Last Day: Get a 10.2" iPad (32 G), Galaxy Tab A, or Take $250 Off with OnDemand Training

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XI - Issue #72

September 11, 2009

Tuesday at noon EDT a new Top Cyber Risks report will be released summarizing current data from the largest network of intrusion prevention sensors and the largest network of vulnerability testers (millions of systems). It shows that the top two cyber risks are far more critical than previously thought, and at the same time that enterprises are acting very slowly to mitigate the risks. In fact the data show that enterprises are investing in less important risks and skimping on the important ones. This is the first time a threat report has been based on a combination of these two data sources on a global scale. Very cool because the findings are authoritative (and were vetted by the Storm Center folks and SANS' top instructors). If you have wanted to get your organization to fix the key problems, you'll find this report to be a powerful tool to move executive decision making forward. If you are a press person and want to be included in the press conference call, please email and tell me which publication.



Microsoft Issues Advisory Regarding Zero-Day SMB Vulnerability
Microsoft and Cisco Fix TCP Stack Vulnerability


Musicians Oppose UK's Plan to Cut Filesharers Off from Internet
Four Indicted in Piracy Case
Apple Releases iPhone and QuickTime Updates
Snow Leopard Update Fixes Flash Player Downgrade Issue
Firefox Update Addresses Security and Stability Issues
Guilty Plea in Phishing Case
Scientist Sued for Trade Secret Theft
Microsoft Releases Five Critical Security Bulletins
SQL Injection Flaw Exposes Carpoolers' Personal Information
Server Reliability Study

******************** Sponsored by BigFix, Inc. *************************

Staying Ahead of the Latest Endpoint Security Threats Featuring highlights from the IBM X-Force 2009 Mid-year Trend and Risk Report

Attend this session to hear highlights from the IBM X-Force 2009 Mid-year Trend and Risk Report. We'll also cover how to stay ahead of the latest endpoint security threats through:

* Unified management of endpoint security technologies
* Continuous configuration management - even for your roaming laptops
* Integrated assessment and remediation - within minutes, across your enterprise



- - SANS Network Security, San Diego Sept. 14-22; the Fall's biggest security training conference.
- - SCADA Security Summit, Stockholm, Oct. 27-30
- - SANS Chicago North Shore, Oct. 26-Nov. 2
- - SANS San Francisco, November 9-14
- - SANS CDI, Washington DC, Dec. 11-18
Looking for training in your own community?
Save on On-Demand training (30 full courses)
- See samples at
For a list of all upcoming events, on-line and live:



Microsoft Issues Advisory Regarding Zero-Day SMB Vulnerability (September 8 & 9, 2009)

Microsoft has issued an advisory regarding a zero-day flaw in Windows Vista and Windows Server 2008. The vulnerability lies in the Microsoft Server Message Block (SMB) implementation; it could be exploited to gain control of vulnerable systems. While the vulnerability does affect the release candidate version of Windows 7, the final version of Windows 7 is not affected. Microsoft is less than pleased that the vulnerability was disclosed without allowing sufficient time for the company to prepare a fix. Until a patch is available, Microsoft suggests deactivating SMB2 in the registry or blocking ports 139 and 445 as workarounds.



Microsoft and Cisco Fix TCP Stack Vulnerability (September 9, 2009)

Microsoft and Cisco have issued updates to address a vulnerability in the transmission control protocol (TCP) that could be exploited to cause denial-of-service conditions. The flaw was discovered in 2005 and made public last year. Microsoft's fix was part of its scheduled monthly security update for September. Cisco's update addresses the problem in several of the company's products. Other companies whose products are affected by the flaw are beginning to issue advisories as well. What is particularly concerning about this vulnerability is that it requires a relatively small amount of malicious traffic to exploit.


************************ Sponsored Links: ****************************

(1) Register today to get 10% off tuition on SANS vLive course SEC542, Web App Penetration Testing and Ethical Hacking, Nov. 2-Nov. 9.

Use the code @Risk542 when registering. (2) Be sure to register for the upcoming webcast: SIEM and DLP - Strength in Integration Sponsored by: RSA

(3) WEBCAST: Defending against Web 2.0 and Browser Hacks & Attacks. Can SaaS Web Security Deliver Higher Protection & Lower Cost? Keynote by Peter Firstbrook of Gartner.



Musicians Oppose UK's Plan to Cut Filesharers Off from Internet (September 10, 2009)

Members of the music industry say they "vehemently oppose" the UK's proposal to boot illegal filesharers off the Internet. The Featured Artists Coalition (FAC), which represents musicians, song writers, and producers, acknowledged that filesharing takes a bite out of their profits, but cautioned that "what's going on is a huge paradigm shift." FAC noted that filesharing can actually encourage people to buy music for themselves and attend concerts. Members are concerned that fans will become disenchanted with the music industry and say that "the sensible thing to do is to see how we can monetize all this filesharing activity."


