Last Day: Get a 10.2" iPad (32 G), Galaxy Tab A, or Take $250 Off with OnDemand Training

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIII - Issue #41

May 24, 2011

Just 8 days until the early registration deadline for SANSFIRE 2011
(Washington, DC) saving you $400. 27 full-week immersion courses and a
dozen new short courses. Plus the free SANS @NIGHT presentations at
SANSFIRE are better than regular presentations at most other conferences
because they provide "what we have just learned" updates from the
incident handlers at the Internet Storm Center.
Info at:


Another 64-bit Windows Rootkit Detected
Facebook Adds Security Feature
Judge Freezes Righthaven Copyright Suits to Examine Company's Legal Standing
Firefox Extension Collects Surfing Habit Data


Sony BMG Site Attacked
PSN Account Management System Back Online
Qakbot Behind Massachusetts Data Theft
Apple Reportedly Not Helpful with Scareware Infection
Microsoft IE9 Security Claims Questioned
NASA Confirms FTP Server Breach



-- SANS Rocky Mountain 2011, Denver, CO, June 25-30, 2011
7 courses. Bonus evening presentations include SANS Hacklab and Why
End Users are Your Weakest Link

-- SANSFIRE 2011, Washington, DC, July 15-24, 2011
40 courses. Bonus evening presentations include Ninja developers:
Penetration testing and Your SDLC; and Are Your Tools Ready for IPv6?

-- SANS Boston 2011, Boston, MA, August 8-15, 2011
12 courses. Bonus evening presentations include Cost Effectively
Implementing PCI through the Critical Controls; and More Practical
Insights on the 20 Critical Controls

-- SANS Virginia Beach 2011, August 22- September 2, 2011
11 courses. Bonus evening presentations include SANS Hacklab;
Offensive Countermeasures; and Evolving VoIP Threats

-- SANS Ottawa 2011, Ottawa, Ontario, August 28- September 2, 2011
5 courses. Bonus evening presentations include DNS Sinkhole: Peer
Into Your Network While You Sleep; and I See What You Did There:
Forensic Time Line Analysis

-- SANS Network Security 2011, Las Vegas, NV, September 17-26, 2011
43 courses. Bonus evening presentations include Securing the Kids;
Who is Watching the Watchers?; and Emerging Trends in the Law of
information Security and Investigations

-- Looking for training in your own community?

Save on On-Demand training (30 full
courses) - See samples at

Plus London, Austin, and Canberra all in the next 90 days.
For a list of all upcoming events, on-line and live:

************** SPONSORED BY Raytheon Trusted Computer Solutions ***********

Automate the OS hardening process with Security Blanket. Realize
significant time savings and know your systems are hardened to industry
standards such as DISA STIGs, CIS, PCI, or SANS CAG Top 20 Critical
Controls. Managing your enterprise security is easy with 'one click'
lock down. Try it for FREE today!



Another 64-bit Windows Rootkit Detected (May 23, 20110

A rootkit that can infect 64-bit Windows has been found to be harvesting online banking credentials of Brazilian users. The malware ferrets its way into systems through a vulnerability in outdated versions of Java. It disables the Windows Users Account Control, installs phony root certificates and makes other modifications so that online banking customers are redirected to a phishing site.

Facebook Adds Security Feature (May 23, 2011)

Facebook has introduced an added layer of security to prevent account hijacking. Users must opt-in to the two-factor authentication feature, called Login Approvals, which requires supplying Facebook with a mobile phone number to which a one-time security authentication code will be sent when users try to login to Facebook from new devices. A new code will be required every time users attempt to login from a device that they have not designated as safe.
[Editor's Note (Shcultz): Facebook's having introduced this stronger authentication method is a significant step forward for this company and also for the Facebook user community. ]

Judge Freezes Righthaven Copyright Suits to Examine Company's Legal Standing (May 20 & 21, 2011)

A federal judge in Colorado has stayed proceedings in 35 pending lawsuits in that state brought by Righthaven against alleged copyright violators. The Las Vegas, Nevada-based company has built a reputation for itself by using a loophole in copyright law to sue blogs for copyright infringement when they post excerpts of previously published material. Righthaven says it is suing on behalf of the copyright holders. The judge says that before allowing the cases to proceed, he wants to be sure that Righthaven has the legal standing to bring the lawsuits.

[Editor's Comment (Northcutt): This is worth reading and taking seriously if your organization posts or handles a lot of information that is accessible on the Internet. Apparently, if you fill out a one page form and file a $105.00 filing fee to the Register of Copyrights, you can avoid a lot of trouble. There is some confusion about exactly what types of sites can receive Safe Harbor protection, but given the cost and level of difficulty to sign up, it seems to make sense.

