
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XII - Issue #3

January 12, 2010


Really useful security meeting coming up in early February: Application Security Summit in San Francisco February 4-5. Focusing on the new attack vectors that will do the most damage in 2010, PCI Compliance in application security, which tools actually work, more, plus the new Secure Coding in .NET class along with Secure coding in JAVA and PHP and Web Penetration Testing and Web Defense. http://www.sans.org/appsec-2010/summit.php

TOP OF THE NEWS

Judge Says RealDVD is "Almost Certainly Illegal"
Full Body Scanners Used by TSA Present Privacy Concerns
Heartland and Visa Reach Settlement

THE REST OF THE WEEK'S NEWS

South Korean Military to Ban USB Drives
USB Flaws Prompt NIST Review of Cryptographic Module Certification Process
Incident Handling Certification Now The Top For Premium Security Pay
Questionable Applications Removed From Android Marketplace
Facebook Group Page Has Links to Malware-Laced Sites
Oracle's Critical Patch Update Will Offer 24 Fixes
Proof-of-Concept Code Posted for Mac OS X Flaw
Panel Questions FCC's Authority to Enforce Net Neutrality
Wide-Reaching Spear Phishing Campaign Claims to be Outlook Alert


******************** Sponsored By AccelOps ********************************

AccelOps is offering a Competitive Upgrade Package exclusively for Cisco CS-MARS security appliance customers and resellers seeking greater SIEM functionality, interoperability and investment protection. Upgrade to AccelOps at your current MARS maintenance fee and receive a full year of maintenance & support. Learn about AccelOps SIEM 2.0 and obtain your Free "SOC/NOC Convergence" report by Spire Research.
https://www.sans.org/info/53263

*************************************************************************

TRAINING UPDATE

- -- SANS AppSec 2010, San Francisco, January 29-February 5, 2010
https://www.sans.org/appsec-2010/
- -- SANS Phoenix, February 14 -February 20, 2010
https://www.sans.org/phoenix-2010/
- -- SANS 2010, Orlando, March 6 - March 15, 2010; 38 courses and bonus evening presentations, including Software Security Street Fighting Style
https://www.sans.org/sans-2010/
- -- SANS Northern Virginia Bootcamp 2010, April 6-13
https://www.sans.org/reston-2010/
- -- SANS Security West, San Diego, May 7-15, 2010; 23 courses and bonus evening presentations
https://www.sans.org/security-west-2010/
Looking for training in your own community? https://sans.org/community/
Save on On-Demand training (30 full courses) - See samples at https://www.sans.org/ondemand/spring09.php
Plus Tokyo, Bangalore, Oslo and Dublin all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org

*************************************************************************

TOP OF THE NEWS

Judge Says RealDVD is "Almost Certainly Illegal" (January 11, 2010)

US District Judge Marilyn Patel has rejected RealNetworks' argument that the Motion Picture Association of America (MPAA) is a "price-fixing cartel" that prevents the distribution of products capable of decrypting DVDs. RealNetworks made the argument in an attempt to convince the judge to lift a distribution ban on its RealDVD software, which allows users to copy DVDs to their hard drives. The MPAA and other plaintiffs brought the suit against RealNetworks more than a year ago, alleging that the RealDVD software is illegal because it circumvents legitimate copyright protection technology. In rejecting RealNetworks' claim, Judge Patel wrote that its "purported injury stems from its own decision to manufacture and traffic in a device that is almost certainly illegal under the DMCA (Digital Millennium Copyright Act)." The US legal system has never directly addressed consumers' rights to make copies of DVDs they purchase legitimately; the court cases have focused instead on the technology developers and purveyors.
-http://www.wired.com/threatlevel/2010/01/judge-slams-mpaa-cartel-allegations/

Full Body Scanners Used by TSA Present Privacy Concerns (January 11, 2010)

According to documents obtained by the Electronic Privacy Information Center (EPIC) under a Freedom of Information Act (FOIA) lawsuit, the full body scanners currently being used by the Transportation Security Administration (TSA) are capable of retaining and transmitting images. The documents indicate that the Windows XP-based machines may be vulnerable to tampering. According to the Department of Homeland Security (DHS) website, the machines are delivered to airports without the ability to store, print or transmit images. The ability to store and send images was reportedly enabled only during the machines' testing period. The scanners are not connected to each other, nor are they connected to the Internet. The machines are currently used in about 20 airports nationwide; the TSA plans to deploy them at all major airports.
-http://www.computerworld.com/s/article/9143838/Documents_refute_TSA_privacy_claims_on__body_scanners_group_says
-http://www.wired.com/threatlevel/2010/01/airport-scannersbody_scanners_group_says?source=rss_security


[Editor's Note (Pescatore): This issue is sort of similar to voting machines: the review of the security of the system should be done in the open to enable wide trust of the technology.

(Honan): The proposed use of these scanners is raising a lot of concerns within Europe, not only from the privacy point of view:
-http://news.bbc.co.uk/2/hi/europe/8446604.stm
Indeed, the incoming EU Justice Affairs Commissioner, Viviane Reding, says "our citizens are not objects. They are human beings."
-http://www.nytimes.com/aponline/2010/01/12/world/AP-EU-Privacy.html?_r=2
Also, during trials of the scanners at Manchester airport in the UK it was discovered that the scanners may be in breach of child protection laws. That trial only went ahead once assurances were given that those under 18 would be exempt from the full body scanners.
-http://www.telegraph.co.uk/news/uknews/terrorism-in-the-uk/6933898/Full-body-scanners-may-break-child-pornography-laws.html
-http://www.guardian.co.uk/politics/2010/jan/04/new-scanners-child-porn-laws]

Heartland and Visa Reach Settlement (January 8 & 9, 2010)

Heartland Payment Systems will pay up to US $60 million to Visa payment card issuers affected by Heartland's 2008 data security breach. The Visa settlement will go into effect once 80 percent of affected card issuers accept it. By agreeing to the terms of the settlement, the card issuers release Heartland and Visa from future liability. Heartland reached a similar deal with American Express last month. Several people implicated in the breach, including alleged ringleader Albert Gonzalez, have been charged.
-http://www.computerworld.com/s/article/9143480/Heartland_to_pay_up_to_60M_to_Visa_over_breach?source=rss_security
-http://www.v3.co.uk/v3/news/2255864/heartland-60m-settlement-visa
-http://www.scmagazineus.com/heartland-settles-with-visa-funds-to-go-to-issuing-banks/article/160943/



******************** Stephen Northcutt is teaching leadership online ********************************

Stephen Northcutt is teaching leadership online
February 16 - 18, 2010

This is the course I wish I had taken 30 years ago. Folks, it doesn't make sense to wait till you are in a management position to focus on your management and leadership skills. Leadership is a race of endurance, not a sprint; you want to start early and be persistent. If you can improve one or two percent in a year, that is a major achievement. This course will set you on the path. It is a solid blend of tons of research as well as personal experience from a number of leaders in information security.

https://www.sans.org/vlive/details.php?nid=21223

**********************************************************************

THE REST OF THE WEEK'S NEWS

South Korean Military to Ban USB Drives (January 11, 2010)

The South Korean military says it will ban the use of USB drives. It is building a new data transfer system; once that system is complete, use of USB drives will no longer be permitted. The decision comes in the wake of attempts to infiltrate South Korean military computer systems. Last year, information about a joint South Korea/US military contingency plan was compromised through the use of a portable storage device.
-http://gcn.com/articles/2010/01/11/korea-bans-flash-drives.aspx

[Editor's Note (Ullrich): Data sharing is always a question of trust. If you can't trust the origin of the data, or the origin of the devices used to share the data, the transfer mechanism doesn't matter. ]

USB Flaws Prompt NIST Review of Cryptographic Module Certification Process (January 8 & 11, 2010)

The National Institute of Standards and Technology (NIST) is investigating security flaws in several brands of USB drives that were thought to be secure. The vulnerability can reportedly be exploited to allow attackers to read data on drives protected by the 256-bit Advanced Encryption Standard. The vulnerabilities lie not in the cryptographic module, but in the software that authorizes decryption. NIST will be considering whether it should make changes to its validation process, as the USB drives in question all met the criteria. SanDisk, Verbatim and Kingston, the three companies that acknowledged the vulnerabilities in their devices, have issued fixes for the problem.
-http://isc.sans.org/diary.html?storyid=7894
-http://www.securityfocus.com/brief/1058
-http://gcn.com/articles/2010/01/11/usb-vulnerabilities.aspx
-http://www.computerworld.com/s/article/9143504/More_flash_drive_firms_warn_of_security_flaw_NIST_investigates?source=rss_security
-https://blogs.sans.org/appsecstreetfighter/2010/01/07/client-side-input-validation-is-evil/


[Editor's Note (Ullrich): The USB flaw disclosure misses an important detail. The reliance on software to unlock the key was only part of the problem. The (maybe worse) fact is that all USB devices of this type use one and the same key to encrypt data. It is not clear what people who exchange these USB devices will receive. Maybe a set of new devices that will again all have the same, but different, key? ]
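An added illustration of the two designs this story and the editor's note contrast; this is not code from the article, from NIST or from any of the vendors named. It models the flawed pattern (a fixed per-model key, released only after a password comparison performed in host software) beside the hardened one (a key derived from the password and a per-unit salt). The HMAC-SHA256 counter-mode cipher is a stdlib stand-in for the drives' AES-256, and every key, password and data value is constructed.

```python
import hashlib
import hmac
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib stand-in for the drives' AES-256 (constructed)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt and authenticate: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Reject the blob unless the tag verifies under this key, then decrypt."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


# Weak design, as the article and the editor's note describe it: one key is baked into
# every unit of the model, and the only password check happens in the host-side software.
SHARED_MODEL_KEY = b"\x11" * 32   # constructed value standing in for the vendor's fixed key


class FixedKeyDrive:
    def __init__(self, password: str, data: bytes):
        self._pw_hash = hashlib.sha256(password.encode()).digest()
        self.blob = seal(SHARED_MODEL_KEY, data)

    def data_key(self, password: str) -> bytes:
        # This comparison lives in host software; the key it releases does not depend on it.
        if hashlib.sha256(password.encode()).digest() != self._pw_hash:
            raise PermissionError("bad password")
        return SHARED_MODEL_KEY


# Hardened design: the key is derived from the password and a per-unit salt, so no password
# means no key, and two units never share one. (A real product would do this in firmware.)
class DerivedKeyDrive:
    def __init__(self, password: str, data: bytes):
        self.salt = os.urandom(16)
        self.blob = seal(self.data_key(password), data)

    def data_key(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000, dklen=32)


def shares_key_with_another_unit(cls) -> bool:
    """True when two separately initialised units of this design end up with the same key."""
    unit_a, unit_b = cls("hunter2", b"unit A"), cls("correct horse", b"unit B")
    return unit_a.data_key("hunter2") == unit_b.data_key("correct horse")
```

In the weak design the password never enters the cryptography, so a certified AES module and a correct password comparison in host software still leave every unit's data one constant away from readable.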

Incident Handling Certification Now The Top For Premium Security Pay (January 12, 2009)

The American National Standards Institute has accredited the GIAC Certified Incident Handler certification, and the same certification was recently ranked as the No. 1 security certification that organizations pay a salary premium for, according to IT employment analysts with Foote Partners. Government security service providers that have invested in SANS training and GIAC certification for their employees or who have hired employees who already have GIAC certifications will be able to use those credentials to differentiate their services from others. Last week three of the major GIAC tracks were accredited under the ANSI/ISO/IEC 17024 Personnel Certification program.
-http://www.channelinsider.com/c/a/Careers/Three-GIAC-Security-Certifications-Gain-More-Clout--198225/

Questionable Applications Removed From Android Marketplace (January 11, 2010)

Suspected phishing applications were found and removed from the Android Marketplace. The appearance of the suspicious applications raises the question of whether Google should vet applications offered in the Android marketplace before they are made available. Researchers have not been able to prove that the applications in question were malicious. Instead, there is some speculation that rather than having malicious intent, the developer simply wanted to make a fast buck by charging people for putting shortcuts on their Androids. The applications claimed to simplify users' access to various online banking sites. Android users who have downloaded apps posted by Droid09 are encouraged to remove those applications from their devices.
-http://isc.sans.org/diary.html?storyid=7936
-http://www.theregister.co.uk/2010/01/11/android_phishing_app/
-http://www.h-online.com/security/news/item/Android-app-steals-bank-login-details-901895.html
-http://www.computerworld.com/s/article/9143830/Fishy_Android_apps_may_have_been_malware_says_researcher?source=rss_security


[Editor's Note (Pescatore): These closed "marketplaces" like on the iPhone and Android phones have great potential to be a boon to security. They are essentially whitelisting that users don't complain about - because there are so many application choices, it doesn't feel like lockdown to the users. However, the marketplaces do need to raise the bar on application certification to include stronger security analysis. But just the fact that an app can be quickly removed from the marketplace is a huge advance over wide open operating systems like Windows and Linux. ]

Facebook Group Page Has Links to Malware-Laced Sites (January 11, 2010)

Miscreants intent on spreading malware appear to be preying on people's unfounded fears that Facebook plans to begin charging users for its services. A Facebook group that appears to offer a place for people to protest the rumored fees has been shown to contain malware. The group pages themselves appear to be clean, but link to suspicious sites. Snopes.com has posted a warning about the deceptive groups and associated pages.
-http://www.theregister.co.uk/2010/01/11/facebook_charging_rumour_malfeasance/
-http://www.snopes.com/computer/internet/fbcharge.asp

Oracle's Critical Patch Update Will Offer 24 Fixes (January 11, 2010)

On Tuesday, January 12, Oracle plans to release its monthly/quarterly Critical Patch Update that will include 24 fixes, some of which affect multiple products. Vulnerabilities in Oracle Database Server, Oracle Secure Backup, and Oracle JRockit have been given CVSS 2.0 base scores of 10.0. The Oracle update will be released on the same day that Microsoft and Adobe have scheduled their security updates. Microsoft is releasing just one security bulletin; Adobe will address a critical flaw that is being actively exploited.
-http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2010.html
-http://www.securecomputing.net.au/News/164329,oracle-starts-year-with-hefty-patch-update.aspx

Proof-of-Concept Code Posted for Mac OS X Flaw (January 8 & 12, 2010)

Proof-of-concept exploit code for a vulnerability in Mac OS X has been posted on the Internet. The buffer overflow flaw affects versions 10.5 and 10.6 of the Apple operating system and can be exploited remotely. The flaw lies in the libc/gdtoa code in a variety of software products. Apple has known about the vulnerability for seven months, but has not fixed it yet. It has already been fixed in OpenBSD, FreeBSD, NetBSD, Google and Mozilla.
-http://isc.sans.org/diary.html?storyid=7942
-http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=222300150

-http://www.theregister.co.uk/2010/01/12/critical_osx_security_bug/

Panel Questions FCC's Authority to Enforce Net Neutrality Rules (January 8 & 11, 2010)

A federal appeals court panel is questioning the Federal Communications Commission's (FCC) authority to impose net neutrality rules on Comcast. The telecommunications company is challenging a 2008 FCC order that prohibited the company from blocking its broadband users from using BitTorrent. Internet companies are in favor of net neutrality rules, maintaining that without them, the broadband providers would give preference to traffic from customers who pay premiums and could potentially block or slow traffic from sites that compete with the providers' offerings. The providers say they are entitled to seek returns on their investments by offering premium services, and that by blocking services like BitTorrent, they prevent excessive amounts of bandwidth from being consumed and degrading service for others.
-http://www.informationweek.com/news/security/management/showArticle.jhtml?articleID=222300255

-http://www.msnbc.msn.com/id/34766389/ns/technology_and_science-security/

Wide-Reaching Spear Phishing Campaign Claims to be Outlook Alert (January 8, 2010)

A recently detected spear phishing scheme is spreading in the guise of a Microsoft Outlook alert. This particular attack is targeting a large number of domain names in the hope of tricking more users into clicking on a link that will download a variant of the Zbot banking Trojan horse program onto their computers. The attack also personalizes the emails in an attempt to gain users' trust.
-http://content.usatoday.com/communities/technologylive/post/2010/01/faked-outlook-updates-spreading-banking-trojans/1
-http://www.darkreading.com/vulnerability_management/security/app-security/showArticle.jhtml?articleID=222300161&subSection=Application+Security

-http://isc.sans.org/diary.html?storyid=7918

[Editor's Note (Ullrich): To defend against this and other attacks, DNS sinkholes can be helpful. See
-http://isc.sans.org/diary.html?storyid=7930
for details on how to set up such a sinkhole. ]
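An added example, not from the editor's note or the linked ISC diary, of the two halves of a DNS sinkhole as a defence against a campaign like this one: generating the BIND configuration that answers every blocked name with an internal sinkhole address, and reading the resolver's query log to find which clients asked for those names. The zone layout, the BIND 9 query-log field order, the blocklist and the log lines are all assumed or constructed here.

```python
import re
from collections import defaultdict

SINKHOLE_IP = "10.0.0.1"   # constructed: an internal host that accepts, logs and drops the connections

# Shared zone file: the apex and a wildcard both answer with the sinkhole address, so every
# name under a blocked domain resolves to it. (Layout assumed; not the linked diary's config.)
SINKHOLE_ZONE = f"""$TTL 600
@   IN SOA ns.sinkhole.internal. hostmaster.sinkhole.internal. ( 2010011201 3600 600 86400 600 )
@   IN NS  ns.sinkhole.internal.
@   IN A   {SINKHOLE_IP}
*   IN A   {SINKHOLE_IP}
"""


def named_conf_stanzas(domains, zone_file="/etc/bind/sinkhole.zone") -> str:
    """One BIND 'zone' stanza per blocked domain, all served from the shared zone file."""
    names = sorted({d.strip().lower().rstrip(".") for d in domains if d.strip()})
    return "".join(f'zone "{n}" {{ type master; file "{zone_file}"; }};\n' for n in names)


# BIND 9 query-log line (constructed sample; field layout assumed from BIND 9.x querylog):
#   12-Jan-2010 09:15:02.117 client 192.0.2.25#51234: query: bad.example IN A + (10.0.0.53)
_QUERY = re.compile(r"client (?P<ip>[0-9.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def sinkhole_hits(log_lines, blocked) -> dict:
    """Map each client IP to the blocked names (or subdomains of them) it asked the resolver for."""
    blocked = {b.lower().rstrip(".") for b in blocked}
    hits = defaultdict(set)
    for line in log_lines:
        m = _QUERY.search(line)
        if not m:
            continue
        qname = m["qname"].lower().rstrip(".")
        labels = qname.split(".")
        # walk up the name: cdn.bad.example matches a block on bad.example, notbad.example does not
        if any(".".join(labels[i:]) in blocked for i in range(len(labels))):
            hits[m["ip"]].add(qname)
    return {ip: sorted(names) for ip, names in hits.items()}


BLOCKED_DOMAINS = ["outlook-update.example", "zbot-drop.example"]   # constructed blocklist

SAMPLE_LOG = [   # constructed resolver log lines
    "12-Jan-2010 09:15:02.117 client 192.0.2.25#51234: query: www.sans.org IN A + (10.0.0.53)",
    "12-Jan-2010 09:15:03.402 client 192.0.2.25#51235: query: outlook-update.example IN A + (10.0.0.53)",
    "12-Jan-2010 09:15:07.880 client 192.0.2.40#40211: query: cdn.zbot-drop.example IN A + (10.0.0.53)",
    "12-Jan-2010 09:15:09.001 client 192.0.2.40#40212: query: notzbot-drop.example IN A + (10.0.0.53)",
    "12-Jan-2010 09:15:10.555 client 192.0.2.25#51236: query: mail.example.net IN MX + (10.0.0.53)",
]

if __name__ == "__main__":
    print(named_conf_stanzas(BLOCKED_DOMAINS))
    print(sinkhole_hits(SAMPLE_LOG, BLOCKED_DOMAINS))
```

The clients that `sinkhole_hits` returns are the hosts that clicked the link, which is the list an incident handler wants from the sinkhole.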



**********************************************************************

The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, http://www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/