
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XI - Issue #71

September 08, 2009

FLASH: The Internet Storm Center reported a new Windows zero-day vulnerability early this morning. This is a critical vulnerability, even without code execution. A single packet can remotely shut down a Windows host.


The top of the news this week has three stories about useful resources.

Corrected Update on the European SCADA Security Summit (Stockholm October 27-30): Real-world case studies of smart metering and virtualization in control systems have just been added, with insights into the security repercussions of both. Also the US Department of Homeland Security Control Systems Security Program is offering free courses and tools. Info and registration at




Security Company in China Will Make Gigantic Malware Database Available
Apache Issues Incident Report About Recent Attack to Others
H1N1 Pandemic Preparedness Papers from SANS Technology Institute degree Candidates


Oracle Quarterly Patch Update Delayed One Week; Adobe's Delayed One Month
Chinese News Sites Requiring Commenters to Log On With True Identities
Older Versions of WordPress Blogging Software Vulnerable to Worm Attack
Amazon Offers to Restore Animal Farm and 1984 to Kindle Users' Devices
Some Web Monitoring Software Collects and Sells Chat Contents
Australian Man Will be Tried for Cyber Crimes
Infected USB Drive Wreaks Havoc on London Area Council IT Systems
Apple Releases Java Update
Canadian Privacy Commissioner Wants Bell Canada to be Forthright About Data Collection



--- SANS Network Security, San Diego Sept. 14-22; the Fall's biggest security training conference.
--- SCADA Security Summit, Stockholm, Oct. 27-30
--- SANS Chicago North Shore, Oct. 26-Nov. 2
--- SANS San Francisco, November 9-14
--- SANS CDI, Washington DC, Dec. 11-18
Looking for training in your own community?
Save on On-Demand training (30 full courses) - See samples at: https://www.sans.org/ondemand/
For a list of all upcoming events, on-line and live:



Security Company in China Will Make Gigantic Malware Database Available to Others

KnownSec, a Chinese security company, has developed a gigantic database containing information about malware and malware infections in China and will make it available to others. The data are gathered by a crawler that visits almost two million sites each day. KnownSec keeps a history of events that occur at each site, a list of all infected sites at any time, and information about each virus and worm that is discovered. CEO Zhao Wei has announced that KnownSec will share information in this database with incident response teams.

Apache Issues Incident Report About Recent Attack (August 28 & September 3, 2009)

Administrators at Apache Software Foundation have posted a detailed account of a security breach that forced them to temporarily shut down their website. The attackers gained root access to a particular server and destroyed logs, so the admins had to piece together what happened from other evidence. The attackers appear to have gained access to the server by exploiting a known vulnerability in the Linux kernel; the flaw was addressed in a recent release, but it had not yet been applied to this server. The incident report indicates that among the problems the incident illuminated were that SSH keys were not appropriately restricted and bad data backup procedures were being used. Among the practices that worked well were "redundant services in two locations allow(ing them) to run services from an alternate location" and "a non-uniform set of compromised machines (that) made it difficult for the attackers to escalate privileges on multiple machines." As a result of the intrusion, Apache plans to generate new keys with a minimum length of 4096 bits for hosts and also possibly to introduce centralized logging.
[Editor's Note (Ullrich and Honan): This is an excellent analysis of how the attack happened and how other systems can be used by attackers to target your core systems. Thanks Apache. We wish we would see more reports like this to be able to learn from others' experiences. ]
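Two of the lessons in the Apache report, SSH keys without restrictions and the move to a 4096-bit minimum, can be turned into a routine check. The Python audit of an authorized_keys file below is an added example written for this item, not Apache's own tooling; the sample file and its dummy key blobs are constructed here, and the key types it recognises are only those listed in KEY_TYPES.

```python
import base64
import struct

MIN_RSA_BITS = 4096  # the minimum Apache said it would adopt after the incident
RESTRICTING = ("from=", "command=", "restrict", "no-port-forwarding", "no-pty")
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384")

def ssh_string(b):  # length-prefixed string, SSH public-key wire format
    return struct.pack(">I", len(b)) + b
def mpint(n):  # SSH mpint: big-endian, leading 0x00 when the high bit is set
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))
def read_string(blob, off):  # inverse of ssh_string; returns (value, next offset)
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def rsa_modulus_bits(b64):  # modulus size of an ssh-rsa blob, None for other types
    blob = base64.b64decode(b64)
    kind, off = read_string(blob, 0)
    if kind != b"ssh-rsa":
        return None
    _e, off = read_string(blob, off)  # public exponent, skipped
    return int.from_bytes(read_string(blob, off)[0], "big").bit_length()

def audit_line(line):  # findings for one authorized_keys line; [] means it passes
    parts = line.split()
    idx = next((i for i, tok in enumerate(parts) if tok in KEY_TYPES), None)
    if idx is None or idx + 1 >= len(parts):
        return ["unparseable line"]
    options, ktype, b64 = " ".join(parts[:idx]), parts[idx], parts[idx + 1]
    findings = []
    if not any(opt in options for opt in RESTRICTING):
        findings.append("no source/command restriction")
    bits = rsa_modulus_bits(b64) if ktype == "ssh-rsa" else None
    if bits is not None and bits < MIN_RSA_BITS:
        findings.append(f"rsa modulus {bits} bits < {MIN_RSA_BITS}")
    return findings

def audit(text):  # map each key's comment field to its findings; skip blank and # lines
    return {ln.split()[-1]: audit_line(ln) for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}

def fake_rsa(bits):  # constructed ssh-rsa blob with a dummy modulus, not a real key
    blob = ssh_string(b"ssh-rsa") + mpint(65537) + mpint((1 << (bits - 1)) | 1)
    return base64.b64encode(blob).decode()

SAMPLE = "\n".join([  # constructed sample: one unrestricted 2048-bit key, two restricted 4096-bit keys
    f"ssh-rsa {fake_rsa(2048)} deploy@build",
    f'from="10.0.0.0/8",command="/usr/bin/rsync --server" ssh-rsa {fake_rsa(4096)} backup@mirror',
    f"restrict,no-pty ssh-rsa {fake_rsa(4096)} ci@runner",
])
```

Running `audit(SAMPLE)` flags only the deploy key, for both missing restrictions and a 2048-bit modulus.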

H1N1 Pandemic Preparedness Papers from SANS Technology Institute degree Candidates

If you are trying to decide how prepared you and your IT systems are for an H1N1 pandemic, you'll want to read the mini-thesis submitted by Jim Beechey and Rob VandenBrink as part of their candidacy for Master of Science in Security Engineering at the SANS Technology Institute. It's really well done and has an associated PowerPoint presentation you will find useful for educating others.

************************ Sponsored Links: ****************************

1) Be sure to register NOW for the Tool Talk Webcast: SIEM and DLP - Strength in Integration.


2) ***NEW*** SANS Free Vendor Audio Casts! Visit the SANS Reading Room

https://www.sans.org/info/48177 and click on the Free Vendor Audio Casts link.

Here is just one of the Audio Casts you can download:
Carlos Solari, former White House CIO, Featured on Application Security MythBusters Series.



Oracle Quarterly Patch Update Delayed One Week; Adobe's Delayed One Month (September 3 & , 2009)

Oracle has said its scheduled quarterly patch releases slated for October 13 will be delayed. Oracle's delay is due to the OpenWorld 2009 Oracle conference, which runs from October 11 to October 15; sticking with the October 13 release date would mean that administrators would have to choose between attending the conference and installing the updates in a timely manner. Oracle will issue the Critical Patch Update (CPU) on October 20. Adobe plans to delay its scheduled September 8 security update by a month due to the need to address the vulnerabilities in Microsoft's Active Template Library (ATL); the update for Adobe Acrobat and Reader currently appears to be on track for release on October 13.


Chinese News Sites Requiring Commenters to Log On With True Identities (September 6, 2009)

Computer users wishing to make comments on Chinese news websites must log on with their real names and identification numbers; the sites have imposed the requirement to meet a confidential directive from China's State Council Information Office. Previously, users could log in to most news sites anonymously; sites still screened posts and users could be traced through IP addresses associated with their comments. Chinese authorities maintain the change will foster increased "social responsibility" and "civility;" however, news stories about the requirement have been repressed.

[Editor's Note (Northcutt): This seems reasonable to me. We are learning that the new world of "every person is a journalist" needs to come with a sense of responsibility for the words that we post. There are certainly places where anonymous posting needs to be possible, but not necessarily news outlets. ]

Older Versions of WordPress Blogging Software Vulnerable to Worm Attack (September 5 & 7, 2009)

Bloggers using older versions of WordPress blogging software are urged to upgrade to version 2.8.4 as soon as possible to protect them from a worm. The malware has been exploiting a known and patched vulnerability to put comment spam and links to malware on users' blogs. One user who fell prey to the worm lost two months worth of blog entries. The two most recent releases of WordPress, issued on August 3 and August 12, are not vulnerable to the worm.


[Editor's Note (Ullrich): WordPress is not alone. Web applications like WordPress continue to be a problem. Patching them is frequently hard as they are not covered by regular operating system patch protocols. Finding solutions to inventory and patch them is critical. ]

Amazon Offers to Restore Animal Farm and 1984 to Kindle Users' Devices (September 5, 2009)

Amazon is offering Kindle owners whose copies of Animal Farm and 1984 were removed from their devices without notice earlier this summer the choice of having the books restored or being issued a US $30 credit. Amazon deleted the books from users' devices after it learned that the entity making the editions available did not possess the rights to the works. Amazon chief Jeff Bezos apologized for the way the matter was handled in July, calling it "stupid, thoughtless, and painfully out of line with our principles."

[Editor's Note (Northcutt): Amazon demonstrated a powerful form of censorship. You can buy the book, Amazon can take the book from you at any time. They can track which books you buy, which books you read, what page you are on. Kindle all you like my friends, I am sitting this one out.]

Some Web Monitoring Software Collects and Sells Chat Contents (September 4, 2009)

Certain web monitoring software is collecting the contents of users' chats and selling the data to companies that use it to fine tune their marketing strategies. The software in question is called Sentry and FamilySafe; it is developed by EchoMatrix Inc. While the company allows families that do not want their children's data collected to opt out of the arrangement, that choice is not part of the agreement that accompanies the program when it is downloaded; users must visit the company web site to select that option.

Australian Man Will be Tried for Cyber Crimes (September 4, 2009)

An Australian man has been charged with numerous offenses in connection with allegedly compromising thousands of computers around the world with malware designed to steal financial account information. Anthony Scott Harrison was in the Adelaide Magistrates Court last week, where prosecutors asked for several months to gather evidence in the case against him. Harrison faces four counts of modifying computer data to cause harm or inconvenience, two counts of possession or control of data to commit serious computer offenses, and one count of dishonestly manipulating a machine for benefit, all related to the alleged computer crimes.

Infected USB Drive Wreaks Havoc on London Area Council IT Systems (September 4, 2009)

One infected USB drive cost the Ealing Council more than GBP 500,000 (US $817,000) in lost revenue and repairs. The drive appears to have been infected with Conficker, which exploited a Windows Autorun vulnerability on the council's Windows 2000 machines and spread throughout the council's IT systems. The infection occurred in May and took days to clean up. During that time, the council lost an estimated GBP 90,000 (US $147,000) from parking tickets it was unable to process and an estimated GBP 25,000 (US $40,850) in library fines and fees.

[Editor's Note (Pescatore): For this to happen in May 2009, a lot of patches had to be ignored. This proves that even if you are running oooold Windows operating systems, if you don't patch you will pay.

(Northcutt): UK friends, I need help. In our Security Leadership Essentials class we talk about the importance of a smoking gun, proof that infosec is important and saves money. If you have evidence this event changes the behavior of the Ealing Council going forward, I would love to hear from you, stephen@sans.edu ]

Apple Releases Java Update (September 3 & 4, 2009)

Apple has released a security update to address vulnerabilities in Java for Apple that could be exploited to elevate privileges, execute arbitrary code, or terminate applications. The update applies to Apple's Leopard OS, Mac OS X 10.5. The problems are already addressed in version 10.6, which was released last week.




Canadian Privacy Commissioner Wants Bell Canada to be Forthright About Data Collection (September 3, 2009)

Canada's Privacy Commissioner Jennifer Stoddart is demanding that Bell Canada inform all of its subscribers that in the process of managing Internet traffic, it collects some identifying information. Earlier this year, Stoddart found that Bell's use of deep packet inspection technology does not comply with the Personal Information Protection and Electronic Documents Act (PIPEDA). Bell collects the Internet protocol (IP) addresses associated with subscribers' computers. While the numbers themselves do not identify individual users, they can be traced to a user ID. Stoddart determined that IP addresses are personal information. Bell Canada uses DPI technology to identify peer-to-peer (P2P) headers on Internet traffic and slow it down.

[Editor's Note (Honan): In 2008 the European Union's Working Group 11 on Data Privacy also stated that an IP address should be regarded as personal information. ]

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.

Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/