
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XI - Issue #99

December 18, 2009


SANS 2010 (Orlando; March 6-15) just went live for registrations and offers great group rates for teams that are upgrading their security skills together. 38 hands-on, up-to-date immersion courses. More Info at:

https://www.sans.org/sans-2010/

TOP OF THE NEWS

US Military Drone Surveillance Video Intercepted
EPIC Files FTC Complaint Over Facebook Privacy Changes

THE REST OF THE WEEK'S NEWS

Eleven Sentenced to Jail For Stealing Online Gaming Account Credentials
Conficker on 6.5 Million Machines Worldwide
Conficker Infects New Zealand Hospital Computer System
Heartland Will Pay American Express US $3.6 Million to Settle Breach-Related Charges
House Ethics Committee Data Leak Prompts Security Policy Changes
Stolen Laptop Holds Military and DoD Employee Information
Facebook Sues Alleged Spammers
Adobe Will Patch Critical Reader and Acrobat Flaw in January
Mozilla Updates Firefox
Minnesota Public Radio and Reporter May Face Legal Action Over Data Access


*********************** Sponsored By Trend Micro ************************

Trend Micro Ranked #1 In Real-World Independent Testing of Endpoint Malware Protection

Conventional anti-malware testing methods don't deliver optimal protection. Get proven endpoint protection with OfficeScan.

https://www.sans.org/info/52283

*************************************************************************

TRAINING UPDATE

-- SANS Security East 2010, New Orleans, January 10-18, 2010
19 courses, bonus evening presentations: Top 7 Trends in Incident Response and Computer Forensics, Advanced Forensic Techniques and more
https://www.sans.org/security-east-2010/
-- SANS AppSec 2010, San Francisco, January 29-February 5, 2010
https://www.sans.org/appsec-2010/
-- SANS Phoenix, February 14 - February 20, 2010
https://www.sans.org/phoenix-2010/
-- SANS 2010, Orlando, March 6 - March 15, 2010
38 courses and bonus evening presentations, including Software Security Street Fighting Style
https://www.sans.org/sans-2010/
-- SANS Northern Virginia Bootcamp 2010, April 6-13
https://www.sans.org/reston-2010/
-- SANS Security West 2010, San Diego, May 7-15, 2010
https://www.sans.org/security-west-2010/
Looking for training in your own community?
https://sans.org/community/
Save on On-Demand training (30 full courses)
- See samples at https://www.sans.org/ondemand/
Plus Tokyo, Bangalore, Oslo and Dublin all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org

*************************************************************************

TOP OF THE NEWS

US Military Drone Surveillance Video Intercepted (December 17, 2009)

With the help of hackers and a USD 26 piece of software, Iraqi militants have reportedly managed to intercept live video feeds from US Predator drones. There is no evidence to indicate that the hackers or militants gained control of the unmanned aircraft, but the attack does provide them with information about where the US military is conducting surveillance. The issue was discovered in late 2008 when US military personnel found files of the intercepted surveillance on the laptop of a Shiite militant who had been apprehended. The US is reportedly working on encrypting its drone video feeds from Iran, Pakistan and Afghanistan. The vulnerability being exploited is an unencrypted download link. The US military has known about the vulnerability for more than a decade, but assumed its adversaries would not be able to exploit it.
-http://online.wsj.com/article/SB126102247889095011.html?mod=googlenews_wsj
-http://www.wired.com/dangerroom/2009/12/insurgents-intercept-drone-video-in-king-sized-security-breach/

-http://www.msnbc.msn.com/id/34465420/ns/technology_and_science-security/
Reuters reports the problem was fixed after being discovered a year ago:
-http://www.reuters.com/article/idUSTRE5BG3RM20091217
In a separate story, the US military plans to purchase additional unmanned aircraft to bolster the planned troop surge in Afghanistan.
-http://www.nextgov.com/nextgov/ng_20091217_6329.php?oref=topstory
[Editor's Note (Pescatore): This will join the Hall of Shame with many similar bad decisions about not encrypting, or weakly encrypting, in mobile environments. Back in 2006, Visa, Mastercard and Amex issued credit cards with RFID chips for "no swipe" use - and University of Massachusetts researchers found they hadn't turned on the advertised encryption. In 1999 it came out that in Windows CE Microsoft was "encrypting" the user password by simply XORing it with the word PEGASUS spelled backwards. As the talking Barbie doll said, "Encryption is *hard*..." ]

EPIC Files FTC Complaint Over Facebook Privacy Changes (December 17, 2009)

The Electronic Privacy Information Center (EPIC) has filed a formal complaint with the US Federal Trade Commission (FTC) over Facebook's recent decision to change its default privacy settings to make more information about Facebook members public; if users want to limit who can see information about them, they must make those changes manually. Facebook maintains the change is aimed at making it easier for users to control who can see their information. The complaint alleges that Facebook's changes violate consumer protection laws.
-http://www.informationweek.com/news/security/app-security/showArticle.jhtml?articleID=222002613

