SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XI - Issue #100

December 22, 2009

If you are looking for a good news story in cyber security, watch the CNN video about the bright kids who may soon become US cyber guardians. It's the first story in "Rest of the News" and the video can be found here:
http://www.cnn.com/video/#/video/tech/2009/12/21/meserve.hacker.tests.cnn
If you know of young people who have special talent in computers and networks and, yes, hacking, tell them to try their skills in the netwars challenge (www.sans.org/netwars)

PS: The list of user-vetted tools that are actually effective in automating security has been updated with 30 additional products.  Now it is complete enough to use as the short list for most categories of important security automation.
See: https://www.sans.org/critical-security-controls/user-tools.php
Alan

---

TOP OF THE NEWS

White House Names Schmidt as Cybersecurity Coordinator
US Military Drone Video Feeds Will Not Be Encrypted Until At Least 2014
BPI Survey Indicates Filesharing Activity Has Not Waned

THE REST OF THE WEEK'S NEWS

US Cyber Challenge Competition Heats Up
Cyber Security Myths That Need to be Dispelled
Possible Prison Time for Sending Spyware
Netflix Sued for Violating Customer Privacy
WinAmp Update Fixes Five Security Flaws
Adobe Explains Why Critical Fix Will Wait Until January
White House Task Force Makes Agency Information Sharing Recommendations
North Korea Allegedly Stole US/South Korean Military Plans
Attackers Actively Exploiting Adobe Flaws
IE Domain Registry Places Encrypted Copy of its Database With Third Party

---

*********************** Sponsored By Oracle ****************************

REGISTER NOW for the upcoming webcast: Tool Talk: Cybersecurity, Back to the Future
http://www.sans.org/info/52359

*************************************************************************
TRAINING UPDATE

- -- SANS Security East 2010, New Orleans, January 10-18, 2010 19 courses.  Bonus evening presentations include Top 7 Trends in Incident Response and Computer Forensics, Advanced Forensic Techniques and more http://www.sans.org/security-east-2010/
- -- SANS AppSec 2010, San Francisco, January 29-February 5, 2010 Bonus evening presentations include Social Zombies and Cross-Site AJAX Security http://www.sans.org/appsec-2010/
- -- SANS Phoenix, February 14 -February 20, 2010 Bonus evening presentations include Advanced Forensic Techniques: Catching Hackers on the Wire http://www.sans.org/phoenix-2010/
- -- SANS 2010, Orlando, March 6 - March 15, 2010 38 courses and bonus evening presentations, including Software Security Street Fighting Style http://www.sans.org/sans-2010/
- -- SANS Northern Virginia Bootcamp 2010, April 6-13 http://www.sans.org/reston-2010/ Looking for training in your own community? http://sans.org/community/ Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/spring09.php Plus Tokyo, Bangalore, Dublin and Oslo all in the next 90 days. For a list of all upcoming events, on-line and live: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

White House Expected to Name Schmidt as Cybersecurity Coordinator (December 22, 2009)

The Washington Post and The New York Times are reporting that the White House will name Howard A. Schmidt as Cybersecurity Coordinator on Tuesday, December 22.  Schmidt served as special advisor for cyberspace security in the George W. Bush administration from 2001 to 2003.  Prior to that position, Schmidt worked as Microsoft's chief security officer. He has also served as vice president and chief information security officer at eBay and is currently president of the Information Security Forum.
-http://www.washingtonpost.com/wp-dyn/content/article/2009/12/21/AR2009122103055_
pf.html
-http://www.nytimes.com/2009/12/22/technology/internet/22cyber.html
[Editor's Note (Howard): I'd like to congratulate Howard, a fellow NewsBites editor, on his appointment.  There is much work to do, and I wish him the best in his efforts in improving the information security landscape. ]

US Military Drone Video Feeds Will Not Be Encrypted Until At Least 2014 (December 19, 2009)

