OnDemand Includes 4 Months Access to Course Content - Special Offers Available Now!

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XI - Issue #75

September 22, 2009


FCC Chair Introduces Proposed Net Neutrality Rules
Justice Dept. Review Says Einstein 2 Does Not Violate Users' Privacy


Microsoft Issues Workaround for SMB Vulnerability
Bank Suing Google to Discover Identity of Accidental eMail Recipient
Facebook Will Shutter Beacon as Part of Lawsuit Settlement
Jail Time for Test Deposit Scammer
Microsoft Files Five Suits Against Malvertisers
Malware Purveyors Monkey Around with PBS Show Site
Attackers Exploit Web Application Flaw to Hijack Yahoo Mail Accounts
Software Company Fined for Trading with the Enemy
India Wants Internet Telephony Ban
Maine Heating Company Loses US $150,000 Through Social Engineering Attack

************************ Sponsored By HP *******************************

Participate in a 24-hour live hacking challenge! Join application security experts from around the world at HP's virtual conference Sept 29-30.

Attend live and on-demand sessions, chat with experts and download the latest information on application security, cloud security, Web 2.0 and more. "HP Functionality, Performance & Security Testing in today's application realities."

Register Now.



-- SANS Chicago North Shore, Oct. 26-Nov. 2 https://www.sans.org/chicago09/
-- SCADA Security Summit, Stockholm, Oct. 27-30 https://www.sans.org/euscada09_summit/
-- SANS San Francisco, November 9-14
-- SANS Sydney, Nov.9-14
-- SANS London, UK, Nov.28-Dec. 9
-- SANS CDI, Washington DC, Dec. 11-18 https://www.sans.org/cyber-defense-initiative-2009
-- Looking for training in your own community? http://sans.org/community/
-- Save on On-Demand training (30 full courses) - See samples at https://www.sans.org/ondemand/
-- For a list of all upcoming events, on-line and live: http://www.sans.org



FCC Chair Introduces Proposed Net Neutrality Rules (September 21, 2009)

In a speech at the Brookings Institution on Monday, September 21, Federal Communications Commission (FCC) Chairman Julius Genachowski proposed a set of rules that would prohibit Internet service providers from slowing down competitors' Internet traffic on their networks. Genachowski is proposing starting the rulemaking process to codify neutrality principles introduced in 2005 while incorporating the additional proposed rules. The impact for consumers would be that providers could block access to or slow down traffic from video and phone services. Companies could potentially charge subscribers for using excessive amounts of bandwidth. Providers would also need to have transparent network management policies. The proposed rules have a broader reach than expected, as they would apply to all broadband connections, including smartphone data connections. Some providers believe that the government should not decide how they run their networks. US Senator Kay Bailey Hutchinson (R-Texas) has already introduced legislation to block net neutrality rules.



[Editor's Note (Pescatore): The old principles made it clear that ISPs could block access to or carriage of "non-lawful" content and could block devices that might "harm the network". While those are squishy term, it does provide justification for blocking access to malware sites and in-bound attacks - as long as there is an acceptable definition of "non-lawful" and "harm." ]

Justice Dept. Review Says Einstein 2 Does Not Violate Users' Privacy (September 18, 2009)

A US Justice Department (DOJ) review of Einstein 2 surveillance program concluded that the program, which monitors federal workers' Internet traffic, does not violate their privacy rights or those of the people who communicate with them. Einstein 2's purpose is to detect attacks on government networks. Employees are warned when they log in that their activity will be monitored, thereby "eliminat(ing their) legitimate expectations of privacy." A privacy advocacy group has expressed concern that the report does not go far enough into explaining how Einstein 2 works.
[Editor's Note (Pescatore): The ability of employers in the US to monitor employee Internet, and the lack of "reasonable expectations of privacy" for employees using the corporate network have long been established. ]

************************ Sponsored Links: ****************************

1) IBM Security Management & Compliance Solutions In the US nearly 114,000 regulations have been introduced since 1981. Learn more at the Service Management Resource Center.


2) WEBCAST: Defending against Web 2.0 and Browser Hacks & Attacks. Can SaaS Web Security Deliver Higher Protection & Lower Cost? Keynote by Peter Firstbrook of Gartner


3) View new Top Layer Security Intrusion Prevention System Demo and learn about Free IPS Program




Microsoft Issues Workaround for SMB Vulnerability (September 21, 2009)

Microsoft has issued a workaround to protect users from a critical vulnerability in Server Message Block (SMB) version 2. The remote code execution flaw was disclosed earlier this month. The workaround disables the network print and file sharing protocol to protect users until a fix is released. The flaw affects Microsoft Windows Vista, Windows Server 2008 and Windows 7 release candidates. The original security advisory (975497, originally issued September 7, 2009) includes a link to the workaround.


[Editor's Note (Ullrich): It is important to note that the "FixIt" released by Microsoft does not actually fix the problem. It just turns off the vulnerable feature (SMBv2). Affected systems will still be able to share files using SMBv1. ]

Bank Suing Google to Discover Identity of Accidental eMail Recipient (September 21, 2009)

A Wyoming bank is suing Google to discover the identity of a Gmail user to whom the bank accidentally sent confidential information. A Rocky Mountain Bank customer asked the bank to send loan documents to a third party, but a bank employee sent the email to the wrong Gmail address. To compound the situation, the employee also inadvertently attached a document containing sensitive information that should never have been sent at all. The attachment contained the names, addresses, tax identification or Social Security numbers (SSNs) and loan data of 1,325 businesses and individuals. Upon realizing the mistake, the employee emailed the unknown Gmail user, asking that the previous email be destroyed and that the recipient contact the bank, but no return communication has been received. The court is considering a request from the bank to issue an order requiring Google to disclose the recipient's identity.