-http://www.msnbc.msn.com/id/34468521/ns/technology_and_science-tech_and_gadgets/
-http://www.theregister.co.uk/2009/12/17/epic_facebook_privacy_complain/
-http://bits.blogs.nytimes.com/2009/12/17/privacy-group-files-complaint-on-facebook-privacy-changes/?ref=technology

[Editor's Note (Pescatore): Facebook should get smacked around for playing games with consumers' private data. However, anyone who trusts consumer-grade services whose revenue is all from selling advertising around users' data is probably also putting out milk and cookies for a jolly man who will come down the chimney with really neat toys next week. ]


************************* Sponsored Link: ****************************

1) Participation is needed! Be a part of this year's 2010 SANS Log Management Report by completing the survey and have a chance to win a $250 AMEX Card.

Click here to complete the survey and be automatically registered.

https://www.sans.org/info/52288

***********************************************************************

THE REST OF THE WEEK'S NEWS

Eleven Sentenced to Jail For Stealing Online Gaming Account Credentials (December 16 & 17, 2009)

Chinese authorities have jailed 11 people for their roles in a scheme that aimed to steal online gaming login credentials. The group used Trojan horse programs to steal the information from five million profiles. They then sold game artifacts they accessed through the accounts, making a total of 30 million yuan (US $4.4 million). The eleven people received sentences of up to three years; the group was also fined a total of US $120,000. Dozens more people involved in the scheme are expected to be sentenced soon.
-http://www.theregister.co.uk/2009/12/17/china_jails_game_trojan_vxers/
-http://www.pcworld.com/businesscenter/article/184909/china_jails_trojan_virus_authors_in_cybercrime_crackdown.html

Conficker on 6.5 Million Machines Worldwide (December 17, 2009)

According to information from Shadowserver, one in seven computers infected with Conficker is hosted on Chinese Internet service provider (ISP) Chinanet. The ISP's infected machines account for 14 percent of all known infected machines, but make up just one percent of the company's network. Other ISPs have infection rates as high as 25 percent. Conficker has infected an estimated 6.5 million computers around the world.
-http://www.computerworld.com/s/article/9142414/Chinese_ISP_hosts_1_in_7_Conficker_infections?source=rss_security

-http://www.securityfocus.com/news/11568
-http://voices.washingtonpost.com/securityfix/
[Editor's Note (Schultz): According to the figures I have seen, Conficker has infected over 15 million computers. It is by far the most prolific worm the world has ever seen. All one has to do to prevent a Conficker infection is install patch MS08-067 or disable AutoPlay on a Windows system. ]

Conficker Infects New Zealand Hospital Computer System (December 16 & 17, 2009)

The Conficker worm is believed to be responsible for a malware infestation of the computer network at the Waikato District Health Board in New Zealand. The infection necessitated turning off all 3,000 affected PCs; the Waikato hospital laboratory is functioning at 10 percent capacity as a result. Computer technicians noticed anomalies on the network while performing a workstation upgrade. Doctors are being asked to refer only patients who need urgent care.
-http://www.nzherald.co.nz/compute/news/article.cfm?c_id=1501832&objectid=10616074

-http://www.waikatodhb.govt.nz/news/pageid/2145848174/Computer_virus_attacks_Waikato_DHB_network

Heartland Will Pay American Express US $3.6 Million to Settle Breach-Related Charges (December 17, 2009)

Heartland Payment Systems has agreed to pay American Express US $3.6 million to settle charges stemming from the 2008 Heartland data security breach. Albert Gonzalez has been charged in connection with that breach and a number of others. Because the card-issuing banks normally bear the cost of replacing compromised payment cards, Heartland is facing several suits. This is the first one that Heartland has settled. The company has also paid fines levied by Visa and MasterCard.
-http://www.computerworld.com/s/article/9142448/Heartland_pays_Amex_3.6M_over_2008_data_breach?source=rss_security

House Ethics Committee Data Leak Prompts Security Policy Changes (December 16, 2009)

US House of Representatives chief administrative officer Daniel P. Beard has recommended that legislative aides undergo new cyber security training and that the legislature take additional steps to protect sensitive data. The recommendations are the result of a six-week review prompted by the inadvertent leak of an Ethics Committee document. The new security policies will be clear in their insistence that all House data remain on House equipment, that the data must be encrypted when stored on mobile devices, and that they cannot be sent over any public system. Beard is also seeking to implement a requirement that the House's wireless Internet service be password protected. In addition, legislative employees who travel out of the country will have their wireless devices, including laptops, checked both before and after trips.
-http://www.washingtonpost.com/wp-dyn/content/article/2009/12/15/AR2009121505075_pf.html

-http://www.scmagazineus.com/us-house-to-toughen-internal-cybersecurity-policy/article/159785/

[Editor's Note (Pescatore): What they really need is a solution for letting people work securely from their home machines, since they know that is what is going to happen. There are many secure approaches available.