According to US Air Force officials, encryption of video feeds from the US military's unmanned Predator and Reaper aircraft will not be complete for at least five more years.   Earlier this week, reports emerged that Iraqi insurgents had managed to access the drones' unencrypted video surveillance feeds with a piece of off-the-shelf software that cost less than US $30.  The military has known of the vulnerability for more than a decade, but said the advantage of having the information the drones provided outweighed the risk of unauthorized access.
-http://www.washingtonpost.com/wp-dyn/content/article/2009/12/18/AR2009121804281.
html
[Editor's Note (Pescatore): it has become popular wisdom to say that today the "need to share" should trump the "need to know." This points out why that is a dangerous philosophy for any information that should not be shared with the those who don't have a need to know.
(Ullich): For a security professional, it is sometimes hard to understand these decisions. But one has to keep in mind that security isn't the goal here, but obtaining meaningful and timely intelligence. Losing some of it to the enemy may be an acceptable risk, like for a retailer, it may be better to lose a few customer records then shutting down shop this week.
(Skoudis): This just feels really wrong to me.  5 years?  And that's on top of the 10 years they've known about the issue.  There are crypto modules readily available that can handle all kinds of streaming or stored formats.  Even if the video is analog (which is doubtful), there are tons of different digitization tools available.  Very curious indeed.
(Schultz): Some individuals are critical that the vulnerability described in the story has not been fixed and will not be fixed for several years. Yet at the same time, the military has weighed costs versus benefits and found that the ratio does not justify fixing this vulnerability right away. This is the way things should work when it comes to remediating vulnerabilities.]

BPI Survey Indicates Filesharing Activity Has Not Waned (December 18 & 20, 2009)

According to statistics from the British Phonographic Industry (BPI), illegal filesharing has not declined despite increased efforts by the government to discourage the practice.  The BPI interviewed 3,442 people between the ages of 16 and 54 in the UK; 1,012 said they engaged in illegal filesharing activity.  According to the survey, the use of web-based filesharing methods is on the rise.
-http://www.v3.co.uk/v3/news/2255317/illegal-file-sharing-rife
-http://news.bbc.co.uk/2/hi/entertainment/8420484.stm
-http://arstechnica.com/tech-policy/news/2009/12/music-damn-the-numbers-we-need-l
aws.ars
-http://www.guardian.co.uk/business/2009/dec/18/bpi-survey-filesharing-piracy-thr
iving
[Editor's Note (Pescatore): There was probably a headline in about 1972: "Survey Indicates Cassette Taping of Radio Music Broadcasts Has Not Waned." The toothpaste is not going back in the tube. Actually, this is a good example of what happens when "need to share (or distribute)" is thought of without thinking through "need to know (have.)"
(Ullrich): The question shouldn't be how we prevent file sharing, but how much file sharing the industry can afford, and how to find usable systems to keep the file sharing below this limit. I just purchased a DVD which came with an "electronic copy" of the movie, and have to say that it took "hacking skills" to legally activate the movie. Security has to be usable. Movies that are not sold because of cumbersome DRM will make as little money as movies shared illegally ]

---

************************  Sponsored Links:  ****************************

1) Participation is needed! Help with this year's 2010 SANS Log Management Report by completing the survey, and have a chance to win a $250 AMEX Card. Click here to complete the survey and be automatically registered. http://www.sans.org/info/52364

***********************************************************************

---

THE REST OF THE WEEK'S NEWS

US Cyber Challenge Competition Heats Up (December 21, 2009)

A group of young people recently gathered in the Washington DC area to participate in the "all star" round of the US Cyber Challenge. Described as a national talent search for people with the skills necessary to defend the country's networks and critical infrastructure against cyber attacks, the competition began earlier this year and winnowed participants down fifteen very talented young people.  The goal of the challenge is to identify and the top US talent in cyber security and nurture them to help bolster the US's cyberspace profile. CNN Video:  
-http://www.cnn.com/video/#/video/tech/2009/12/21/meserve.hacker.tests.cnn?iref=a
llsearch
-http://www.cnn.com/2009/TECH/12/21/cyber.challenge.hackers/index.html
[Editor's Note (Skoudis): This is an exciting competition that emphasizes technical excellence, and helps people further build their skills.  Kudos to the participants, as well as to Jim Shewmaker, the technical mastermind orchestrating the NetWars challenge. ]

