iPad Air 2, Samsung Galaxy Tab A, or $350 Off with SANS Online Training Right Now!

Newsletters: Newsbites


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XII - Issue #97

December 10, 2010

TOP OF THE NEWS

16-Year-Old Arrested in Netherlands in Connection with WikiLeaks Attacks
WikiLeaks Supporters Blast "Hostile" Sites with DDoS Attacks
A Sputnik Approach to Cyber Security
IE 9 Will Incorporate Do Not Track Technology

THE REST OF THE WEEK'S NEWS

Microsoft's December Security Update to Address 40 Vulnerabilities
Microsoft Issues Fix for Flaws in Office for Mac 2008
Apple Fixes Flaws in QuickTime for OS X and Windows
NASA Auditor Finds Computers Sold Without Adequate Data Scrubbing
Facebook and Twitter Close WikiLeaks Attack Related Accounts
Naval Officer Arrested for Allegedly Trying to Sell Top Secret Documents
Alleged Internet Bully Merchant Arrested


*************************** Sponsored By Intel **************************

REGISTER NOW, for the upcoming webcast: Securing Services at the Network Edge - Combining Security Enforcement and Governance. WHEN: Monday, December 20th at 1:00 PM EST FEATURING: Sachin Gadre & Blake Dournaee Join Blake Dournaee of Intel and Sachin Gadre of Software AG to learn how enterprises can ensure consistent enforcement of security policies across heterogenous infrastructure and security domains. http://www.sans.org/info/67883

************************************************************************* TRAINING UPDATE New "Combating Malware in the Enterprise" course at SANS (SEC569). How do you fight off malware when you have thousands of hosts? Learn the answers in Washington DC in December or in Orlando in March:
http://www.sans.org/security-training/combating-malware-enterprise-1482-mid

-- SANS Cyber Defense Initiative 2010, Washington DC, December 10-17, 2010 24 courses. Bonus evening presentations include Browser Based Defenses; Continuous Vulnerability Testing and Remediation: the 20 Critical Security Controls Perspective; and Cyberwar or Business as Usual? The State of US Federal CyberSecurity Efforts
http://www.sans.org/cyber-defense-initiative-2010/

-- SANS Security East 2011, New Orleans, LA, January 20-27, 2011 12 courses. Bonus evening presentations and special events include Happy Little Clouds: Governing, Assessing and Auditing Cloud Environments; and Future Trends in Network Security
http://www.sans.org/security-east-2011/

-- North American SCADA 2011, Lake Buena Vista, FL, February 23-March 2, 2011
http://www.sans.org/north-american-scada-2011/

-- SANS 2011, Orlando, FL, March 27-April 4, 2011 39 courses. Bonus evening presentations and special events include Hiding in Plain Sight: Forensic Techniques to Counter the Advanced Persistent Threat; and Law and the Public's Perception of Data Security
http://www.sans.org/sans-2011/

-- Looking for training in your own community?
http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Atlanta, San Francisco, Bangalore and Phoenix all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php ****************************************************************************

TOP OF THE NEWS

16-Year-Old Arrested in Netherlands in Connection with WikiLeaks Attacks (December 9, 2010)

Authorities in the Netherlands have arrested a 16-year-old boy in connection with the DDoS attacks on sites that have severed business ties with WikiLeaks. The boy has allegedly admitted to being involved in the attacks on payment processing companies; his computer equipment was seized. He is believed to be part of a group involved in the attacks.
-http://online.wsj.com/article/SB10001424052748704720804576009723632691988.html?K
EYWORDS=cassell

-http://www.csmonitor.com/USA/2010/1209/Anonymous-How-dangerous-is-hacker-network
-defending-WikiLeaks

-http://www.csmonitor.com/USA/2010/1209/How-pro-WikiLeaks-hackers-wage-cyberwar-w
ithout-hijacking-your-computer

