https://blogs.sans.org/security-leadership/2009/06/11/business-and-social-media/
(Skoudis): The balance between the security risks and information leakage possibilities of these sites versus the morale-improving effects of giving such access is a tough one to get right. I do hope that the process of granting access to some bases is combined with security awareness campaigns for social networking sites in those same bases, as well as some pretty careful filtering and monitoring for malicious activity.
(Weatherford): The Navy and Air Force have made similar policy changes. My prediction is that in two years we won't even be having the discussion about whether social media in the workplace is acceptable or not...the train has already left the station. Are there security concerns? Of course, but we as security professionals need to address them up front and not pretend the social media movement is some kind of fad. It's not, so unless we want to find ourselves shuffled to the side of the road and marginalized, we need to avoid the hand-wringing that undermines our credibility and become solution providers. The social media train ain't stoppin'.]

Security Issues at Dulles Still Need Attention, Says DHS IG Report (June 10, 2009)

According to a report from the US Department of Homeland Security (DHS) Office of Inspector General, US Customs and Border Protection (CBP) and the Transportation Security Administration (TSA) at Dulles International Airport still need to address certain security concerns that could compromise the "confidentiality, integrity, and availability of the automated systems used to perform their mission critical activities." Both CBP and TSA have made "significant progress in improving technical security for information technology assets at Dulles;" however, the report recommends that both organizations take steps to improve "their operational controls over the physical security of their information technology (as well as their) technical controls." Some servers in use appear not to be running the most current release of operating system software.
-http://www.dhs.gov/xoig/assets/mgmtrpts/OIG_09-66_May09.pdf
-http://fcw.com/Articles/2009/06/10/Dulles-IT-security-needs-work-IG-says.aspx
[Editor's Note (Pescatore): The physical security discrepancies seem to be the highest level issues here given the real threat. ]

Survey Shows Losing Internet Connection is Strong Motivation to Stop Piracy (June 10 & 11, 2009)

Just 33 percent of people who receive warning letters would stop downloading content in violation of copyright law, according to the results of a survey from media law firm Wiggin. However, 80 percent of the respondents said they would stop pirating digital content if they thought their Internet connections would be cut off. The UK's Strategic Advisory Board for Intellectual Property estimates that seven million Internet users in the UK use filesharing networks once a week to pirate content. The UK government is expected to publish a report next week that will include "recommendations that ISPs investigate 'technical solutions' to piracy, which could involve slowing down connection speeds." The survey also found that people would be willing to pay more for various levels of content services through their ISPs.
-http://www.macworld.co.uk/news/index.cfm?newsid=26261
-http://news.bbc.co.uk/2/hi/technology/8091107.stm
[Editor's Comment (Northcutt): No joke, evidence is starting to become available that suggests the Internet has more of an attraction than television, especially for younger people:
-https://blogs.sans.org/security-leadership/2009/06/03/im-sane-yaayyyyy/
(Pescatore): Of course, if they question had been phrased "would you still download music if it meant having to change ISPs?" the survey response might have been different... ]

UPDATES AND PATCHES

Microsoft Malicious Software Removal Tool Now Detects Certain Scareware (June 9, 2009)

In addition to the 10 security bulletins released on Tuesday, Microsoft released an updated version of its Malicious Software Removal Tool so that it now detects and removes scareware known as Internet Antivirus Pro. The malware pops up a phony warning message on infected computers and claims to be scanning the machines for malware, but it really downloads software that searches for and steals FTP user names and passwords.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9134161&source=CTWNLE_nlt_dailyam_2009-06-10
-http://news.cnet.com/8301-1009_3-10261851-83.html?part=rss&subj=news&tag
=2547-1009_3-0-20
[Editor's Note (Pescatore): The Microsoft Security Intelligence Report (see
-http://go.microsoft.com/fwlink/?LinkId=147935)
shows a lot of data that comes back from the MSRT. It shows that over 25% of PCs out there have Trojans or bot clients running when MSRT is run. The numbers are tilted towards consumer and small business PCs - but those are the PCs your employees are using if you allow access from home PCs. ]

Adobe Releases First Quarterly Security Update (June 9, 2009)

Adobe's first scheduled quarterly security update arrived on June 9, 2009; it addresses 13 critical security flaws including heap overflow vulnerabilities, a stack overflow vulnerability, and a memory corruption flaw that could be exploited to execute arbitrary code.
-http://www.eweek.com/c/a/Security/Adobe-Plugs-13-Security-Holes-in-Critical-Upda
te-149623/
ISC:
-http://isc.sans.org/diary.html?storyid=6541

Apple Issues Safari 4.0 (June 8 & 9, 2009)

On Monday, June 8, Apple released Safari 4.0, an updated version of its browser that fixes more than 50 security flaws. Left unaddressed, the vulnerabilities could be exploited to execute arbitrary code, create denial-of-service conditions or steal sensitive data. In the new version of the browser, crashes caused by Flash, Shockwave or other plug-ins are sandboxed, meaning that only the plug-in will crash. Safari 4.0 is available for both Windows and Mac. ISC:
-http://isc.sans.org/diary.html?storyid=6535
-http://www.scmagazineus.com/New-Safari-40-fixes-more-than-50-vulnerabilities/art
icle/138229/
-http://download.cnet.com/8301-2007_4-10260313-12.html
-http://support.apple.com/kb/HT3613

ATTACKS & ACTIVE EXPLOITS

VAServ Denies Claim That Weak Passwords Led to Attack (June 10 & 11, 2009)

While VAServ.com maintains that the attack that wiped out more than 100,000 hosted sites was conducted by exploiting a zero-day flaw in a server virtualization application called HyperVM, postings purported to be from the attackers claim they gained access to the web hosting company's network through poorly selected passwords and server configuration. In a sad turn of events, the head of the Indian company that developed the virtualization software committed suicide, although it does not appear that the attack on VAServ had any bearing on his decision. ISC:
-http://isc.sans.org/diary.html?storyid=6532
-http://www.theregister.co.uk/2009/06/10/vaserv_follow_up/
-http://www.mxlogic.com/securitynews/identity-theft/hack-deletes-100000-websites-
software-developer-kills-self386.cfm
-http://blogs.computerworld.com/death_of_software_exec_adds_pathos_to_attack_on_w
eb_hosting_firm

T-Mobile Attack Update (June 8, 9 & 10, 2009)

T-Mobile now acknowledges that intruders were able to obtain company data, but says that the document the attackers copied does not pose a significant threat to T-Mobile customers. The company will "continue to investigate the matter and have taken additional precautionary measures to further ensure our customers' information and our systems are protected." A company spokesperson said the data were not obtained through hacking.
-http://www.scmagazineus.com/T-Mobile-confirms-hack-but-doubts-crooks-have-the-go
ods/article/138211/
-http://voices.washingtonpost.com/securityfix/2009/06/t-mobile_investigating_data
_br.html?wprss=securityfix
-http://gadgetwise.blogs.nytimes.com/2009/06/10/stolen-t-mobile-data-not-hacked-s
ays-company/
[Editor's Note (Pescatore): This one had some hoax-like aspects from the start, but finding one termite usually means you find others when you look harder.
(Schultz): It seems ironic that so many organizations that experience data security breaches so often claim that minimum damage and/or disruption has occurred long before facts become available. ]

---

**********************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/