Cyber Security Myths That Need to be Dispelled (December 21, 2009)

Melissa Hathaway, who earlier this year prepared the Cyberspace Policy Review for the Obama administration, says that we as individuals, organizations, governments and a nation need to shatter long-held myths about cyber space security and take steps to mitigate threats.  Some of the myths behind which these threats lurk include the notion that firewalls and antivirus software offer adequate protection from breaches; the idea that the government has solutions for cyber security problems; and the idea that "laws are keeping pace with technological innovation."
-http://blog.executivebiz.com/five-myths-about-cybersecurity/6102

Possible Prison Time for Sending Spyware (December 21, 2009)

An Ohio man could face time in prison for sending spyware to a woman's computer.  Scott Graham sent the spyware surreptitiously as an email attachment; the recipient opened the mail on two computers at her workplace: Akron Children's Hospital.  The software harvested confidential medical procedure and financial information.  The spyware was discovered because it was slowing down the hospital's computer system.  The software is legal to use on computers owned by the person who purchases it.  Graham has pleaded guilty to one felony charge of intercepting electronic communications.
-http://www.coshoctontribune.com/article/20091221/NEWS01/912210309/1002/NEWS01/Cl
eveland-man-faces-prison-on-e-mail-spying-charge

Netflix Sued for Violating Customer Privacy (December 21, 2009)

An Ohio woman is suing Netflix for invading her privacy.  The suit stems from a contest in which Netflix offered US $1 million for the best new system for improving its movie recommendations for customers.  Netflix provided the contestants with information about the viewing habits of nearly 500,000 customers without the customers' consent.  The suit alleges that the data provided to the contestants were insufficiently anonymized.  The plaintiff, who is identified only as Jane Doe in the suit, is a closeted lesbian and maintains that the information about her viewing habits could reveal her identity.
-http://www.theregister.co.uk/2009/12/21/netflix_privacy_flap/
-http://www.homemediamagazine.com/legal-news/netflix-sued-breach-privacy-17917
[Editor's Note (Ullrich): This is very similar to the AOL search result fiasco. "Anonymized" doesn't mean anonymous if enough data can be correlated. ]

WinAmp Update Fixes Five Security Flaws (December 18 & 21, 2009)

WinAmp users are urged to upgrade to version 5.57 of the media player to protect their computers from attacks through five vulnerabilities that could be exploited to inject code or corrupt memory.  Many of the vulnerabilities are due to boundary errors in the Module Decoder Plug-In.  Attackers would need to manipulate users into opening maliciously crafted media files for exploits to be effective.
-http://www.theregister.co.uk/2009/12/21/winamp_update/
-http://www.h-online.com/security/news/item/Winamp-5-57-eliminates-vulnerabilitie
s-890037.html
-http://blog.winamp.com/2009/12/17/winamp-5-57-is-now-available/
-http://www.winamp.com/help/Version_History#Winamp_5.57_.28Latest.29

Adobe Explains Why Critical Fix Will Wait Until January (December 18, 2009)