-http://www.computerworld.com/s/article/9200641/Dutch_arrest_16_year_old_related_
to_WikiLeaks_attacks?taxonomyId=82

-http://www.dutchnews.nl/news/archives/2010/12/dutch_police_arrest_16yearold.php
-http://www.wired.com/threatlevel/2010/12/wikileaks_anonymous_arrests/
[Editor's Note (Honan): And the website for the Dutch Police is now under attack
-http://www.breakingnews.ie/world/hackers-attack-dutch-police-website-485170.html]

WikiLeaks Supporters Blast "Hostile" Sites with DDoS Attacks (December 8 & 9, 2010)

Supporters of whistle-blowing website WikiLeaks have taken action against the websites of companies that have severed business ties with the organization. Among the companies targeted by distributed denial-of-service (DDoS) attacks are Amazon.com, PayPal, MasterCard and VISA. Amazon removed WikiLeaks from its servers for a breach in Amazon's Terms of Service after the site had come to the company after being targeted by distributed denial-of-service (DDoS) attacks. PayPal stopped accepting donations for WikiLeaks, and MasterCard stopped processing WikiLeaks donations. WikiLeaks' Iceland-based payment processor says it may sue MasterCard and Visa for stopping service. The group Anonymous, which has claimed responsibility for attacks against anti-piracy websites earlier this year, is believed to be the organizing force behind the pro-WikiLeaks attacks.
-http://www.computerworld.com/s/article/9200598/Group_used_30_000_node_botnet_in_
MasterCard_PayPal_attacks?taxonomyId=17

-http://www.nytimes.com/2010/12/09/world/09wiki.html?_r=1&partner=rss&emc
=rss

-http://www.theregister.co.uk/2010/12/08/datacell_vows_visa_lawsuit/
-http://www.wired.com/threatlevel/2010/12/pro-wikileaks-vigilantes-down-visa-com/
-http://www.computerworld.com/s/article/9200521/Update_MasterCard_Visa_others_hit
_by_DDoS_attacks_over_WikiLeaks?taxonomyId=17

[Editor's Note (Honan): The Spanish Anti-Virus company, Panda Security Labs, has a very good blog outlining both sides of the attacks relating to WikiLeaks at
-http://pandalabs.pandasecurity.com/tis-the-season-of-ddos-wikileaks-editio/.
It would be prudent for you to check your network traffic logs to ensure that the LOIC tool (the DDOS tool used by the Anonymous Group) is not being used on your network to attack any of the sites. ]

A Sputnik Approach to Cyber Security (December 8, 2010)

The author, the former Associate Director of National Intelligence at the Office of the Director of National Intelligence, Patrick Gorman, argues that the US needs to reframe its approach to cyber security as eSputnik rather than a digital Pearl Harbor or 9/11. Patrick Gorman notes that the shift is important because "metaphors ... affect the way people contemplate a challenge," and affect important strategic decisions. When the Soviet Union beat the US to be the first country to send a man into space in 1957, it sparked significant investments in science education that helped bolster the country's national security and economy. With regard to cyber security, the US needs to take steps to producing enough qualified experts in the field.
-http://www.govexec.com/story_page.cfm?filepath=/dailyfed/1210/120810mm.htm&o
ref=search

[Editor's Note (Schultz): I agree only in part with Mr. Gorman. The problem is much deeper. Recently announced test scores for children from nations around the world show that the U.S. has taken a back seat when it comes to education in general. I would think that the first priority of the U.S. would be to have a much better educated populace. The next logical step would be to help technically inclined people to become cyber security experts.
(Northcutt): Mildly interesting article, but not well researched. Sputnik 1 launched when I was two, but I still remember being in second grade and when my teacher was telling the class about Sputnik, the fear in her eyes was starkly evident and I see that image even today. I still remember the bomb shelter in our house, my father, a salesman, kept his samples in it. What is the closest analog to a bomb shelter today? Maybe it is a month's worth of food and water? In any case, a bomb shelter seems closer to digital Pearl Harbor or 9/11 than eSputnik. The article mentions NDEA and NASA, both important, but it forgets that the most important direct result of Sputnik was the creation of ARPA and their mission statement was to "prevent technical surprise"; so that second grade teachers would never again have to have that level of fear. And today we are gutting NASA, and NDEA is a ghost of the distant past. If you have read Rising Above the Coming Storm Revisited, then you know the odds of the NDEA type approach being successful lessen every day that goes by. I do not agree with everything it says, but a thinking person should consider the message (it is a lot easier to read by buying the book, but free text is available on the site):
-http://www.nap.edu/catalog.php?record_id=12999]

