SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XI - Issue #97
December 11, 2009
TOP OF THE NEWS
Judge Dismisses Shareholder Suit Against Heartland
UK ICO Launches Online Privacy Code of Practice Consultation
House Passes Electronic Data Breach Notification Bill
Germany to Tackle Botnet Infestations
THE REST OF THE WEEK'S NEWS
New SQL Injection Attack Loads Invisible iFrame
Verizon Report Details Top Cyber Attack Vectors of 2009
Microsoft Issues Six Security Bulletins, Fixes Critical IE Vulnerability
TSA Employees on Administrative Leave Following Information Leak
Gonzalez to Enter Guilty Plea in Connection with 7-Eleven, Heartland and Hannaford Breaches
Adobe Patches Seven Vulnerabilities in Flash Player
************************ Sponsored By Q1 Labs ***************************
*** FREE WEBINAR DECEMBER 15 - Stranded by Cisco? There's an alternative to MARS *** Cisco MARS has ceased expansion of support for third-party devices. Now what?
REGISTER TODAY: https://www.sans.org/info/52103
- -- SANS CDI, Washington DC, December 11-18
24 courses, bonus evening presentations, including Future Trends in Network Security
- -- SANS Security East 2010, New Orleans, January 10-18, 2010 19 courses, bonus evening presentations: Top 7 Trends in Incident Response and Computer Forensics, Advanced Forensic Techniques and more
- -- SANS AppSec 2010, San Francisco, January 29-February 5, 2010
- -- SANS Phoenix, February 14 -February 20, 2010
- -- SANS 2010, Orlando, March 6 - March 15, 2010
38 courses and bonus evening presentations, including Software Security Street Fighting Style
- -- SANS Northern Virginia Bootcamp 2010, April 6-13
Looking for training in your own community?
Save on On-Demand training (30 full courses)
- See samples at https://www.sans.org/ondemand/
Plus Tokyo, Bangalore, Oslo and Dublin all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org
TOP OF THE NEWS
Judge Dismisses Shareholder Suit Against Heartland (December 9 & 10, 2009)
A US District Court Judge has granted a motion by Heartland Payment Systems to dismiss a class-action lawsuit filed by company shareholders. The lawsuit was filed after Heartland disclosed a data security breach that compromised as many as 100 million records. The breach occurred in 2007, but was not detected until later. The suit alleged Heartland made "false and/or misleading statements and failed to disclose material adverse facts about the company's business, operations and prospects" and that the company's cyber security measures were "inadequate and ineffective." Heartland stock lost nearly 80 percent of its value following the breach disclosure. Heartland disclosed the breach in January 2009. Judge Anne Thompson said there was no evidence that Heartland executives were not "paying proper attention to
[the company's ]
[Editor's Note (Liston): The really important class action suits in this case (one by the affected cardholders, and one by the affected banks) have yet to be heard. Those two cases could potentially lead to some much needed change in the payment card industry.
(Schultz): This is a very significant ruling. The fact that Heartland Payment Systems had passed a PCI-DSS audit not all that long before the massive data security breach would in my judgment show that this company had exercised due care with respect to its security practices. Interestingly, this company's stock value plummeted after the news of the breach reached the public. The same thing has happened numerous times before. This is the kind of information that CISOs need to share with the other C-level managers of their organizations. ]
UK ICO Launches Online Privacy Code of Practice Consultation (November 10, 2009)
The UK Information Commissioner's Office (ICO) has launched a consultation for a code of practice for online privacy. The draft document asks that organizations give consumers choice and control over how their personal information is used. It describes what kind of activities the code addresses: collecting information through online application forms; creating profiles of website visitors; collecting data to use in targeted advertising; processing data with cloud computing services; and other types of profiling. The document is designed to help organizations comply with the requirements of The Data Protection Act. The European Commission recently said it would investigate the UK for the way it handled Phorm - a deep packet inspection targeted advertising company that ran trials without web users' permission or knowledge. The consultation began on December 9, 2009 and runs through March 5, 2010.
House Passes Electronic Data Breach Notification Bill (December 9 & 10, 2009)
The US House of Representatives has passed HR 2221, the Data Accountability and Trust Act, which would establish national standards and rules for notification following breaches of electronically stored personally identifiable data. Organizations would be exempt from the requirements if they discern no "reasonable risk of identity theft, fraud, or other unlawful conduct." The new standards would supersede all current state data breach notification laws. A federal law would simplify breach notification processes for organizations conducting business in multiple states. The bill now goes before the Senate.
[Editor's Note (Pescatore): The language in this bill seems more reasonable, with much less risk of a bureaucracy explosion where the cure would be worse than the problem. The FTC actually does a pretty good job at this already under existing regulations. This bill does go beyond notification and into some other needed areas like the quality of data collected and stored.
(Liston): Replacing the current patchwork of state-by-state laws would be a good thing. However, under the current version of the bill, enforcement is left to the FTC-- therefore some important data-heavy sectors (the government, financial institutions, insurance companies, non-profits, and institutions of higher education) are exempt from the rules because the FTC has no jurisdiction over these areas. This loophole raises serious questions about the value of this legislation. ]
Germany to Tackle Botnet Infestations (December 8 & 9, 2009)
The German government plans to help computer users rid their machines of botnet malware. Internet service providers (ISPs) will detect machines infected with the malware and contact users. They will be directed to a website that provides advice for cleaning and protecting computers as well as information about a cleanup helpline which is expected to have about 40 staff members. Germany currently has the third highest number of systems infected with malware.
[Editor's Note (Ullrich): Several ISPs in the US already take this "walled garden" approach with quite a bit of success. It remains to be determined how long the telephone hold will be at the helpline if they will be helping to rid all German PCs of bots.
(Honan): Most European ISPs cite EU Data Protection Laws as one of the reasons they cannot monitor end users' computers for malicious traffic. Germany has one of the toughest sets of Data Protection Laws in place. ]
************************ Sponsored Links: ****************************
1) Security Webcast
- ---5 keys to hardening security devices against increasingly sophisticated and frequently missed evasions
2) Participation is needed! Be a part of this year's 2010 SANS Log Management Report by completing the survey and have a chance to win a $250 AMEX Card. Click here to complete the survey and be automatically registered.
THE REST OF THE WEEK'S NEWS
New SQL Injection Attack Loads Invisible iFrame (December 10, 2009)
A newly-detected SQL injection attack has infected nearly 300,000 web pages with an invisible iframe that gathers malicious code from a series of web sites. The malware seeks vulnerable versions of Adobe Flash, Internet Explorer (IE) and other applications on users' computers and then installs malware that steals online banking credentials.
[Editor's Note (Ullrich): Prepared statements work. Developers who don't know about them should make sure to do so by the end of today. Security managers who want to impact this problem should help make sure the developers all know and use prepared statements.]
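The following is an added example, not part of the NewsBites issue or of any product mentioned in it, illustrating the editor's point about prepared statements. It runs the same article lookup twice against a small in-memory SQLite table constructed here: once with the request value concatenated into the SQL text (the pattern that lets an injected condition rewrite the query) and once as a bound parameter. The table, rows and input values are all constructed for the demonstration.

```python
"""Concatenated SQL versus a prepared (parameterized) statement.

Added example; the "articles" table and the inputs below are constructed
for the demonstration and do not come from the newsletter.
"""
import sqlite3

# Constructed sample data: the kind of table a page like /article?id=...
# would read from.
SAMPLE_ROWS = [
    (1, "Welcome", "<p>Hello</p>"),
    (2, "Release notes", "<p>Version 2</p>"),
]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_concatenated(conn, article_id):
    """Vulnerable form: the untrusted request value becomes part of the SQL
    text, so the database parses whatever the client sent as SQL syntax.
    An id of "1 OR 1=1" turns the WHERE clause into a tautology and the
    query returns every row."""
    sql = "SELECT id, title FROM articles WHERE id = " + article_id
    return conn.execute(sql).fetchall()


def lookup_prepared(conn, article_id):
    """Hardened form: the SQL text is fixed at development time and the
    request value travels as a bound parameter. It is compared with the id
    column as data; "1 OR 1=1" is not a number and simply matches nothing."""
    sql = "SELECT id, title FROM articles WHERE id = ?"
    return conn.execute(sql, (article_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    for value in ("1", "1 OR 1=1"):
        print(f"input {value!r}:")
        print("  concatenated ->", lookup_concatenated(db, value))
        print("  prepared     ->", lookup_prepared(db, value))
```

The point the editor makes is visible in the two function bodies: in the prepared form, the shape of the query is chosen by the developer and cannot be changed by the request, whichever characters it contains. The same separation applies to UPDATE and INSERT statements, which is where a mass page-defacement of the kind described above would otherwise take hold.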
Verizon Report Details Top Cyber Attack Vectors of 2009 (December 9 & 10, 2009)
Verizon Business's "An Anatomy of a Data Breach" report lists the top 15 most common cyber attack vectors in 2009. Topping the list are keylogging and spyware; backdoor or command and control malware; and SQL injection. Further down on the list are RAM scrapers, attacks that are designed to seek plaintext data from the random access memory of point-of-sale terminals. They have emerged in the wake of the growing use of encryption in the payment card industry. RAM scrapers are often narrowly targeted attacks because they are often "customized to work with specific vendors' POS systems."
Microsoft Issues Six Security Bulletins, Fixes Critical IE Vulnerability (December 8 & 9, 2009)
Microsoft released its last batch of patches for 2009 on Tuesday, December 8. The release comprises six security bulletins to address a dozen vulnerabilities. Three of the bulletins are rated critical and the other three are rated important. One of the critical bulletins (MS09-072) addresses a critical zero-day flaw in Internet Explorer (IE). The remaining two critical bulletins fix security issues in Windows and Microsoft Project.
TSA Employees on Administrative Leave Following Information Leak (December 9, 2009)
The US Department of Homeland Security (DHS) has put five Transportation Security Administration (TSA) employees on administrative leave following the leak of confidential information on the Internet. A manual documenting airport passenger screening procedures was posted to a government procurement website without sensitive information properly removed. The document has been removed from that site, but copies still exist. The incident is under investigation.
Gonzalez to Enter Guilty Plea in Connection with 7-Eleven, Heartland and Hannaford Breaches (December 8 & 9, 2009)
Albert Gonzalez has agreed to plead guilty to charges of breaking into computer systems at 7-Eleven, Heartland Payment Systems, and Hannaford Bros., a New England-based grocery store chain. Gonzalez has already pleaded guilty to charges in what has been called the largest known data breach case, which involved data theft from TJX Cos, BJ's Wholesale Club and other national retailers. Gonzalez is believed to be the ringleader of the attacks, which compromised an estimated 130 million payment card account numbers.
Adobe Patches Seven Vulnerabilities in Flash Player (December 9 & 10, 2009)
On Tuesday, December 8, Adobe released fixes for seven security flaws in Flash Player, six of which are rated critical. The six critical flaws affect Flash Player versions 10.0.32.18 and earlier; users are urged to upgrade to version 10.0.42.34. The updated Flash fixes memory corruption errors, a data injection flaw, and several crash vulnerabilities. Adobe also released Adobe AIR 1.5.3. In addition, sometime early next year, Adobe will discontinue support for Flash Player on Apple PowerPC-based G3 computers.
[Editor's Note (Northcutt): I think that many businesses may need to look hard at their use of Adobe products. Adobe applications like Flash are feature rich, but they are putting so much complexity into their applications they probably have a lot of vulnerabilities that have yet to be found. In the meantime, for your home Windows systems, install Secunia PSI and keep your Adobe products up to date and never do online banking or stock trading with multiple windows open. I realize these are just stopgap measures. They don't solve the root cause problem, but Band-Aids have a purpose. ]
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.
Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/