
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.


Volume XI - Issue #54

July 10, 2009


US and South Korean Sites Under Attack


Teen Indicted on Swatting-Related Charges
Author of Spamming Tools Pleads Guilty
Not Guilty Plea in Pump-and-Dump Scheme
Revised Anti-Piracy Bill Adopted in French Legislature
Talk Talk Pulls Out of Phorm Deal
Microsoft to Release Six Security Bulletins Next Week
Apple Issues Safari Update
Tagged.com Faces Lawsuit for Alleged Deceptive Marketing Practices
Certain SSNs are Relatively Easy to Guess
MasterCard Prohibits Remote Key Injection Technology in Certain Cases
Thoughts on Naming Executables By Mark Eggleston




US and South Korean Sites Under Attack; Late Data Says Attacking PCs to Self Destruct (July 8 & 9, 2009)

A variant of MyDoom is believed to be behind the distributed denial-of-service (DDoS) attacks that took down US and South Korean government, military and private industry websites last week. Some reports have speculated that North Korea may be behind the attacks, which have been described as unsophisticated and "a nuisance." Brian Krebs of the Washington Post reports that the virus that is causing PCs to attack these sites will overwrite the files (including the operating system) of the infected computers. Internet Storm Center:




[Editor's Note (Paller): This morning Korea government sources report that the files on the attacking computers are being overwritten - in a massive suicide of the bot-network. Sadly, it will be very easy to construct a new one.
(Pescatore): These attacks are just standard weather on the Internet. Imagine if a businessman decided to open up franchises housed in igloos in the countries on the equator, or chain-stores based in grass huts in the Scandinavian countries. That is the equivalent of any business that was depending on a web site that couldn't survive these attacks. The press has glommed onto the sexiness of the targets; the real story is the lack of a due-diligence level of security in those sites that were taken down.
(Guest Editor Marc Sachs): Sites like www.whitehouse.gov are distributed across hundreds (sometimes thousands) of physical locations via services like what Akamai offers. Akamai's original concept was to increase the efficiency of the Internet by pre-distributing popular content (like www.cnn.com) to points that are electrically close to potential users. The unexpected benefit of this approach is that it makes web sites immune to classic flooding attacks since you'd have to flood the content distribution servers rather than the actual FQDN. If Akamai were to go down, then the sites they service die too, but that is a different problem. In the recent DDoS, many .gov sites had outsourced the management and security of their web services. In nearly all of those cases the sites were not impacted. In other cases, where the government agency is keeping everything in house, or if they have low capacity connections to the wider Internet, or if they are outsourcing and they failed to select the "DDoS protection" from the drop-down menu when ordering services - these sites were impacted severely. To me, this is not so much a technology problem as it is a leadership and "taking responsibility" problem. The solutions for DDoS (and countless other technical security issues) are available and work well for those organizations willing to invest in them ahead of time. Crying about being victimized is an indication of how far down in the hole we are with respect to our government understanding how to protect themselves in cyberspace. It's shameful. ]





Teen Indicted on Swatting-Related Charges (July 8, 9 & 10, 2009)

16-year-old Ashton Lundeby of North Carolina has been indicted for a series of bomb threats that he allegedly turned into a money-making scheme. Lundeby and unnamed cohorts allegedly orchestrated the threats so that people could listen to the phony threat phone calls and view the law enforcement response. Lundeby allegedly targeted institutions that used web-based surveillance cameras. The group also allegedly advertised offers to phone in threats to schools for a fee. They allegedly spoofed caller ID to make the threats believable; hoax calls of this kind, placed to provoke an armed police response, are known as "swatting." The targeted institutions include Purdue University, Indiana University, the University of North Carolina and Boston College, as well as FBI offices in Louisiana and Colorado.

Author of Spamming Tools Pleads Guilty (July 7 & 8, 2009)

David S. Patton pleaded guilty to aiding and abetting violation of the CAN-SPAM Act for developing tools used by a prolific spammer, Alan Ralsky. Patton could face up to six years in prison and has agreed to forfeit more than US $50,000 he made from selling his Nexus and Proxy Scanner tools. Nexus can be used to create email messages with phony headers; Proxy Scanner, as its name suggests, locates compromised proxies through which the unsolicited email is relayed so that its true origin is hidden. Patton's case stems from a pump-and-dump scheme that was orchestrated by Alan Ralsky, who is facing a prison sentence of up to seven years.

Not Guilty Plea in Pump-and-Dump Scheme (July 7, 2009)

Jaisankar Marimuthu has pleaded not guilty to charges related to his alleged role in a pump-and-dump scheme. Marimuthu, who is from India, was extradited to the US from Hong Kong last month. Thirugnanam Ramanathan has already pleaded guilty to fraud charges in connection with the scheme; a third man, Chockalingam Ramanathan remains at large. The three allegedly broke into online brokerage accounts and created new, fraudulent accounts through which they purchased and sold stocks to manipulate their prices.


Revised Anti-Piracy Bill Adopted in French Legislature (July 9, 2009)

French legislators have adopted a revised version of a controversial Internet piracy bill. An earlier version of the bill that would have allowed a new state agency to cut off Internet access for habitual illegal downloaders was blocked due to concerns about its constitutionality. The new version grants that power to the courts. People believed to be downloading content in violation of copyright law would receive two warnings; if they persist in their activities, the case would be referred to a judge who could impose a ban on Internet access, a fine of up to 300,000 euros (US $420,600) or a two-year jail sentence. People who allow others to use their Internet connections for illegal downloading could face a 1,500 euro (US $2,100) fine and a one-month Internet suspension.


Talk Talk Pulls Out of Phorm Deal (July 8 & 9, 2009)

British Internet service provider (ISP) Talk Talk has said it will not use online targeted advertising technology from Phorm. Earlier this week, BT announced it had no immediate plans to use the technology, either. Unlike BT, Talk Talk has never run a trial of the Phorm service. "The European Commission has ... begun to take legal steps against the UK government for its failure to take action against Phorm or BT for two trials of the technology in 2006 and 2007 ... [that were] conducted ... without first gaining customers' consent."


Microsoft to Release Six Security Bulletins Next Week (July 9, 2009)

Microsoft will release six security bulletins on Tuesday, July 14. Among the vulnerabilities to be addressed are two zero-day flaws that are being actively exploited: one in DirectX's DirectShow component and the other in the Microsoft Video ActiveX Control. Both issues were disclosed in Microsoft security advisories before patches were available. Three of the six bulletins have maximum severity ratings of critical; the other three all have maximum severity ratings of important. Although reports of the attacks have surfaced only recently, Microsoft has apparently known about the DirectShow flaw for a year.




[Editor's Note (Pescatore): Since it sounds like the Microsoft Video ActiveX vulnerability that has been actively exploited will finally have a patch next week, put high priority plans on pushing this out to PCs. Also high priority, the iPhone and the iTunes software means that the Safari browser is on a lot of desktops - Apple has some patches out for that. ]

Apple Issues Safari Update (July 9, 2009)

Apple has released an updated version of its Safari web browser to address two security flaws. One is a cross-site scripting flaw; the other is a memory corruption issue that could be exploited to crash the browser or execute arbitrary code. The new version of Safari also addresses a number of stability issues. Users are urged to upgrade to Safari 4.0.2. Internet Storm Center:


Tagged.com Faces Lawsuit for Alleged Deceptive Marketing Practices (July 9 & 10, 2009)

New York Attorney General Andrew Cuomo says he plans to sue social networking site Tagged.com "for deceptive e-mail marketing practices and invasion of privacy." Tagged.com apparently accessed its members' address books and sent emails that appeared to come from the members to everyone listed inviting them to view photos posted by that member. Visitors had to join Tagged.com to see the photos, which did not exist in the first place. Tagged.com is estimated to have sent more than 60 million shady email messages; the company temporarily stopped the practice last month after receiving numerous complaints. The lawsuit will seek to block the deceptive practice and collect fines.



Certain SSNs are Relatively Easy to Guess (July 6, 7 & 8, 2009)

Researchers at Carnegie Mellon University have published findings of a study that shows some Social Security numbers (SSNs) can be guessed with astonishing accuracy given just a person's birth date and place of birth. The researchers were able to accurately guess the first five digits of a person's SSN 44 percent of the time for people born after 1988, when SSNs began to be assigned at birth. In smaller states, the success rate grew to 90 percent. While the Social Security Administration has issued a statement maintaining that "there is no foolproof method for predicting a person's SSN," a privacy expert calls the findings a "really big deal" and says, "There effectively is no way you can keep [SSNs] totally confidential."



[Editor's Note (Pescatore): Of course, surveys constantly show that most people will give their SSN out if you offer them a lollipop. ]
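Why the first five digits are guessable follows from how the Social Security Administration assigned numbers before it moved to randomized assignment in June 2011: the first three digits (the area number) depended on the state of issuance, and the middle two digits (the group number) advanced through a fixed, published sequence within each area. The following is an added example, not code from the NewsBites item or from the Carnegie Mellon study, that encodes that published group-number order and shows how a single known SSN from someone born in the same state at about the same time (the kind of anchor the researchers drew from public death records) narrows a target's first five digits to a handful of candidates. It is a simplified model of the study's method; the SSNs in it are constructed for illustration and are not real numbers.

```python
"""Pre-2011 SSA group-number issuance order and first-five-digit prediction.

Added example, not from the NewsBites item or the CMU study.  It models the
deterministic assignment scheme the SSA used before June 2011: area number
fixed per issuing state, group number advancing through a fixed sequence.
All SSNs below are constructed for illustration.
"""
from typing import List, Optional

# Within one area number, group numbers were issued in this published order:
# odd 01-09, then even 10-98, then even 02-08, then odd 11-99.
GROUP_ORDER: List[str] = (
    [f"{g:02d}" for g in range(1, 10, 2)]      # 01, 03, 05, 07, 09
    + [f"{g:02d}" for g in range(10, 99, 2)]   # 10, 12, ..., 98
    + [f"{g:02d}" for g in range(2, 9, 2)]     # 02, 04, 06, 08
    + [f"{g:02d}" for g in range(11, 100, 2)]  # 11, 13, ..., 99
)
GROUP_RANK = {g: i for i, g in enumerate(GROUP_ORDER)}  # 99 valid groups


def group_rank(group: str) -> int:
    """Position of a two-digit group number in the issuance sequence (0..98)."""
    return GROUP_RANK[group]


def next_group(group: str) -> Optional[str]:
    """Group number issued after `group` within the same area (None if last)."""
    i = GROUP_RANK[group]
    return GROUP_ORDER[i + 1] if i + 1 < len(GROUP_ORDER) else None


def candidate_prefixes(anchor_ssn: str, window: int = 1) -> List[str]:
    """First-five-digit candidates ("AAA-GG") for a target issued shortly
    after `anchor_ssn`.

    The anchor is a known SSN of someone born in the same state within days of
    the target.  Because the area is fixed per state and groups advance in the
    sequence above, the target's prefix is the anchor's group or one of the
    next `window` groups.
    """
    area, group = anchor_ssn[:3], anchor_ssn[4:6]
    i = GROUP_RANK[group]
    return [f"{area}-{g}" for g in GROUP_ORDER[i : i + window + 1]]


def guess_success_rate(anchor_ssn: str, targets: List[str], window: int = 1) -> float:
    """Fraction of `targets` whose real first five digits fall in the candidate
    set derived from `anchor_ssn`."""
    candidates = set(candidate_prefixes(anchor_ssn, window))
    hits = sum(1 for t in targets if t[:6] in candidates)
    return hits / len(targets)


# Constructed sample: one anchor and four targets, three from the same state
# and period (area 123), one from elsewhere.  Not real SSNs.
ANCHOR = "123-09-4567"
SAMPLE_TARGETS = ["123-09-0001", "123-10-2222", "123-12-3333", "987-65-4320"]

if __name__ == "__main__":
    print("groups after 98:", next_group("98"), next_group(next_group("98")))
    for w in (1, 2):
        print(f"window={w}: candidates {candidate_prefixes(ANCHOR, w)}, "
              f"hit rate {guess_success_rate(ANCHOR, SAMPLE_TARGETS, w):.2f}")
```

The point the code makes is the one the study made: the search space is not the 100,000 possibilities a five-digit prefix suggests, but the two or three groups issued around a known neighbor's number, leaving only the four-digit serial number to be attacked, which is why the researchers could then trade on online services that tolerate repeated guesses.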


MasterCard Prohibits Remote Key Injection Technology in Certain Cases (July 8 & 9, 2009)

There are unconfirmed reports that MasterCard has decided not to allow some merchants to use remote key injection (RKI) technology "to install new encryption keys on point-of-sale (POS) systems." The alternative is to install new encryption keys manually, which would consume significantly greater resources. Subsequent reports indicate that MasterCard will not allow the use of RKI technology with POS terminals that are not compliant with the Payment Card Industry Data Security Standard (PCI DSS).


[Editor's Note (Pescatore): I remember when the Slammer and Blaster worms hit ATMs running Windows, it turned out that ATMs couldn't be patched on the network - a technician had to physically visit each machine to install the patch. Yet, the malware could spread over the network. Relying on manual processes to stay ahead of threats doesn't work, but if the reality is that they want to accelerate the update to PIN Entry Device certified POS devices and will only require manual key injection for older devices, I can see why they are doing this. But, lots of pitfalls here if only MasterCard takes this approach. ]

Thoughts on Naming Executables By Mark Eggleston

A malware executable by any other name?

As part of good HIPS or endpoint protection, do you block known malware executables? For example, allowing video.exe to run in your environment is asking for trouble. A simple web search should yield the names of executables that software vendors should avoid using in their products. Nonetheless, we see more and more legitimate executables named after known malware, making it difficult to block such malware. Often other workarounds must be used to allow horribly named (but legitimate) executables.

The way I see it, if the industry can implore vendors to write secure code, getting them to name their executables intelligently certainly sounds feasible. If nothing else a good checklist item as part of good development - maybe even part of a "certified" partner criteria.
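The collision Eggleston describes is easy to reproduce. The following is an added example, not Eggleston's code or any vendor's HIPS logic: a filename blocklist built around the page's own example, video.exe, is run over a set of constructed process-launch records next to a blocklist keyed on the file's SHA-256 hash. The legitimate vendor product that happens to ship a video.exe trips the name rule but not the hash rule, and a copy of the same malware renamed to svchost.exe slips past the name rule while the hash rule still catches it. The paths, file contents and hashes are all constructed for illustration; a real agent would read the file from disk rather than carry its bytes inline.

```python
"""Name-based versus hash-based executable blocking.

Added example, not from the NewsBites column or any endpoint product.  It
shows the two failure modes of blocking by filename: false positives on
legitimate software that reuses a malware name, and misses when the malware
is simply renamed.  All paths, contents and hashes are constructed.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Launch:
    """One observed process launch: the image path and the image's bytes."""
    path: str
    content: bytes  # inline here; a real agent would read the file from disk


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def basename(path: str) -> str:
    """Case-folded final path component, accepting Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


# Rule set 1: filenames associated with known malware (the column's example).
NAME_BLOCKLIST = {"video.exe"}

# Rule set 2: content hashes of known-bad files.  The sample bytes below stand
# in for a malware binary; they are constructed, not a real sample.
MALWARE_BYTES = b"MZ\x90\x00constructed-stand-in-for-a-known-bad-video.exe"
HASH_BLOCKLIST = {sha256(MALWARE_BYTES)}


def blocked_by_name(launch: Launch) -> bool:
    return basename(launch.path) in NAME_BLOCKLIST


def blocked_by_hash(launch: Launch) -> bool:
    return sha256(launch.content) in HASH_BLOCKLIST


def evaluate(launches: List[Launch]) -> Dict[str, Tuple[bool, bool]]:
    """Map each launch path to (blocked_by_name, blocked_by_hash)."""
    return {l.path: (blocked_by_name(l), blocked_by_hash(l)) for l in launches}


def name_only_false_positives(launches: List[Launch]) -> int:
    """Launches the name rule blocks that the hash rule would have allowed."""
    return sum(1 for l in launches if blocked_by_name(l) and not blocked_by_hash(l))


def name_only_misses(launches: List[Launch]) -> int:
    """Known-bad launches (by hash) that the name rule lets through."""
    return sum(1 for l in launches if blocked_by_hash(l) and not blocked_by_name(l))


# Constructed launch records: the real malware under its usual name, the same
# bytes renamed, a legitimate vendor product that also ships a video.exe
# (ExampleVendor is a hypothetical name), and an unrelated system binary.
LEGIT_PLAYER = b"MZ\x90\x00constructed-legitimate-vendor-player"
LAUNCHES = [
    Launch(r"C:\Users\alice\AppData\Local\Temp\video.exe", MALWARE_BYTES),
    Launch(r"C:\Users\alice\AppData\Local\Temp\svchost.exe", MALWARE_BYTES),
    Launch(r"C:\Program Files\ExampleVendor\video.exe", LEGIT_PLAYER),
    Launch(r"C:\Program Files\ExampleVendor\bin\Video.EXE", LEGIT_PLAYER),
    Launch(r"C:\Windows\System32\notepad.exe", b"MZ\x90\x00constructed-notepad"),
]

if __name__ == "__main__":
    for path, (by_name, by_hash) in evaluate(LAUNCHES).items():
        print(f"{path}\n    name rule: {by_name}  hash rule: {by_hash}")
    print("false positives from name rule:", name_only_false_positives(LAUNCHES))
    print("known-bad missed by name rule:", name_only_misses(LAUNCHES))
```

Eggleston's suggestion attacks the false-positive side by asking vendors to stop choosing names that collide; the hash rule (or, in practice, a signer or publisher check) is what removes the dependency on the name altogether, and it is the form a block rule should take wherever the product supports it.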

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.

Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.

Alan Paller is director of research at the SANS Institute

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.