IE 9 Will Incorporate Do Not Track Technology (December 7 & 8, 2010)

Microsoft plans to include Do Not Track technology called Tracking Protection in Internet Explorer 9 (IE 9). The technology involves user created tracking protection lists that allows them control over what information third-party websites may collect. IE 9 is scheduled to ship in early 2011; a beta version was released in September. Tracking detection is off by default; users must deliberately enable it. Many internet users are unaware that the sites they visit share the information they collect with third party sites.
-http://www.bbc.co.uk/news/technology-11939223
-http://www.computerworld.com/s/article/9200298/Microsoft_spells_out_anti_trackin
g_tool_in_IE9?taxonomyId=84

-http://www.scmagazineus.com/internet-explorer-9-to-include-privacy-opt-in-featur
e/article/192345/

-http://www.nextgov.com/nextgov/ng_20101208_2770.php?oref=topnews
-http://www.nytimes.com/2010/12/08/business/media/08soft.html?_r=2&nl=todaysh
eadlines&emc=a26

[Editor's Note (Pescatore): There are way too many still on IE6, use this as yet another reason to get IT to move to more secure, more modern browsers. ]


************************* SPONSORED LINK ***************************

(1) Don't miss the LIVE Simulcast Core Security Lunch & Learn, direct from SANS Cyber Defense Initiative. http://www.sans.org/info/67888

**********************************************************************

THE REST OF THE WEEK'S NEWS

Microsoft's December Security Update to Address 40 Vulnerabilities (December 9, 2010)

On Tuesday, December 14, Microsoft plans to issue 17 security bulletins to patch a total of 40 vulnerabilities in Windows, Internet Explorer (IE), Office, SharePoint and Exchange. Just two of the bulletins have been given a maximum severity rating of critical; these address flaws in Windows and IE. Among the vulnerabilities fixed in the updates are a critical flaw affecting IE 6, 7 and 8, and the last four vulnerabilities exploited by Stuxnet.
-http://www.computerworld.com/s/article/9200642/Microsoft_slates_another_monster_
Patch_Tuesday?taxonomyId=82

-http://news.cnet.com/8301-27080_3-20025204-245.html?tag=mncol;title
-http://www.microsoft.com/technet/security/Bulletin/MS10-dec.mspx

Microsoft Issues Fix for Flaws in Office for Mac 2008 (December 9, 2010)

On Wednesday, December 9 Microsoft released a security update for Office for Mac 2008. The update addresses four vulnerabilities that were disclosed a month ago. On November 9, Microsoft issued a security update for Office for Mac 2011 to fix the vulnerabilities. The same vulnerabilities affect Office for Mac 2004, but there is no update available, and Microsoft has not indicated when one could be expected.
-http://www.computerworld.com/s/article/9200618/Microsoft_ships_delayed_patches_f
or_Office_for_Mac_2008?taxonomyId=17

Apple Fixes Flaws in QuickTime for OS X and Windows (December 7 & 8, 2010)

