SANS NewsBites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XI - Issue #56

July 17, 2009



TOP OF THE NEWS

Researchers Find IP Address of Command Server Used in US and South Korea Cyber Attacks
Proposed Legislation Would Require State Dept. to Work on Global Cyber Crime Response
Top Cyber Analysts See Denial of Service Attacks As Very Minor

THE REST OF THE WEEK'S NEWS

ARRESTS, INDICTMENTS & SENTENCES
Construction Blacklist Database Administrator Fined
Former IT Director Sentenced for Cyber Damage
Former Admin Sentenced for Cyber Attack
DATA PROTECTION & PRIVACY
Five NHS Trusts Sign Undertakings to Comply with Data Protection Act
VULNERABILITIES
Critical Flaw in Firefox 3.5
MALWARE
Blackberry Update Found to Contain Spyware
UPDATES AND PATCHES
Oracle's Quarterly Security Release
Microsoft Issues Six Security Bulletins
ATTACKS & ACTIVE EXPLOITS
Twitter Company Data Compromised
Eircom Investigating Attack
STUDIES AND STATISTICS
Survey Finds One-Third of Users Respond to Spam
Cisco 2009 Midyear Security Report
MISCELLANEOUS
Is Virtual Desktop Infrastructure (VDI) Right for Me? -- By Tim Proffitt and Emilio Valente


********************** Sponsored By Cisco Systems ***********************

The Cisco 2009 Midyear Security Report presents an update on global security threats and trends. This overview of Cisco security intelligence highlights threat information and trends from the first half of 2009. The report also includes recommendations from Cisco security experts and predictions of how identified trends will evolve. Please click thru for the report. http://www.sans.org/info/46114

*************************************************************************

TRAINING UPDATE

- SANS Network Security, San Diego Sept. 14-22; the Fall's biggest security training conference-- 20 full length courses and 16 short courses plus a big exhibition http://www.sans.org/ns2009
- SANS Boston, Aug 2-9 (6 full-length hands-on courses) https://www.sans.org/boston09/index.php
- The Virtualization and Cloud Security Summit on August 17-18 in Washington; courses in the following days http://www.sans.org/info/43118
Looking for training in your own community? http://sans.org/community/ Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/spring09.php
Plus Amsterdam, London, Dubai, Riyadh, Cairo, Melbourne, Canberra, and Singapore all in the next 90 days. For a list of all upcoming events, on-line and live: www.sans.org

*************************************************************************


TOP OF THE NEWS

Researchers Find IP Address of Command Server Used in US and South Korea Cyber Attacks (July 14, 2009)

A Vietnamese security company has reportedly identified the Internet protocol (IP) address of the command server that controlled the botnet responsible for the cyber attacks on US and South Korean government and commercial websites. The IP address is registered in the UK. The estimated 167,000 PCs that were used to launch the attacks had instructions to get information from one of eight random servers to learn the targets of the attacks; those random servers received their information from the command server. The fact that the command server has been located in no way indicates that the attackers are in the UK, because it is not known who controls the servers.
-http://www.v3.co.uk/v3/news/2245988/authorities-close-south-korea
-http://www.scmagazineus.com/Investigation-of-government-DDoS-attacks-deepens/article/140011/
-http://www.computerworld.com/s/article/9135532/Probe_into_cyberattacks_stretches_around_the_globe?source=rss_security

Proposed Legislation Would Require State Dept. to Work on Global Cyber Crime Response (July 14, 2009)

In response to the recent cyber attacks on government and commercial web sites in the US and South Korea, US Senator Kirsten Gillibrand (D-NY) has introduced legislation that would require the Department of State to work with governments around the world to foster a united response to cyber attacks. The State Department would be required to encourage international cooperation in improving cyber security on a global basis; push for a set of international agreements and law enforcement cooperation to stop cyber attacks and cyber crime; and develop appropriate safeguards for the protection of privacy, freedom of speech, and commercial transactions to be included in any agreements or other activities designed to safeguard cyber space. The Secretary of State would have nine months from the date the bill passes to submit a report to Congress detailing those efforts. The proposed legislation echoes the Obama administration's cyberspace policy review, published earlier this year, which states that international norms are critical to establishing a secure and thriving digital infrastructure.
-http://fcw.com/articles/2009/07/14/web-senate-bill-cybersecurity-international-cooperation.aspx
-http://gillibrand.senate.gov/newsroom/press/release/?id=b46b179a-d3ac-4cad-a11c-a3c869d8a7df

[Editor's Note (Schultz): The only sane solution to the US government's continued susceptibility to barrages of attacks from abroad is to abandon the strategy of "trying to go it alone" and instead work in close cooperation with other countries. The proposed legislation thus makes considerable sense.]

Top Cyber Analysts See Denial of Service Attacks As Very Minor (July 16, 2009)

"The physical equivalent of this would have been an attack using hot-air balloons," said CSIS's Jim Lewis. Others echoed his remarks. Most of the U.S. sites targeted were only marginally affected, but those of some government agencies, including the Federal Trade Commission and the Secret Service, were temporarily knocked offline.
-http://www.washingtontimes.com/news/2009/jul/16/july-4-cyberattack-called-very-minor/



*************************** SPONSORED LINKS******************************

1) Be Sure to Register for the Managing Change and Event Monitoring for Sustainable NERC CIP Compliance Webcast w/ CoreTrace & NitroSecurity http://www.sans.org/info/46119
2) Be sure to Register for the Thursday, July 23rd Webcast: HP Tackles Cloud Application Security http://www.sans.org/info/46124

*************************************************************************

THE REST OF THE WEEK'S NEWS

Construction Blacklist Database Administrator Fined (July 16, 2009)

The man who maintained a blacklist database of builders in Britain has been fined GBP 5,000 (US $8,219) by the Crown Court. Ian Kerr kept information on more than 3,200 workers in the building industry; the workers were not aware of the database's existence. Companies paid a service fee of GBP 3,000 (US $4,931) annually for access to the database, plus an additional GBP 2.20 (US $3.62) for each name accessed. The Information Commissioner's Office (ICO) intends to take enforcement action against the construction companies that used the database.
-http://www.theregister.co.uk/2009/07/16/blacklist_builders_ico/
-http://news.bbc.co.uk/2/hi/uk_news/england/8153754.stm

Former IT Director Sentenced for Cyber Damage (July 15, 2009)

Danielle Duann of Houston, TX has been sentenced to two years in prison for a cyber attack on her former employer's computer network. Duann was fired from her position as IT director at LifeGift Organ Donation Center on November 7, 2005. Starting that evening and continuing throughout the following day, Duann repeatedly accessed the LifeGift network from her home without authorization and deleted database files, software applications and backup files. Duann also admitted to disabling logging functions on some servers and erasing logs that contained evidence of her unauthorized access. Upon completion of her prison term, Duann will serve three years of supervised release; she has also been ordered to pay US $94,222 in restitution.
-http://houston.fbi.gov/dojpressrel/pressrel09/ho071509.htm

Former Admin Sentenced for Cyber Attack (July 15, 2009)

Lesmany Nunez was sentenced to one year in prison for a cyber attack on his former employer's computer network. Nunez was employed as a support administrator at Quantum Technology Partners from August 2006 until May 2007. In August 2007, Nunez accessed Quantum's network using an administrator password. He then proceeded to change all IT admin passwords, shut down servers, and delete files. Quantum's network was shut down for nearly a week. Nunez will serve three years of supervised release following his prison term; during the supervised release, he will be required to perform 100 hours of community service teaching young people about the dangers of hacking. He was also ordered to pay US $31,560 in restitution.
-http://www.theregister.co.uk/2009/07/15/it_admin_sentenced/
-http://miami.fbi.gov/dojpressrel/pressrel09/mm071409.htm

Five NHS Trusts Sign Undertakings to Comply with Data Protection Act (July 14 & 16, 2009)

Five NHS Trusts have signed formal undertakings with the Information Commissioner's Office (ICO) in which they agree to comply with the seventh data protection principle of the Data Protection Act, which states that appropriate technical and organisational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. The incidents that prompted the undertakings include a stolen unencrypted memory stick; insecurely stored hospital records; stolen unencrypted laptops; and the loss of an unencrypted computer disk.
-http://news.zdnet.co.uk/security/0,1000000189,39684306,00.htm
-http://www.ico.gov.uk/what_we_cover/data_protection/enforcement.aspx
-http://www.opsi.gov.uk/acts/acts1998/ukpga_19980029_en_9

Critical Flaw in Firefox 3.5 (July 14 & 15, 2009)