(Honan): Ah yes, nothing like a breach to make people sit up and take notice of security. ]

Stolen Laptop Holds Military and DoD Employee Information (December 16, 2009)

A laptop computer stolen from the home of a Fort Belvoir Family and Morale, Welfare and Recreation Command employee contains personally identifiable information of more than 42,000 US Army soldiers, US Department of Defense employees and their families. The theft occurred on November 28. The Command learned of the theft on December 1. Affected individuals will be notified of the security breach by letter.
-http://www.scmagazineus.com/thief-steals-us-army-laptop-from-employees-home/article/159875/

Facebook Sues Alleged Spammers (December 16 & 17, 2009)

Facebook has filed a lawsuit against three men and their associated companies for allegedly using phishing attacks to gain access to Facebook accounts and then using the compromised accounts to send spam. The lawsuit alleges that the defendants, Jeremi Fisher, Philip Porembski, and Ryan Shimeall, launched at least four spam attacks in the last few years. The men are facing charges under the CAN SPAM Act, the Computer Fraud and Abuse Act and California anti-fraud and anti-phishing laws.
-http://news.cnet.com/8301-27080_3-10416265-245.html?part=rss&subj=news&tag=2547-1_3-0-20

-http://www.theregister.co.uk/2009/12/17/facebook_sues_spammers/
-http://www.scmagazineus.com/facebook-sues-three-over-alleged-spam-phishing/article/159879/

Adobe Will Patch Critical Reader and Acrobat Flaw in January (December 15, 16 & 17, 2009)

A recently disclosed critical vulnerability in Adobe Reader and Adobe Acrobat has prompted recommendations that users disable JavaScript in both programs until a fix is available. The flaw is being actively exploited through maliciously crafted PDF files. The vulnerability can be exploited to crash vulnerable systems or execute code. Adobe plans to release patches for the vulnerability by January 12, 2010. The flaw affects Adobe Reader 9.2 and earlier for Windows, Mac and Unix and Acrobat 9.2 and earlier for Windows and Mac. Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=7747
-http://www.computerworld.com/s/article/9142326/Kill_JavaScript_in_Adobe_Reader_to_ward_off_zero_day_exploit_experts_urge?source=CTWNLE_nlt_pm_2009-12-15

-http://www.eweek.com/c/a/Security/Adobe-Reader-Acrobat-Security-Vulnerability-Patch-Coming-as-Attacks-Continue-637098/

-http://www.h-online.com/security/news/item/Adobe-not-planning-to-close-critical-vulnerability-in-Reader-until-January-888242.html

-http://www.theregister.co.uk/2009/12/17/adobe_critical_pdf_flaw/

Mozilla Updates Firefox (December 16, 2009)

On Tuesday, December 15, Mozilla released Firefox 3.5.6 to address several security flaws, including three critical vulnerabilities that lie in the rendering and JavaScript engines and in the liboggplay and libtheora video and media libraries. If users are unable to install the update immediately, Mozilla recommends that they disable JavaScript in Firefox until they are able to install the newest version of the browser. Mozilla also released what is likely its final update for Firefox 3.0 to address seven vulnerabilities, two critical; Mozilla plans to discontinue supporting Firefox 3.0 in January 2010. Mozilla may or may not release a fifth beta of Firefox 3.6 before its newest version of the browser ships.
-http://www.h-online.com/security/news/item/Mozilla-addresses-critical-bugs-with-Firefox-3-5-6-887006.html

-http://www.computerworld.com/s/article/9142359/Mozilla_patches_10_security_bugs_with_Firefox_3.5.6?source=CTWNLE_nlt_dailyam_2009-12-16

-http://www.mozilla.org/security/announce/
-http://www.mozilla.org/security/announce/2009/mfsa2009-65.html

Minnesota Public Radio and Reporter May Face Legal Action Over Data Access (December 15, 2009)

A Texas company is threatening to take legal action against Minnesota Public Radio (MPR) and one of its reporters after they aired a story about security problems at the company that exposed sensitive personal information. Lookout Services, which allows its customers to verify the identities of potential employees, maintains that MPR and reporter Sasha Aslanian broke the law when they accessed databases containing information for five Lookout customers, compromising the personal information of 500 people. Lookout acknowledges that its website was misconfigured in such a way as to allow unauthorized users to view customer information.
-http://www.theregister.co.uk/2009/12/15/lookout_services_security_breach/
-http://www.minnpost.com/braublog/2009/12/15/14315/texas_company_lays_out_hacking_case_against_minnesota_public_radio



**********************************************************************

The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/