Adobe director for product security and privacy Brad Arkin says the company decided to wait until its scheduled January 12, 2010 security update to fix a recently disclosed critical PDF flaw.  Arkin said that releasing an out-of-cycle patch would push the scheduled update out an additional month.  The PDF flaw has been actively exploited since late November.  Adobe has offered a temporary workaround so users can protect their computers until the patch is made available.  The workaround uses the JavaScript Blacklist Framework to protect computers from known vulnerabilities without preventing JavaScript from functioning entirely. Arkin added that rolling out two updates would prove more expensive and time consuming for companies that need to apply the patches.
-http://www.computerworld.com/s/article/9142479/Adobe_explains_PDF_patch_delay?ta
xonomyId=17
[Editor's Note (Pescatore): I think the real issue here is that it seems Adobe was behind the curve in getting started on this patch. Some reports have said attacks were seen in the wild on November 20, while Adobe says it learned of them on December 14th. Getting a better pipeline to legitimate security researchers should be a priority. Next step, given the quantity of vulnerabilities being found in Adobe's products, should be thinking about monthly, not quarterly, patch releases. Then, of course, fix the root cause of the problem.
(Honan): Since when did Adobe start doing free risk assessments for companies?  I am sure many companies "that need to apply the patches" would rather have the patches available and decide in accordance with their own risk management framework whether or not to deploy them. Adobe need to address the security issues with their applications or, courtesy of Didier Stevens
-http://blog.didierstevens.com/,
PDF will become better known as Penetration Document Format.
(Ullrich): Here we are almost to the day 4 years after Microsoft learned a painful lessons with the WMF bug, and Adobe is struggling with the same issues. A regular patch cycle is great and preferred. But it can't mean that you leave customers hanging defenseless against an in-the-wild exploit.
(Skoudis): Adobe's patching process comes into question yet again.  It's been a rough couple years for Adobe security updates, and I don't see it getting better.  I offer three words of advice: COPY MICROSOFT'S APPROACH. ]

White House Task Force Makes Agency Information Sharing Recommendations (December 18, 2009)

A White House task force has recommended that government agencies focus on ways to share sensitive information more effectively before addressing data security issues that accompany data sharing.  There are presently more than 100 classifications for sensitive data among government agencies.  The recommendations say agencies should standardize terminology and data handling procedures and then work on IT security issues.  Agencies can share data even if their security policies are not aligned as long as they are clear with each other about how the information should be handled.
-http://www.nextgov.com/nextgov/ng_20091218_2348.php?oref=topstory
[Editor's Note (Ranum): Distributed data is distributed vulnerability. I'm not saying "don't share," but rather that we shouldn't be surprised if this ushers in a new era of increased leakage.
(Pescatore): Another "need to share" trumps "need to know." Please see the GPO's inadvertent release of a sensitive document on nuclear material storage, the VA losing 27 million veterans records, etc. etc. Not a bad idea to address the problems of the different classifications, but a very bad idea focus on sharing without worrying about exposing PII or other sensitive government information. ]

North Korea Allegedly Stole US/South Korean Military Plans (December 18 & 21, 2009)

The South Korean military has launched an investigation into allegations that North Korean hackers stole joint US/South Korean defense plans describing the countries' strategy in the event of a North Korean pre-emptive strike or other military provocation.  The alleged breach was facilitated by an officer leaving a USB storage device in his machine when he connected to the Internet.
-http://english.chosun.com/site/data/html_dir/2009/12/18/2009121800317.html
-http://www.forbes.com/2009/12/21/korea-hackers-software-technology-cio-network-h
ackers.html

Attackers Actively Exploiting Adobe Flaws (December 18, 2009)

Hackers exploited a vulnerability on a movie review website to redirect visitors to a server containing a maliciously crafted PDF file.  The attackers exploited a vulnerability in a PHP script on one of the movie site's servers.  The PDF file exploits two known and patched Adobe Reader vulnerabilities.   There are also reports that attackers are exploiting a recently disclosed and unpatched flaw in Adobe Reader on an online comic strip syndication service.
-http://www.theregister.co.uk/2009/12/18/aintitcool_malware_attack/
-http://voices.washingtonpost.com/securityfix/2009/12/hackers_exploit_adobe_reade
r_f.html

IE Domain Registry Places Encrypted Copy of its Database With Third Party (December 18, 2009)

The IE Domain Registry has made arrangements to have an encrypted copy of its database held by a third party.  The step is just the latest move by IEDR to ensure the security and stability of the .ie domain; it has been ranked the second safest domain name in the world.
-http://www.siliconrepublic.com/news/article/14733/comms/new-security-safeguards-
to-protect-ie-registry
[Editor's Note (Pescatore): it is a good idea for the TLDs to be absolutely rock solid, DNS is basically the dial tone of the Internet. The recent Twitter DNS redirection points out why any enterprise that makes business use of the Internet needs to make sure its DNS administrative procedures *and* the DNS services it depends on are rock solid, too. ]

---

**********************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa).  He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/