Firefox Extension Collects Surfing Habit Data (May 20, 2011)

A popular Firefox add-on has been found to collect data about every website the user visits through that browser. The extension, called Ant Video Downloader and Player, has been downloaded more than 7 million times. The tracking occurs even when users have turned on the browser's private browsing mode or are using anonymity services. A Mozilla spokesperson said that the company vets every non-experimental public extension against a list of criteria. She acknowledged that Ant Video Player collects "information about websites users visit in order to power its ranking feature ... and also includes a unique identifier in this communication." She added that the practice was not disclosed in the extension's description and that Mozilla has contacted that company and asked them to amend the description.

******************************* SPONSORED LINKS **************************

1) Love Thy Logs. Get true, enterprise-class log management from ArcSight ... absolutely FREE! What's not to love?

2) Be one of the first to download the Symantec Endpoint Protection 12 Beta. Click Here



Sony BMG Site Attacked (May 23, 2011)

The extensive media coverage of the massive PlayStation Network (PSN) data breach has proven to be a lure for other hackers, as evidenced by continuing attacks against various Sony sites. Attackers have apparently stolen data from Sony BMG Greece. The information that was uploaded to the Internet came from a customer database and includes names and email addresses. The attackers claim to have obtained phone numbers and password hashes as well, but they did not upload that information. The data thieves used an SQL injection attack to gain access to the database. In another incident, Sony subsidiary So-net discovered that an intruder had stolen about US $1,225 in virtual cash.

[Editor's Note (Pescatore): This is like saying publicity about a forest fire caused other forest fires. If you are storing customer data, there are criminals out there trying to steal that data so they can sell it. ]

PSN Account Management System Back Online (May 20, 2011)

The web servers that Sony uses to manage accounts are now operational after being taken offline to fix a security issue that could have been exploited to hijack accounts. The issue affected Sony PSN and Qriocity users, who can once again sign in to their accounts online. The flaw allowed anyone with a user's registered email address and date of birth to reset the password for that user's account.

Qakbot Behind Massachusetts Data Theft (May 20 & 23, 2011)

The Qakbot worm is believed to be responsible for the theft of more than 200,000 unemployment compensation claimants in Massachusetts. Qakbot infected machines operated by the state of Massachusetts and stole more than a gigabyte of data in a ten-day span. The number of machines infected with the Qakbot worm has grown significantly since the beginning of April. The rapid spread of the malware has prompted security warnings.


Apple Reportedly Not Helpful with Scareware Infection (May 20, 2011)

Reports indicate that Apple is shying away from providing customers with support regarding malware infections on Mac devices. In the past few weeks, Mac users have been targeted with scareware; a phony security product calling itself Mac Defender, Mac Protector or Mac Security pops up messages telling users their computers are infected with malware and that they should download certain software to fix the problem. A leaked internal document from Apple indicates that AppleCare employees have been instructed not to "confirm or deny" that users' machines are infected. Apple operating systems have been perceived as more secure than Windows due to security through obscurity - the number of Windows users far outweighs the number of Mac OS X users, making Windows a more appealing target for cyber criminals. However, Apple's increasing presence in the market has heightened its appeal as a target for cyber criminals.



[Editor's Note (Pescatore): I'm not sure Microsoft provided great advice on malware on Windows PCs, nor did Sun on Solaris or RedHat on Linux - why would anyone think Apple would? That is why the third party security market exists. Depending on the infrastructure to protect the infrastructure hasn't worked yet, won't work any time soon. ]

Microsoft IE9 Security Claims Questioned (May 20, 2011)

A security researcher is questioning Microsoft's claims that Internet Explorer 9 (IE9) blocks a significant percentage of attacks. The questions arose in response to a blog posting from Microsoft SmartScreen technology program manager lead Jeb Haber, which listed statistics that showed IE9 blocking a large percentage of attempted malicious downloads onto Windows 7 and Vista machines. The researcher says that the post with Microsoft's claims of successful blocking do not address the fact that IE9 cannot block exploits that target Adobe Reader and Flash, iTunes, or Java.

NASA Confirms FTP Server Breach (May 20, 2011)

NASA has confirmed that an attacker successfully breached security on a Goddard Flight Center FTP server. The same person, a Romanian who uses the online moniker TinKode, breached security at a European Space Agency network in April. TinKode refused requests to discuss the details of the network vulnerability he exploited in the intrusion, but did say that he has not been contacted by NASA. TinKode said he was able to access confidential satellite data.


The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College,

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses ( and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit