
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XI - Issue #93

November 24, 2009

The CAG list of "User Vetted Tools for Automating the 20 Critical Controls" is now available at


If you know of a tool not on the list, that actually works effectively for automating any of the controls, please email cag@sans.org by December 15. The new CAG has metrics and tests and maps to the NIST guidelines - very cool:


The next step in the 20 critical controls is a nationwide consensus on the specifications needed for buying best of breed automation for each of the controls. We have drafts for Control 1 (Inventory) and Control 10 (Continuous vulnerability assessment). If you are (really) knowledgeable on either, please email cag@sans.org to ask for one or both drafts and add your input.



Attacks Against Defense Dept. Systems On the Rise
Pump-and-Dump Spammers Sentenced to Prison
Climate Research Documents Stolen and Posted to Internet


Cross-Site Scripting Flaw in IE 8
Zero-Day Flaw in Internet Explorer 6 and 7
iPhone Worm Steals Banking Data, Enlists Devices in Botnet
Hancock Fabrics Customers Reporting ATM Fraud
Opera Releases Updated Browser
Accident Victim Data Leaked From Las Vegas Hospital



Attacks Against Defense Dept. Systems On the Rise (November 20 & 23, 2009)

According to the US-China Economic and Security Review Commission's annual report to Congress, US Defense Department (DoD) computer systems have been the target of cyber incidents 43,785 times in the first half of 2009; if the trend continues, cyber attacks against DoD systems will increase 60 percent over last year. The data regarding the attacks were provided by the US Strategic Command. The report says that a "large body of both circumstantial and forensic evidence strongly indicates Chinese state involvement in" the attacks. A Chinese Foreign Ministry spokesperson has said the report "is full of bias and has ulterior motives."




Pump-and-Dump Spammers Sentenced to Prison (November 23, 2009)

A US District judge in Detroit today handed down prison sentences ranging from 32 months to 51 months to four men involved in a spamming stock fraud scheme. Alan M. Ralsky and his co-conspirators, Scott Bradley, How Wai John Hui, and John S. Brown, orchestrated a pump-and-dump scheme in which they manipulated stock prices by sending out fraudulent emails. The scheme reportedly netted US $2.7 million.

Climate Research Documents Stolen and Posted to Internet (November 20 & 21, 2009)

Attackers broke into computers at the Climatic Research Unit of the University of East Anglia in Britain and stole thousands of emails and other documents which they then posted to the Internet. Global warming skeptics say the documents support the notion that researchers have been skewing data to make the situation seem more ominous than it is. Researchers maintain that the information is being taken out of context.







Cross-Site Scripting Flaw in IE 8 (November 23, 2009)

A cross-site scripting (XSS) vulnerability can be exploited to allow attacks on web pages that are otherwise safe. The vulnerability lies in an XSS filter that Microsoft developers added to IE 8 to help prevent XSS attacks; the filter itself can be abused to introduce XSS into pages that would not otherwise be vulnerable. There is a way for webmasters to override the filter for their own pages if they are concerned about the flaw being exploited.

Zero-Day Flaw in Internet Explorer 6 and 7 (November 22 & 23, 2009)

Microsoft has acknowledged the existence of a zero-day flaw in older versions of Internet Explorer (IE). Proof-of-concept exploit code for the vulnerability has been posted to the Internet; an attack could crash vulnerable systems or allow arbitrary code execution. The problem lies in the way the browser handles Cascading Style Sheet (CSS) information. Until a patch is available, users are encouraged to disable JavaScript, make sure their antivirus signatures are current, and visit only trusted websites. Upgrading to IE 8 could also help protect users' machines from this attack.






iPhone Worm Steals Banking Data, Enlists Devices in Botnet (November 23, 2009)

A worm targeting jailbroken iPhones is designed to steal online banking login credentials. (A jailbroken iPhone is one that has been altered so that it can run applications that have not been approved by Apple.) The worm changes the infected iPhone's root password and then connects to a command-and-control server in Lithuania to download additional files and data and to send back stolen information. iPhones infected with the worm also become part of a botnet.




[Editor's Comment (Northcutt): I think we are all going to need to pay more attention to smart phone/PDA security and iPhone security in particular. What is the risk of someone getting access to your list of contacts? iPhone users are going to need a "plan B", because this is only going to get worse. Hopefully someone will put an endpoint whitelist solution in the iPhone app store soon. In the meantime, consider getting a second cell phone that is SIM compatible with your iPhone for high risk periods.]

Hancock Fabrics Customers Reporting ATM Fraud (November 23, 2009)

A rash of fraudulent ATM withdrawals is believed to be connected to victims' previous transactions at Hancock Fabrics stores in California, Wisconsin and Missouri. At least one of the stores had recently replaced its point-of-sale machines.

New Version of Opera Browser Addresses Serious Security Issue (November 23, 2009)

Opera has released version 10.10 of its flagship browser to address a known heap buffer overflow vulnerability that could be exploited to crash vulnerable systems and execute arbitrary code. The flaw has already been patched in Chrome, Firefox and SeaMonkey. The underlying problem is a format string vulnerability in third-party implementations of the dtoa C function, which is used for string-to-number conversions. Opera 10.10 also fixes two other flaws. Users are urged to upgrade as soon as possible.


Accident Victim Data Leaked From Las Vegas Hospital (November 21, 2009)

The FBI is looking into an alleged breach of privacy law at University Medical Center in Las Vegas, Nevada. Officials have recently learned that an employee allegedly leaked confidential patient data, including Social Security numbers (SSNs), billing data and descriptions of injuries. One news report alleges that the information has been sold. The breach could be a violation of the Health Insurance Portability and Accountability Act (HIPAA).


The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.

Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/