SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XII - Issue #98

December 14, 2010

TOP OF THE NEWS

UAE Authorities Can Decrypt BlackBerry Communications With Court Order
Connecticut AG Demands Google Street View Data
US Could Seek Assange Extradition
Judge Denies Request for Default Judgments Against Alleged Copyright Violators

THE REST OF THE WEEK'S NEWS

Irish Authorities and Microsoft Warn of Phony Virus Calls
McDonald's Customer Information Compromised in Security Breach
Gawker Database Hacked
Online Ad Networks Serving Up Malware
Former Goldman Sachs Employee Guilty of Trading Software Source Code Theft
Mozilla Updates Firefox and Thunderbird
US Military Implements Strict Data Transfer Rules
New Scoring System Coming for Measuring the Security of Software


******************* Sponsored By Athena Security ***********************
Athena FirePAC: The single must-have solution for your Cisco, Check Point and Netscreen firewalls:
For audit and managing security risk: http://www.sans.org/info/68133
For keeping your rule documentation up to date: http://www.sans.org/info/68138
For cleaning and optimizing the rulebase: http://www.sans.org/info/68143
For PCI compliance: http://www.sans.org/info/68148
For migrating firewall platforms: http://www.sans.org/info/68153
*************************************************************************

TRAINING UPDATE
New "Combating Malware in the Enterprise" course at SANS (SEC569). How do you fight off malware when you have thousands of hosts? Learn the answers in Washington DC in December or in Orlando in March:
http://www.sans.org/security-training/combating-malware-enterprise-1482-mid

-- SANS Cyber Defense Initiative 2010, Washington DC, December 10-17, 2010. 24 courses. Bonus evening presentations include Browser Based Defenses; Continuous Vulnerability Testing and Remediation: the 20 Critical Security Controls Perspective; and Cyberwar or Business as Usual? The State of US Federal CyberSecurity Efforts
http://www.sans.org/cyber-defense-initiative-2010/

-- SANS Security East 2011, New Orleans, LA, January 20-27, 2011. 12 courses. Bonus evening presentations and special events include Happy Little Clouds: Governing, Assessing and Auditing Cloud Environments; and Future Trends in Network Security
http://www.sans.org/security-east-2011/

-- North American SCADA 2011, Lake Buena Vista, FL, February 23-March 2, 2011
http://www.sans.org/north-american-scada-2011/

-- SANS 2011, Orlando, FL, March 27-April 4, 2011. 39 courses. Bonus evening presentations and special events include Hiding in Plain Sight: Forensic Techniques to Counter the Advanced Persistent Threat; and Law and the Public's Perception of Data Security
http://www.sans.org/sans-2011/

-- Looking for training in your own community?
http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Atlanta, San Francisco, Bangalore and Phoenix all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
****************************************************************************

TOP OF THE NEWS

UAE Authorities Can Decrypt BlackBerry Communications With Court Order (December 12, 2010)

The United Arab Emirates' Telecommunications Regulatory Authority now has the key for Blackberry services; this means that the authorities can decrypt and monitor Blackberry communications after obtaining a court order. BlackBerry parent company Research in Motion (RIM) has reached a similar agreement with authorities in India.
-http://www.alarabiya.net/articles/2010/12/12/129379.html

Connecticut AG Demands Google Street View Data (December 11 & 13, 2010)

Connecticut Attorney General Richard Blumenthal is demanding that Google turn over to his office the personal data gathered from unprotected Wi-Fi networks while the company was obtaining images and other information for Street View. Blumenthal issued a civil investigative demand, which is like a subpoena. Blumenthal says that his office needs the data to determine what penalty to impose on Google. Google has until December 17 to turn over the data.
-http://www.eweek.com/c/a/Security/Connecticut-AG-Demands-Google-Street-View-WiFi-Data-234961/

US Could Seek Assange Extradition (December 10 & 13, 2010)

US authorities may seek the extradition of WikiLeaks founder Julian Assange once he is extradited to Sweden. Assange is currently in custody in the UK after having surrendered to authorities there last week; he is being held without bail to face charges of rape and molestation in Swedish court. A federal grand jury in Alexandria, Virginia is considering possible criminal charges against Assange. He could be charged under the Espionage Act, which would raise certain First Amendment issues, or he could face a conspiracy charge under the Computer Fraud and Abuse Act, which would make moot issues related to the First Amendment of the US Bill of Rights.
-http://www.wired.com/threatlevel/2010/12/assange-grand-jury/
-http://www.computerworld.com/s/article/9200764/U.S._indictment_of_WikiLeaks_Assange_reportedly_imminent_?taxonomyId=144
-http://www.computerworld.com/s/article/9200698/Prosecuting_WikiLeaks_Assange_could_be_difficult_case?taxonomyId=144

[Editor's Note (Schultz): This potential legal case must be considered novel (at least to a large degree), but in my estimation it more than anything else really serves more as a prototype of similar future cases. The movement to make all kinds of information available to everyone in the world currently has so much momentum that it is going to be difficult to stop, even in the legal arena. At some not-too-distant point in time massive leakage of sensitive government and other documents is likely to become so commonplace that individuals who obtain and post such information are unlikely to be charged with violation of any statute, at least in countries in which individuals are afforded a high degree of freedom.
(Ranum): They shouldn't be speculating about this to the press. Charge him, or don't. Make your case, or don't. But playing it to the media just makes the government look weak and indecisive. ]

Judge Denies Request for Default Judgments Against Alleged Copyright Violators (December 10 & 13, 2010)

A judge has denied ACS:Law's request for default judgments against eight individuals it alleges have violated copyright laws. Judge Birss said that the intellectual property cases are too complex to allow default judgments. Judge Birss also noted that there was no evidence the legal notice had been served against the eight people and that a copyright violation case may be brought only by the copyright holder "or an exclusive licensee."
-http://www.zdnet.co.uk/blogs/security-bullet-in-10000166/acslaw-fails-in-default-judgement-attempt-10021288/
-http://www.networkworld.com/news/2010/121310-acslaws-first-illegal-download-cases.html


THE REST OF THE WEEK'S NEWS

Irish Authorities and Microsoft Warn of Phony Virus Calls (December 13, 2010)

Microsoft and the Irish National Consumer Agency (NCA) have issued a warning about scammers posing as representatives of Microsoft, or other legitimate technology companies, and calling people to tell them they have malware on their computers. The targets are instructed to download a file from a certain website that gives the attacker access to their machines. Some of the thieves also ask for credit card information.
-http://www.irishexaminer.com/breakingnews/ireland/warning-over-cybercrime-scam-485504.html
-http://www.siliconrepublic.com/digital-life/item/19608-microsoft-and-consumer/

McDonald's Customer Information Compromised in Security Breach (December 13, 2010)

McDonald's has released a statement disclosing that a recent cyber attack compromised personal customer data. The information was collected as part of a promotional campaign or through a website. The breach occurred on a system belonging to Arc Worldwide, a McDonald's business partner. The compromised data includes names, addresses and birth dates, but no credit card or other personal information. The breach affects people who signed up to receive emails from McDonald's. Law enforcement authorities are investigating.
-http://www.pcmag.com/article2/0,2817,2374253,00.asp
-http://latimesblogs.latimes.com/technology/2010/12/mcdonalds-databases-hacked-customer-data-stolen.html

Gawker Database Hacked (December 12 & 13, 2010)

Hackers have gained access to Gawker Media servers, compromising users' accounts. The intruders claimed to have accessed user names and passwords; they also published some Gawker staff member passwords as well as a file that they say contains Gawker source code. Gawker was the target of distributed denial-of-service (DDoS) attacks in July because of its negative coverage of 4Chan. The Gawker breach has been linked to a recent spate of spam sent over Twitter advertising the Acai berry diet.
-http://www.wired.com/threatlevel/2010/12/gawker-hacked/
-http://www.computerworld.com/s/article/9200978/Update_Gawker_Media_hacked_firm_warns_users_to_change_passwords?taxonomyId=17
-http://www.theregister.co.uk/2010/12/13/gawker_hacked/
-http://www.nytimes.com/2010/12/13/business/media/13gawker.html
-http://www.scmagazineus.com/twitter-spam-campaign-linked-to-gawker-breach/article/192643/
-http://www.darkreading.com/database-security/167901020/security/application-security/228800288/hack-of-gawker-media-sites-puts-1-3-million-passwords-at-risk.html

[Editor's Note (Honan): There is a very interesting analysis of the Gawker breach by Daniel Kennedy and lessons learnt from it on the Forbes website at
-http://blogs.forbes.com/firewall/2010/12/13/the-lessons-of-gawkers-security-mess/
]

Online Ad Networks Serving Up Malware (December 10 & 13, 2010)

Two major Internet advertisement service networks - DoubleClick and rad.msn.com - have been found to be serving malware from banner ads on some websites. Users who visit the sites with the malware-laced ads become infected simply by visiting the sites; no action is required. The infected ads exploit at least seven known vulnerabilities in Adobe Reader, Microsoft Internet Explorer and Oracle Java.
-http://www.theregister.co.uk/2010/12/13/doubleclick_msn_malware_attacks/
-http://www.wired.com/threatlevel/2010/12/doubleclick/
[Editor's Note (Northcutt): Uggg, well it is a well known piece of malware so most AV systems will probably have definitions for it. If you have the following registry entries you are probably infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "<random>"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "<random>.exe"
I looked through a couple removal instructions online and this appears to be the best one:
-http://www.bleepingcomputer.com/virus-removal/remove-hdd-plus
]
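As an added example (not part of the NewsBites issue or the removal guide it links), the following PowerShell audits the per-user Run key named in the note above and flags entries worth a closer look. The two heuristics, the allow list and the "random-looking name" pattern are assumptions to tune for your own baseline, not indicators from any specific malware family.

```powershell
# Added example: audit HKCU\...\Run for autostart entries that merit review.
# Heuristics (assumptions, adjust to your environment):
#   1. the value name is not on a known-good allow list AND the command
#      launches from a user-writable location (AppData, Temp, profile root)
#   2. the value name looks machine-generated (long alphanumeric token with digits)
$RunKeyPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$AllowList  = @('OneDrive')   # constructed placeholder; populate from a clean baseline

function Get-SuspiciousRunEntry {
    param(
        [string]   $Key   = $RunKeyPath,
        [string[]] $Allow = $AllowList
    )
    if (-not (Test-Path -Path $Key)) { return @() }

    $regKey  = Get-Item -Path $Key
    $results = foreach ($name in $regKey.GetValueNames()) {
        $cmd      = [string]$regKey.GetValue($name)
        # Expand %APPDATA%, %TEMP% etc. so the path test sees the real location
        $expanded = [Environment]::ExpandEnvironmentVariables($cmd)

        $userWritable = $expanded -match '\\AppData\\|\\Temp\\|\\Users\\[^\\]+\\[^\\]+\.exe'
        $unknownName  = $Allow -notcontains $name
        # "random-looking": 8+ lowercase letters/digits containing at least one digit,
        # optionally ending in .exe (matches the "<random>" / "<random>.exe" shape)
        $randomName   = ($name -match '^[a-z0-9]{8,}(\.exe)?$') -and ($name -match '\d')

        $reasons = @()
        if ($unknownName -and $userWritable) { $reasons += 'unknown name, user-writable path' }
        if ($randomName)                     { $reasons += 'random-looking value name' }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Name    = $name
                Command = $cmd
                Reason  = ($reasons -join '; ')
            }
        }
    }
    return @($results)
}

# Review output by hand; a hit is a lead for AV/forensic follow-up, not proof of infection.
Get-SuspiciousRunEntry | Format-Table -AutoSize
```

Run it per user (the key is HKCU, so each profile must be checked separately) and compare hits against the removal guide linked above before deleting anything.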

Former Goldman Sachs Employee Guilty of Trading Software Source Code Theft (December 10, 2010)

Former Goldman Sachs computer programmer Sergey Aleynikov has been found guilty of stealing trade secrets. Aleynikov stole high-speed trading proprietary software source code from his former employer after accepting a position at a competing company. Aleynikov downloaded the source code shortly before leaving the company in late spring 2009; he stored it on a German-hosted website and attempted to remove his tracks from Goldman Sachs systems.
-http://www.wired.com/threatlevel/2010/12/aleynikov-guilty/

Mozilla Updates Firefox and Thunderbird (December 10, 2010)

Mozilla has issued updates for Firefox and Thunderbird. The Firefox update addresses 12 vulnerabilities, 10 of which have been rated critical. One of the patched flaws is a "re-do" of a fix issued earlier this year that has been found to be incomplete. Users are urged to ensure they are running the most current versions of Firefox, 3.6.13 and 3.5.16.
-http://www.computerworld.com/s/article/9200741/Mozilla_patches_13_Firefox_security_bugs?taxonomyId=85
-http://www.h-online.com/security/news/item/Mozilla-releases-Firefox-Thunderbird-security-updates-1150934.html
-http://www.theregister.co.uk/2010/12/10/mozilla_firefox_thunderbird_updates/

US Military Implements Strict Data Transfer Rules (December 9 & 10, 2010)

In the wake of WikiLeaks' release of tens of thousands of diplomatic cables, the US military is prohibiting the use of removable data storage media to prevent further leaks of secret information. The directive applies to all devices connected to SIPRNET. More than half of US military computers are connected to a security system that detects anomalous behavior. Other security measures include limiting the systems that can be used to transfer data to unclassified systems and requiring that two people be involved with data transfers. Those who fail to comply with the directive could face court-martial.
-http://www.wired.com/dangerroom/2010/12/military-bans-disks-threatens-courts-martials-to-stop-new-leaks/
-http://www.eweek.com/c/a/Security/WikiLeaks-Disclosures-Prompts-Defense-Department-Ban-on-USB-Drives-227599/

[Editor's Note (Honan): This seems to be a case of reactive security, or in layman's terms "closing the stable door after the horse has bolted." Instead of banning devices, better management of the controls in place would be more effective, especially as it appears that the US Army is now going to issue every soldier with a smartphone:
-http://www.theregister.co.uk/2010/12/14/us_army_smartphones_4_all/
(Schultz): Once again we are seeing how major information security control improvements occur only after catastrophic security-related incidents have occurred. ]

New Scoring System Coming for Measuring the Security of Software (December 14, 2010)

Several of the top vulnerability and attack researchers in the US and other countries have cooperated to develop a draft of a way to score software security that would allow purchasers and developers of software to reliably measure the quality (defined here as the absence of security-related programming weaknesses) of the code they are buying or creating. They used five sample scenarios to validate the measurement system: web-based retailer, financial/trading/transactional, SCADA-based flow control, human resources, and social networking. They then identified the principal security-related things that could go wrong in each scenario and scored them, so that a programming flaw can be assigned a value. Within a few months this work will be woven into testing tools available from multiple vendors, which would result in consistent scoring of software; before that happens, a broader consensus of experts needs to validate and enhance the work. They are convening a virtual panel to provide that oversight and are seeking application pen testers and application security experts to participate. If you are interested, send a note to SoftwareSecurityScoring@sans.org and we'll forward it to the right people. Please include information about your qualifications.

**********************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer at the North American Energy Reliability Commission (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/