Facebook Will Shutter Beacon as Part of Lawsuit Settlement (September 19, 2009)

Facebook will close down its Beacon advertising system as part of a settlement of a class action lawsuit. Beacon notified Facebook users' friends of their activities and purchases on other websites. The lawsuit filed just over a year ago alleged that the actions of Facebook and its Beacon affiliates violated the Electronic Communications Privacy Act, the Video Privacy Protection Act and several other laws. The settlement also mandates the establishment of a foundation to promote online privacy, safety and security. A Facebook executive noted that "the Beacon experience ... underscored how critical it is to provide extensive user control over how information is shared."


[Editor's Note (Pescatore): Unfortunately, for consumer oriented sites "extensive user control" always translates to "extensive, hard to find user controls that default to lack of user control unless the user is really, really, really motivated." All the consumer-oriented sides need to take advantage of user data to justify high enough advertising rates to have any chance of ever making a profit. ]

Jail Time for Test Deposit Scammer (September 18, 2009)

Michael Largent, 22, of Plumas Lake, CA, was sentenced to 15 months in prison for an online brokerage scam that netted him US $50,000. Largent opened thousands of accounts with phony information to take advantage of the brokerages' practice of making very small deposits of between $0.01 and US $2 in customers' accounts to test their validity. Largent was also ordered to pay US $200,000 in restitution to the banks he defrauded.

Microsoft Files Five Suits Against Malvertisers (September 17 & 18, 2009)

Microsoft has filed five civil lawsuits against alleged malvertisers, entities that use maliciously crafted advertisements to spread malware. The lawsuits allege that the defendants sent malware that appeared to be legitimate advertisements over Microsoft's AdCenter network. The malware, known as scareware, tells users their computers are infected with malware and directs them to sites where they can purchase products that will purportedly remove the malicious software. The lawsuits have been filed against John Does; Microsoft hopes to use subpoenas to uncover the identities of those responsible for the malware.




Malware Purveyors Monkey Around with PBS Show Site (September 18, 2009)

The PBS.org website says it has fixed a security problem that allowed attackers to compromise the website for the Curious George television show and possibly serve malware to site visitors. The site popped up a phony authentication page; when the login failed, an error page containing malicious JavaScript was served. The attack targeted vulnerabilities in Adobe Acrobat Reader, Apple QuickTime and other.



Attackers Exploit Web Application Flaw to Hijack Yahoo Mail Accounts (September 18, 2009)

Attackers are exploiting a known vulnerability in Yahoo's network to launch brute force attacks against users' Yahoo mail accounts. The attackers are using hijacked mail accounts to send spam. The main Yahoo login page has mechanisms in place that protect accounts from brute force attacks, but the recent attacks have been exploiting a web application that automates the authentication process and does not have the attack protection in place.


[Editor's Note (Ullrich): The attackers are taking advantage of an all too common flaw. The web application will block repeat login attempts using CAPTCHAS, while the web service does not implement similar protections. ]

Software Company Fined for Trading with the Enemy (September 17, 2009)

A Colorado software company has been fined US $14,500 for selling oil and gas exploration software to a company that intended to use it for exploration in Cuban waters. The company pleaded guilty to trading with the enemy. The US has had a trade embargo against Cuba since the 1960s. The software was purchased by a Spanish company. An employee from the Spanish firm arrived in Colorado with data to be used in training. Platte River Associates president Jay Leonard has been sentenced to 12 months of supervised release on an unrelated charge of unauthorized access of a protected computer.


India Wants Internet Telephony Ban (September 17, 2009)

Indian security officials are calling for a ban on international Internet telephony until they have the capability to trace calls on such systems. The move comes in response to the November 2008 attacks in Mumbai in which 166 people were killed. The attackers used satellite phones and Internet telephony to communicate with each other.

Maine Heating Company Loses US $150,000 Through Social Engineering Attack (September 15, 2009)

Downeast Energy and Building Supply in Brunswick, Maine has notified 800 of its customers that some of their sensitive information was compromised in a security breach. The breach affected customers who had signed up for the company's checking account electronic payment option. A company employee received what was apparently a spear phishing message that appeared to come from the company's bank. After clicking on the provided link, the employee entered the company's account access credentials, which the attackers then used to steal US $150,000 from the company's account. Downeast Energy views the incident as "the result of human error," not a computer security problem.
[Editor's Note (Schultz): Regardless of whether Downeast Energy and Building Supply's claim is truthful, this incident once again highlights the disproportionate amount of risk that human error introduces. Numerous studies show that financial loss due to human error is far greater than loss due to security-related risk, yet organizations too often devote few resources to mitigating error-related risk.

(Honan); Sorry Downeast Energy but staff not trained to identify phishing emails or verify source of unsolicited communications before responding IS a security problem and not just "the result of human error." ]

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.

Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/