Apple has issued a fix for QuickTime media player for Windows and Mac OS X 10.5. The fix addresses 15 vulnerabilities, none of which were fixed in an update to Mac OS X 10.6.5 last month. The fix also addresses the unpatched flaws in OS X 10.6.5. Apple rated 14 of the 15 flaws critical. The current version of Quick Time is now 7.6.9.
-http://www.theregister.co.uk/2010/12/09/apple_patches_quicktime_again/
-http://reviews.cnet.com/8301-13727_7-20024946-263.html
-http://www.computerworld.com/s/article/9200519/Apple_patches_15_QuickTime_bugs_i
n_Leopard_Windows?taxonomyId=85

NASA Auditor Finds Computers Sold Without Adequate Data Scrubbing (December 8 & 9, 2010)

According to an audit report from NASA Inspector General, the space agency sold 10 computers that had not passed tests to verify that the data they contained had been removed. Four additional computers that had not undergone data sanitization were slated to be sold. The report found "significant weaknesses in the sanitization and disposition processes" at two space centers and two research centers. The equipment being sold was used in the Space Shuttle program, which is being phased out.
-http://news.cnet.com/8301-13639_3-20025161-42.html?tag=mncol;title
-http://www.theregister.co.uk/2010/12/08/nasa_disk_wiping_failure/
-http://techinsider.nextgov.com/2010/12/nasa_sells_computers_with_senstive_info_o
n_them.php

-http://www.v3.co.uk/v3/news/2273824/nasa-pcs-security-risk
[Editor's Note (Pescatore): The OIG reports show what appears to be at least 2 laptops of the 4 that were slated to be sold. The report does not mention encryption at all - all government laptops are supposed to have encryption on the hard drive, which could be a mitigating factor. By the way, this exact scenario is by far the major risk of using smartphones for email and corporate access - they get sold (or lost or stolen) all the time with sensitive information on them. ]

Facebook and Twitter Close WikiLeaks Attack Related Accounts (December 9, 2010)

Facebook and Twitter have deleted accounts that were being used to promote DDoS attacks against websites that have blocked or been visibly opposed to WikiLeaks. Facebook acknowledged deleting the Operation Payback account on December 9.
-http://www.zdnet.com/news/wikileaks-hackers-attack-visa-get-banned-by-facebook-t
witter/490442

-http://www.msnbc.msn.com/id/40589611/ns/technology_and_science-security/

Naval Petty Officer Arrested for Allegedly Trying to Sell Top Secret Documents (December 7, 2010)

US Naval authorities have arrested Petty Officer Bryan Minkyu Martin for allegedly stealing and attempting to sell top secret military documents. Martin worked at the Special Operations Command at Fort Bragg. He allegedly attempted to sell stolen documents to an undercover FBI agent who was posing as an intelligence officer from a foreign country. Martin has not yet been charged, but is being investigated under some of the same Espionage Act statutes used to investigate Pfc. Bradley Manning, who allegedly leaked classified military information to WikiLeaks.
-http://www.washingtonpost.com/wp-dyn/content/article/2010/12/06/AR2010120607294.
html

-http://www.fayobserver.com/articles/2010/12/07/1053735?sac=Home

Alleged Internet Bully Merchant Arrested (December 6, 2010)

Authorities have arrested Vitaly Borker, the Internet entrepreneur profiled in a recent New York Times article about using negative publicity to generate sales. Borker faces charges of fraud, cyberstalking and harassment and could face up to 20 years in prison. The Federal Trade Commission (FTC) has more than 200 complaints recorded about Borker's online business, Decormyeyes.com. Borker allegedly treated his customers poorly, even going so far as to threaten one of them with physical harm when she complained about the shoddy quality of the glasses she purchased through the site. He maintained that the negative buzz generated by his offensive activity raised his site to the top of Internet searches for eyewear. Google has altered its algorithm to help prevent this from recurring.
-http://www.computerworld.com/s/article/9200058/Retailer_accused_of_inflating_Goo
gle_ranking_is_arrested?taxonomyId=82



**********************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Adv isory Capability (CIAC)

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer at the North American Energy Reliability Commission (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/