Four Indicted in Piracy Case (September 10, 2009)

Adil R. Cassim, Bennie Glover, Matthew D. Chow and Edward L. Mohan II have been indicted on charges of conspiracy to commit copyright infringement in connection with an alleged music piracy group. The four men are allegedly members of a music sharing group known as Rapid Neurosis (RNS), which is known for making pirated music, video games, movies and software available for downloading from the Internet. Each of the men faces a maximum prison term of five years, a fine of up to US $250,000 and up to three years of supervised release. Two other alleged RNS members, Patrick L. Saunders and James A. Dockery, have already been charged with conspiracy to commit copyright infringement. Saunders pleaded guilty to the charges against him earlier this week.

Apple Releases iPhone and QuickTime Updates (September 10, 2009)

Apple has released updates for its iPhone and QuickTime player. The iPhone update fixes 10 vulnerabilities, including one that could be exploited to disrupt SMS text messaging. The update also addresses other flaws that could be exploited to expose users' Microsoft Exchange email accounts and access deleted email messages and other sensitive information. The QuickTime player update addresses four critical flaws, all of which lie in the way QuickTime handles file formats.

[Editor's Note (Schultz): As good a product as the iPhone is, it has a disproportionate number of vulnerabilities. The fact that Apple is releasing another set of updates for the iPhone is at least a good sign. ]

Snow Leopard Update Fixes Flash Player Downgrade Issue (September 10, 2009)

Apple has released an update for Mac OS X Snow Leopard to fix a problem with Flash Player. Snow Leopard was released late last month, and it was quickly noted that the new OS installed an outdated version of Adobe Flash Player. Even if users had an updated version of the program installed, Snow Leopard downgraded it to the older version. The updated version of Snow Leopard, 10.6.1, released on Thursday, September 10, updates Flash Player to version, the most recent release.


Firefox Update Addresses Security and Stability Issues (September 9 & 10, 2009)

Mozilla has released Firefox version 3.5.3 for Mac, Windows and Linux to fix several vulnerabilities and stability issues. The flaws could be exploited to execute arbitrary code, spoof URLs or cause denial-of-service. Users still running Firefox 3.0.x also need to update to version 3.0.14 to protect their machines. Mozilla pushes out the updates to users who have its automated update system enabled. The new version of Firefox also checks to see if users are running the most current versions of Adobe Flash Player.




Guilty Plea in Phishing Case (September 9, 2009)

Tien "Tim" Truong Nguyen has pleaded guilty to charges of fraud and identity theft for his role in a phishing scheme in which personal information was stolen and used to establish fraudulent Wal-Mart credit card accounts. Nguyen allegedly worked with Romanian cyber criminals, establishing phishing websites and supplying the stolen personal information that was used to create the accounts. The scheme was uncovered thanks to an anonymous tip that two of Nguyen's alleged accomplices had fraudulently obtained Wal-Mart merchandise stashed in a garage. Nguyen apparently supplied the information in exchange for methamphetamine.

[Editor's Note (Ranum): The story said he "supplied the information in exchange for Methamphetamine." There has to be a good T-shirt in that. Perhaps something about "cloud computing" but I just can't put my finger on it. ]

Scientist Sued for Trade Secret Theft (September 9, 2009)

DuPont is suing a former employee for theft of trade secrets. Hong Meng has been accused of stealing proprietary information from DuPont while employed there as a senior research scientist. Meng, who is a Chinese citizen with permanent US residence status, allegedly accepted a position at Peking University while still employed at DuPont. Shortly before he was scheduled to be transferred to a DuPont facility in China, a standard review of his hard drive revealed an "illicit connection to Peking University." The university is perceived as a research rival because both entities are working on thin computer display technology known as "organic light-emitting diode" (OLED). Information gathered from Meng's company laptop indicated that he had downloaded files pertinent to OLED technology development and copied them to an external drive.


Microsoft Releases Five Critical Security Bulletins (September 8 & 9, 2009)

Microsoft has issued five security bulletins to fix eight vulnerabilities in Windows. All five bulletins have maximum severity ratings of critical; all address flaws that could be exploited to gain access to vulnerable system with no user interaction. The flaws lie in the DHTML Editing Component ActiveX control, Windows TCP/IP, Windows Media Format, Wireless LAN AutoConfig Service, and the Jscript scripting engine.



SQL Injection Flaw Exposes Carpoolers' Personal Information (September 8, 2009)

An SQL injection vulnerability on a website used to coordinate worker carpools in Southern California is exposing site users' personally identifiable information, including names, home addresses, commuting times and some employee numbers. The website's developer was notified of the vulnerability several weeks ago, but the flaw remains active. At least one US military installation uses the website.

Server Reliability Study (September 8, 2009)

An Information Technology Intelligence Corp. (ITIC) study based on a survey of more than 400 C-level executives at a variety of companies worldwide examined data about server outages on various platforms. The study identified three levels of outages: Tier 1 outages can usually be resolved quickly; Tier 2 outages result in between 30 minutes and four hours of downtime; Tier 3 outages last longer than four hours and can result in data loss. IBM AIX UNIX running on the Power series servers garnered the highest reliability rating.


The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College,

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.

Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit