SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XI - Issue #60

July 31, 2009

Two Cyber Career Questions:
(1) Part of making cyber security careers cool is showing there are places where salaries are phenomenal. We are collecting anecdotal evidence of young professionals whose careers have accelerated quickly (no names needed) that we can use as examples. If you know of examples where people have gotten rapid increases in salary (particularly in
supporting national defense missions), please send me a note at apaller@sans.org.

(2) If you have been working on defining cyber warrior and cyber guardian career paths, please join the group that is working on building consensus on the common skills and specialized skills the nation needs.
(again mbrown@sans.org)



Alan

---

TOP OF THE NEWS

P2P Leaks of Government Data Prompt Promise of Legislation
Smart Grid Grant Applicants Must Demonstrate They Take Security Seriously
AT&T Blocked 4chan to Prevent DDoS Attack From Spreading
Research Shows Digital Certificate Warnings are Ineffective

THE REST OF THE WEEK'S NEWS

ARRESTS, INDICTMENTS & SENTENCES
Dutch Spammer Fined
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
Center for Democracy & Technology Seeks Information About Computer Monitoring System
VULNERABILITIES
Fixes Available for BIND Vulnerability
UPDATES AND PATCHES
Adobe Releases Flash Player Security Update
Typo Responsible for Out-of-Cycle Microsoft Patch
Microsoft Issues Two Out-of-Cycle Bulletins
MALWARE
Clampi Trojan Steals Account Data
STUDIES AND STATISTICS
Scareware Purveyors are Turning a Hefty Profit
MISCELLANEOUS
Undersea Cable Damage Causes Internet Outages in West Africa
INVITATION TO PARTICIPATE IN NATIONAL DIALOGUE FOR QUADRENNIAL HOMELAND SECURITY REVIEW

---

************************* Sponsored By Symantec *************************

Ponemon Report: Data Loss During Downsizing According to a research study conducted by the Ponemon Institute, more than half of ex-employees admit to stealing company data. Download this report to view survey results and to see how you can protect your organization from being so vulnerable.
Download report at https://www.sans.org/info/46728

*************************************************************************

TRAINING UPDATE

- - SANS Network Security, San Diego Sept. 14-22; the Fall's biggest security training conference-- 20 full length courses and 16 short courses plus a big exhibition https://www.sans.org/ns2009
- - SANS Boston, Aug 2-9 (6 full-length hands-on courses) https://www.sans.org/boston09/index.php
- - The Virtualization and Cloud Security Summit on August 17-18 in Washington; courses in the following days https://www.sans.org/info/43118
Looking for training in your own community? https://sans.org/community
- - Save on On-Demand training (30 full courses)
- See samples at https://www.sans.org/ondemand/
For a list of all upcoming events, on-line and live: http://www.sans.org

*************************************************************************

---

TOP OF THE NEWS

P2P Leaks of Government Data Prompt Promise of Legislation (July 29 & 30, 2009)

US Representative Edolphus Towns (D-NY) plans to introduce legislation prohibiting the use of peer-to-peer (PP2) filesharing software on government and government contractor computers. Representative Towns also said he may launch an investigation into whether P2P software providers "should be held accountable for users' failure to implement safeguards." Poorly configured P2P programs can allow sharing of files that users did not intend to share. P2P programs have reportedly inadvertently shared information about presidential motorcade routes, a Secret Service safe house for former first lady Laura Bush, and personal information of more than 220,000 soldiers and hospital patients.
-http://www.washingtonpost.com/wp-dyn/content/article/2009/07/29/AR2009072902273_
pf.html
-http://voices.washingtonpost.com/securityfix/2009/07/report_locations_of_all_us_
nuc.html
-http://www.computerworld.com/s/article/9136053/Details_on_presidential_motorcade
s_safe_house_for_First_Family_leak_via_P2P?taxonomyId=17
-http://www.smh.com.au/technology/technology-news/topsecret-obama-safe-house-leak
ed-on-limewire-20090730-e267.html
-http://www.nextgov.com/nextgov/ng_20090729_2566.php?oref=topnews
-http://www.nextgov.com/nextgov/ng_20090729_3555.php?oref=topnews
-http://www.reuters.com/article/technologyNews/idUSTRE56S4T420090729
-http://www.internetnews.com/government/article.php/3832556/Data+of+Soldiers+Hosp
ital+Patients+Found+on+P2P.htm
[Editor's Comment (Pescatore): Very rarely do good things happen when technologists try to make public policy *or* when politicians try to dictate technology. In just about every incident cited, the use of file sharing software was already a policy violation - the incidents pointed out failures in security programs and technical controls that were not in place to *implement* the policy. In many cases, yet another over reliance on "well, we told them not to do that."
(Northcutt): Hats off to NewsBites complier Kathy Moss Bradford; that is stellar research. Does anyone remember the web site "See what you share on P2P". I was told once the US Govt paid him to quit posting to it because he was embarrassing them so badly, but that is probably an urban legend. What is fact however, is that just forbidding P2P with legislation is probably not the right answer, collaboration tools use this technology and BitTorrent is an awesome protocol for moving a pile of data from one place to another. Instead, we need to control what can run, I think the best way to do this is Whitelist endpoint security tools like Bit9, CoreTrace and Savant Protection. If you are using an endpoint security tool and you feel it has (or has not) given you control at the application level I would love to hear from you, stephen@sans.edu
(Ranum): It's ridiculous to try to hold P2P service providers responsible for government agencies' inability to build and manage secure networks. If Representative Towns would like to actually see progress made in this area, he should introduce legislation holding agency management and staff responsible for the failures of their agencies.]

Smart Grid Grant Applicants Must Demonstrate They Take Security Seriously (July 28, 2009)

The US Department of Energy says that companies hoping for federal grants designated for the country's smart grid will first need to demonstrate that they have implemented policies and procedures to protect their systems from cyber attacks. The government has designated US $3.9 billion for smart grid grants as part of the federal stimulus package. The goal is to create new jobs while making the country's power supply more efficient and reliable.
-http://www.washingtonpost.com/wp-dyn/content/article/2009/07/27/AR2009072702988_
pf.html
[Editor's Note (Pescatore): Just like making security a top rated evaluation criterion in all RFPs, this *can* be a good thing. Should be more than demonstrate policies and procedures - demonstrate security is baked-in to the actual smart grid.
(Northcutt): This is a bit confusing. "We haven't described how to address the requirements, because we're trying to leave the door to innovation open," said Hank Kenchington, a senior manager with the Energy Department's Office of Electric Delivery and Energy Reliability. "But we do say -- even if an award scored 'A' grades on all aspects but doesn't address cyber - we reserve right to not go forward with that grant." ]

AT&T Blocked 4chan to Prevent DDoS Attack From Spreading (July 28, 2009)

AT&T says it blocked access to parts of the 4chan website to prevent a distributed denial-of-service (DDoS) attack from spreading and affecting service for other AT&T customers. Earlier reports suggested that the decision to block portions of the site was due to content, but AT&T issued a statement saying that "this action was in no way related to the content at img.4chan.org; our focus was on protecting our customers from malicious traffic." 4chan founder Christopher Poole said the site had been under attack for several weeks, but that AT&T did not contact him before making the decision to block access.
-http://www.informationweek.com/news/internet/security/showArticle.jhtml?articleI
D=218700145
[Editor's Note (Pescatore): Just like Google making it much harder for you to go to a malware site when it turns up on your search list, what AT&T did is a good thing. However, the evolving definition of "net neutrality" does need to include some definition of standard means to define blocking known malicious sites. ]

Research Shows Digital Certificate Warnings are Ineffective (July 28 & 29, 2009)

Researchers at Carnegie Mellon found that digital certificate warnings are not an effective security tool. The majority of the more than 400 study participants said they would ignore a warning about an expired Secure Sockets Layer (SSL) certificate. In fact, the more knowledgeable the users were about technology, the more likely they were to ignore the warning. While certificates usually expire for reasons that do not present serious concerns, an expired certificate can indicate a man-in-the-middle attack. A second study of just 100 users found that Firefox users are least likely to ignore expired certificate warnings. The researchers recommended doing away with expired certificate warnings and instead preventing users from making unsafe connections.
-http://news.cnet.com/8301-1009_3-10297264-83.html?part=rss&subj=news&tag
=2547-1009_3-0-20
-http://www.h-online.com/security/Study-says-SSL-certficate-warnings-are-as-good-
as-useless--/news/113879
[Editor's Note (Pescatore): The problem is that the vast majority of expired certificates do *not* represent "unsafe" connections. The real problem is that SSL use does *NOT* represent a safe connection at all. Standard SSL certs don't give you any assurance that you are connecting to whom you think you are.
So, two things:
(1) companies need to do a better job of certificate management to renew their certs before they expire; and (2) the members of the CA/Browser Forum need to invest a whole lot more in raising the awareness of Extended Validation certificates and the green URL bar *and* in making sure that the CA industry doesn't lower the bar in the rigor of issuing EV certs. Of course, then a study will show people ignore *that* but hey - may people just turn up the volume on their radio when their car engine makes funny noises, too.
(Ranum): As the caption says "certificates usually expire for reasons that do not indicate serious concerns" - that's WHY most knowledgeable users ignore them. Because we understand how little integrity there actually is in web transactions and don't get unduly bent out of shape about it. ]

---

*************************** SPONSORED LINKS******************************

1) ***NEW*** SANS Free Vendor Audio Casts! Visit the SANS Reading Room and click on the Free Vendor Audio Casts link. http://www.sans.org/info/46729
2) WEBCAST: How Browser Exploits Lead to Web 2.0 Hacking with keynote from IDC http://www.sans.org/info/46734
3) Be Sure to Register for the upcoming webcast: AV Migration - Should You Stay or Should You Go? http://www.sans.org/info/46739

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

Dutch Spammer Fined (July 28 & 29, 2009)

A Dutch spammer has been fined 250,000 euro (US $353,000) by the Dutch Independent Post and Telecommunications Authority (OPTA). Reinier Schenkhuizen allegedly did not provide recipients of the unsolicited commercial emails a way to unsubscribe. OPTA said that Schenkhuizen is a "persistent spammer." The fine will increase by 5,000 euros (US $7,059) each day Schenkhuizen continues to send spam to a maximum of 100,000 euros (US $141,000). Schenkhuizen maintains he is merely a software developer who happens to maintain a mailing portal.
-http://www.theregister.co.uk/2009/07/28/dutch_spam_fine/
-http://news.softpedia.com/news/Dutch-Software-Developer-Fined-a-Quarter-Million-
Euros-for-Spam-117841.shtml

Center for Democracy & Technology Seeks Information About Computer Monitoring System (July 28, 2009)

The Center for Democracy & Technology (CDT) has published a report calling for the US government to release information about the Einstein computer monitoring system. The report specifically asks for information on the National Security Agency's (NSA) role in the Einstein program, the legal authority for Einstein, and the privacy impact Einstein poses for those communicating through government systems. Einstein is purportedly an intrusion detection system that scans government networks for malicious code or suspicious activity. The Department of Homeland Security (DHS) currently uses Einstein 2. Einstein 3, which is still under development, reportedly has the capability to read the contents of Internet traffic, including email.
-http://cdt.org/security/20090728_einstein_rpt.pdf
-http://www.commondreams.org/newswire/2009/07/28-17

Fixes Available for BIND Vulnerability (July 29, 2009)

The Internet Software Consortium has issued an urgent alert warning of a security flaw in BIND that can be exploited to crash vulnerable Domain Name System (DNS) servers using a single maliciously crafted dynamic update packet. The flaw is already being actively exploited. ISC urges system administrators to upgrade to versions 9.4.3-P3, 9.5.1-P3 or 9.6.1-P1. The vulnerability affects BIND servers that act as masters; slave systems are not affected.
-https://www.isc.org/node/474
-http://www.theregister.co.uk/2009/07/29/bind_flaw/
-http://www.h-online.com/security/BIND-name-server-vulnerable-to-DoS-attacks--/ne
ws/113872

Adobe Releases Flash Player Security Update (July 30, 2009)

Adobe has issued security updates to fix a critical vulnerability in Flash Player. The flaw could be exploited to take control of vulnerable computers. The flaw is reportedly being actively exploited. Adobe issued updates for Flash Player versions 9 and 10 for Windows, Macintosh, and Linux. An update for Solaris has not yet been released. Adobe also said it expects to release updates for Reader and Acrobat for Windows, Macintosh and UNIX by Friday, July 31.
-http://news.cnet.com/8301-1009_3-10300329-83.html?part=rss&subj=news&tag
=2547-1009_3-0-20
-http://www.adobe.com/support/security/bulletins/apsb09-10.html

Typo Responsible for Out-of-Cycle Microsoft Patch (July 29 & 30, 2009)

The critical vulnerability Microsoft addressed in an out-of-cycle security release earlier this week is due to an extra character in the code. The rogue ampersand (&) created a stack-based buffer overrun vulnerability in the Microsoft Active Template Library (ATL) that attackers began exploiting several weeks ago. The buggy ATL library was also used in Microsoft's Visual Studio development tool, which is why Microsoft pushed out updates for both Internet Explorer (IE) and Visual Studio on Tuesday, July 28.
-http://www.networkworld.com/news/2009/072909-extra--in-microsoft-development.htm
l
-http://www.theregister.co.uk/2009/07/30/typo_caused_massive_ms_bug/

Microsoft Issues Two Out-of-Cycle Bulletins (July 28, 2009)

Microsoft released two out-of-cycle security bulletins to address a critical remote code execution flaw in the Microsoft Active Template Library (ATL). The updates affect IE and Microsoft Visual Studio. The flaw also affects third party applications that use the buggy code; Adobe has acknowledged that IE users running the company's Flash and Shockwave Players are vulnerable to attack. Sun and Google are also believed to have components that use the code in question.
-http://www.microsoft.com/technet/security/bulletin/ms09-034.mspx
-http://www.microsoft.com/technet/security/bulletin/ms09-035.mspx
-http://www.microsoft.com/technet/security/advisory/973882.mspx
-http://news.cnet.com/8301-27080_3-10297328-245.html?part=rss&subj=news&t
ag=2547-1009_3-0-20
-http://www.scmagazineus.com/Emergency-patches-issued-for-IE-and-Visual-Studio/ar
ticle/140737/
-http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?a
rticleID=218700195
-http://software.silicon.com/security/0,39024655,39470593,00.htm
-http://www.computerworld.com/s/article/9136049/Adobe_confirms_Flash_contains_Mic
rosoft_dev_code_bug?source=rss_security

Clampi Trojan Steals Account Data (July 29, 2009)

The Clampi Trojan horse program has proven it is capable of stealing account information related to more 4,600 companies around the world. It focuses on extracting data from websites that can be used for monetary gain, often withdrawing funds from accounts. The scheme is run by a cyber crime group based in Eastern Europe. Clampi is adept at avoiding detection by anti-virus software. It has also been called Ligats, Ilomo and Rscan.
-http://www.darkreading.com/database_security/security/attacks/showArticle.jhtml?
articleID=218800077
-http://news.cnet.com/8301-27080_3-10298233-245.html?part=rss&subj=news&t
ag=2547-1009_3-0-20
-http://www.computerworld.com/s/article/9136056/Researcher_reveals_massive_profes
sional_thieving_botnet

Scareware Purveyors are Turning a Hefty Profit (July 29, 2009)

According to statistics from Panda Security, an estimated 35 million computers are infected with scareware, also known as rogueware, every month. The phony software worms its way onto computers, then pops up messages telling users that their computers are infected with malware, and that the situation can be remedied if they purchase an anti-virus product; most of the phony products cost between US $50 and US $80. Sales of the useless software are reportedly totaling US $34 million a month.
-http://www.techweb.com/article/showArticle?articleID=218800178§ion=News
[Editor's Note (Schultz): Just yesterday I quite accidentally visited one such site. A dialog box informed me that anti-malware code had infected my Mac and that the problem was being fixed. A progress indicator informed me how far the alleged "disinfection" process had gotten. I immediately closed my Web browser, and by all appearances the my computer has not again visited the phonyware site. ]

Undersea Cable Damage Causes Internet Outages in West Africa (July 30, 2009)

A cable disruption of an unknown nature has caused Internet connectivity problems in West Africa. The problem is believed to stem from damage to the 15,000 km (9,300 mile) long undersea SAT-3 cable, which runs from the Iberian Peninsula to South Africa along the continent's west coast. "SAT-3 is currently the only fibre optic cable service West Africa," forcing companies in Benin, Togo, Niger and Nigeria to turn to alternatives, such as satellite links. Telekom South Africa said "a cable fault on the Benin branch ... is being investigated."
-http://news.bbc.co.uk/2/hi/technology/8176014.stm
-http://www.digitaljournal.com/article/276694

INVITATION TO PARTICIPATE IN NATIONAL DIALOGUE FOR QUADRENNIAL HOMELAND SECURITY REVIEW

The Department of Homeland Security is in the process of completing the first ever congressionally- mandated Quadrennial Homeland Security Review (QHSR), a top-to-bottom review that will inform the Department of Homeland Security's policies and priorities for the next four years. Because DHS wants to ensure maximum participation of its vast array of stakeholders in this process, it is offering an interactive, web based dialogue opportunity. This series of three iterative dialogues beginning this August, entitled the National Dialogue on the Quadrennial Homeland Security Review (QHSR), will be hosted by the National Academy of Public Administration.

The National Dialogue on QHSR makes it possible for all voices and points of view from the vast and diverse homeland security community to be heard-but success depends on individuals such as you registering and participating. I urge you to participate and ensure that your views and those of your sector help inform the development of the QHSR. Sign up today to receive information about registration at www.HomelandSecurityDialogue.org
This dialogue will take place across three sessions, with each session building on the last, over the following dates. Please mark your calendars:

- -- August 3rd through August 9th
- -- August 31st through September 6th
- -- September 28th through October 4th

---

**********************************************************************
The Editorial Board of SANS NewsBites



Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/