A critical memory corruption flaw in the Just-in-time JavaScript compiler in Firefox could be exploited to take control of vulnerable computers. The flaw affects Firefox 3.5, the most recent version of the browser; earlier versions do not appear to be affected. The compiler is part of the TraceMonkey JavaScript engine. Mozilla has suggested workarounds for users to protect their computers until a fix is available. Users are also urged to avoid untrusted websites and links.
-http://www.theregister.co.uk/2009/07/14/unpatched_firefox_bug/
-http://www.computerworld.com/s/article/9135549/Firefox_3.5_s_first_vulnerability_self_inflicted_says_scientist?source=rss_security
-http://news.cnet.com/8301-1009_3-10287172-83.html?part=rss&subj=news&tag=2547-1009_3-0-20
-http://www.h-online.com/security/Mozilla-confirms-critical-vulnerability-in-Firefox-3-5--/news/113772
-http://voices.washingtonpost.com/securityfix/2009/07/stopgap_fix_for_critical_firef.html
-http://blog.mozilla.com/security/2009/07/14/critical-javascript-vulnerability-in-firefox-35/

[Editor's Note (Northcutt): or just run the NoScript plugin for Firefox and sleep soundly at night:
-http://noscript.net/]

Blackberry Update Found to Contain Spyware (July 14, 2009)

A United Arab Emirates service provider pushed out a BlackBerry update that contains spyware capable of intercepting users' email and text messages and sending them back to the server. The performance-enhancement patch was sent as a WAP Push message to 100,000 users. Its spyware capabilities were discovered only after one user took a closer look at the update because it appeared to be draining the device's battery. The battery was being drained because the application was trying to register with a central server that became overwhelmed with the traffic, so the devices repeatedly tried to make contact.
-http://www.theregister.co.uk/2009/07/14/blackberry_snooping/
-http://www.wired.com/threatlevel/2009/07/blackberry-spies/

Oracle's Quarterly Security Release (July 16, 2009)

Oracle has issued its quarterly Critical Patch Update to address 30 security flaws in seven product lines. The affected products include Oracle Database; Oracle Application Server; Oracle E-Business Suite and Applications; Oracle Enterprise Manager; Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne; Oracle Siebel Enterprise; and BEA Product Suite. The update also addresses non-security issues that arise as a result of interdependencies between the patches. Users are urged to apply the updates as soon as possible.
-http://www.scmagazineus.com/Oracle-issues-security-patches-across-seven-product-lines/article/140106/
-http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2009.html

Microsoft Issues Six Security Bulletins (July 14 & 15, 2009)

On Tuesday, July 14, Microsoft released six security bulletins to address flaws in a variety of the company's products, including Windows, Microsoft Office, Internet Security and Acceleration Server, Virtual PC and Virtual Server. Three of the bulletins have maximum severity ratings of critical; the other three were rated important. One of the vulnerabilities, a remote code execution flaw in DirectShow, is being actively exploited. A flaw for which Microsoft issued an advisory earlier this week remains unpatched.
-http://www.h-online.com/security/Six-patches-on-Microsoft-s-July-patch-day--/news/113767
-http://www.computerworld.com/s/article/9135517/Microsoft_patches_9_bugs_leaves_one_open_for_hackers?taxonomyId=17

-http://gcn.com/Articles/2009/07/15/Microsoft-plugs-ActiveX-security-holes.aspx

-http://news.cnet.com/8301-27080_3-10286526-245.html?part=rss&subj=news&tag=2547-1009_3-0-20
-http://www.scmagazineus.com/Microsoft-distributes-six-patches-for-nine-vulnerabilities/article/140057/


-http://www.securityfocus.com/brief/986
-http://voices.washingtonpost.com/securityfix/2009/07/microsoft_patches_nine_securit.html

-http://www.microsoft.com/technet/security/bulletin/ms09-jul.mspx

Twitter Company Data Compromised (July 15 & 16, 2009)

Twitter is consulting its legal team following a cyber attack that exposed internal documents. The intruder gained access to the system by breaking into a Twitter employee's email account and sent documents containing information about Twitter's finances and future plans to two blogs. Twitter says the documents do not contain information about users' accounts, but Twitter employee credit card numbers were compromised, as were the Amazon, PayPal and other Internet accounts belonging to Twitter CEO Evan Williams.
-http://www.siliconrepublic.com/news/article/13433/digital-life/twitter-talks-to-lawyers-over-hack-attack
-http://www.techweb.com/article/showArticle?articleID=218500870&section=News
-http://www.securecomputing.net.au/News/150239,email-hack-brings-big-data-breach-for-twitter.aspx
-http://www.scmagazineus.com/Intellectual-property-belonging-to-Twitter-exposed-in-hack/article/140157/
-http://www.nytimes.com/2009/07/16/technology/internet/16twitter.html?_r=1&ref=technology
-http://bits.blogs.nytimes.com/2009/07/15/the-debate-over-publishing-stolen-twitter-documents/?ref=technology
-http://news.bbc.co.uk/2/hi/technology/8153122.stm
-http://news.cnet.com/8301-17939_109-10287558-2.html?part=rss&subj=news&tag=2547-1009_3-0-20

Eircom Investigating Attack (July 14 & 15, 2009)

Irish Internet service provider (ISP) Eircom is investigating an apparent distributed denial-of-service (DDoS) attack that prevented the majority of its 500,000 customers from accessing the Internet for about five hours earlier this week. This is the second disruption Eircom has experienced in as many weeks; last week, a domain name server (DNS) outage redirected Eircom users to websites they did not intend to visit.
-http://www.independent.ie/business/technology/eircom-is-closing-in-on-cyber-attackers-1822003.html
-http://www.siliconrepublic.com/news/article/13409/comms/eircom-hit-by-another-suspected-hacker-attack

-http://www.irishtimes.com/newspaper/breaking/2009/0714/breaking15.htm
-http://www.theregister.co.uk/2009/07/14/eirocm_downtime_again/
[Editor's Note (Northcutt): Hold the fort, this is the same country that let British Telecom work with Phorm to run secret trials of monitoring people's ISP use and did nothing? Clearly I do not understand why one case is wrong and the other is OK?
-http://en.wikipedia.org/wiki/Phorm
-http://paidcontent.co.uk/topic/bt/P40/
(Honan): Eircom is the largest ISP in Ireland and as such, by default, is part of the nation's critical infrastructure. While the motives behind this attack are still unknown, it should serve as a major wake-up call to the powers that be in Ireland. Other countries are taking the whole area of cyber security much more seriously, and if Ireland is going to build its economy on technology and knowledge industries we need to follow the recent examples of the US, France and the UK in establishing departments dedicated to tackling this issue.]

Survey Finds One-Third of Users Respond to Spam (July 16, 2009)

Nearly one-third of 800 people surveyed by the Messaging Anti-Abuse Working Group (MAAWG) said they had responded to messages that were probably spam. While some of the people clicked on links by accident or even out of curiosity, twelve percent of those surveyed said they had responded because they were genuinely interested in the product or service advertised. Eight percent of the respondents said they did not believe it was likely that their computers would be infected with malware and recruited for use in sending spam.
-http://www.theregister.co.uk/2009/07/16/spam_response_survey/

Cisco 2009 Midyear Security Report (July 14, 2009)

Cyber criminals are taking their cues from the business world, according to a new Cisco report. In addition to creating business and marketing plans, cyber criminals are developing new techniques to keep pace with emerging technology and exploit the ever-shifting winds of interest in popular culture. Criminals are also turning more frequently to SMS text messages to lure victims, and are increasingly using a technique that has been dubbed smishing, in which phishing links are sent to smart phones where a user can click on the link. SMS attacks are also being used to send messages that appear to come from financial institutions and ask the recipients to call a number and verify account information. Cyber criminals have also developed niche services, such as scanning malware to see if it will be blocked, or breaking CAPTCHA tests.
-http://www.csoonline.com/article/print/497120
-http://www.darkreading.com/database_security/security/cybercrime/showArticle.jhtml?articleID=218500487

Is Virtual Desktop Infrastructure (VDI) Right for Me? By Tim Proffitt and Emilio Valente

Virtual Desktop Infrastructure (VDI) is a solution for server-hosted, virtual desktop computing that leverages thin client architecture and centralizes endpoint images as virtual machines. Although VDI presents numerous and substantial benefits, is it the panacea for all types of environments? Is this technology mature enough to deliver what is virtually promising? The focus of our research is to help companies that plan to evaluate this new technology for deployment. We hope you will find it useful!
-http://www.sans.edu/resources/student_projects/


**********************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/