SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XI - Issue #62

August 07, 2009

TOP OF THE NEWS

Weak Passwords Allow Congressional Web Site Defacements
US Marines Bans Social Networking Sites on its Networks
Twitter Downed by DDoS

THE REST OF THE WEEK'S NEWS

ARRESTS, INDICTMENTS & SENTENCES
Jail Time for Internet Bank Fraud
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
National Cybersecurity Coordinator Role Watered Down
Stolen Laptop Holds Army National Guard Data
VULNERABILITIES
XML Library Flaws Affect Numerous Applications
UPDATES AND PATCHES
Apple Releases Mac OS X Update
Mozilla Issues Firefox Update
DATA BREACHES, LOSS & EXPOSURE
Mozilla Closes Online Store After Third-Party Intrusion
ATTACKS & ACTIVE EXPLOITS
Latvian ISP Cut Off Over Allegations of Hosting Botnet Command and Control Servers
MALWARE
Blue Screen of Death Scareware

---

********************* SPONSORED BY SANS V-LIVE! ***********************

SANS vLive! delivers live instruction via the Web to make the student's online learning experience as fun and engaging as possible. Courses starting in the next 90 days:

8/11 to 9/24 SPECIAL: DIACAP + Validation: In-Depth
8/25 to 9/17 DEV541: Secure Coding in Java/JEE: Developing Defensible Applications
9/2 to 11/18 SEC617: Wireless Ethical Hacking Penetration Testing and Defenses
9/22 to 12/3 AUD423: SANS(r) +S(tm) Training for the CISA(r) Certification Exam
9/28 to 10/2 SEC440: 20 Critical Security Controls: Planning Implementing and Auditing
9/29 to 11/5 SEC501: Advanced Security Essentials - Enterprise Defender
9/29 to 12/15 SEC301: Intro to Information Security
10/5 to 10/14 SEC564: Security Architecture for Systems Administrators
10/6 to 10/29 DEV544: Secure Coding in .NET: Developing Defensible Applications
10/19 to 11/18 SEC709: Developing Exploits for Penetration Testers and Security Researchers
10/27 to 12/19 DEV422: Defending Web Applications Security Essentials
Details & Registration at:
https://www.sans.org/vlive/courses.php

*************************************************************************

TRAINING UPDATE

- - SANS Network Security, San Diego Sept. 14-22; the Fall's biggest security training conference-- 20 full length courses and 16 short courses plus a big exhibition https://www.sans.org/ns2009
- - SANS Virginia Beach August 28 - Sept. 4. 11 full-length courses plus short courses:
https://www.sans.org/vabeach09/
- - The Virtualization and Cloud Security Summit on August 17-18 in Washington; courses in the following days https://www.sans.org/info/43118
Looking for training in your own community? https://sans.org/community/ Save on On-Demand training (30 full courses) - See samples at
https://www.sans.org/ondemand
For a list of all upcoming events, on-line and live: http://www.sans.org

*************************************************************************

---

TOP OF THE NEWS

Weak Passwords Allow Congressional Web Site Defacements (August 6, 2009)

A rash of digital graffiti on the websites of at least 18 US Representatives has been blamed on weak administrative passwords established by a third party vendor. The defacements have been cleaned up and no real damage was done to the sites; some have established stronger passwords as a result of the incident. The attacks occurred during the first week of August. The House's Chief Administrative Officer Dan Beard has called for a review of the relationship with the Alexandria, Va.-based vendor, GovTrends.
-http://voices.washingtonpost.com/securityfix/2009/08/hackers_target_housegov_sit
es.html
[Editor's Note (Weatherford): All this proves is that our jobs are never done. We've been preaching about strong passwords for years and it's a part of almost every talk I give yet people still don't get it and still believe "it can't happen to me." ]

US Marines Bans Social Networking Sites on its Networks (August 4, 2009)

An August 3 order bans US Marines from accessing social networking tools, including Facebook and Twitter, due to security concerns. The order states that the sites "are a proven haven for malicious actors and content and are particularly high risk due to information exposure, user generated content and targeting by adversaries." Marines are banned from accessing the sites via the Marine Corps Enterprise Network, the Non-Secure Internet Protocol Router Network or virtual private network connections. Personnel may, however, access Defense Department-sponsored social networking sites that are hosted on internal networks. Personnel are also permitted to access the sites from their personal computers while they are not working.
-http://www.msnbc.msn.com/id/32283587/ns/technology_and_science-security/
-http://fcw.com/articles/2009/08/04/marines-ban-social-networking.aspx
-http://www.marines.mil/news/messages/Pages/MARADMIN0458-09.aspx

Twitter Downed by DDoS (August 6, 2009)

Twitter is recovering from a distributed denial-of-service (DDoS) that occurred on Thursday. The micro-blogging service was knocked offline for several hours. As of 1:30 PM EDT Thursday, Twitter's status page reads "As we recover (from the DDoS), users will experience some longer load times and slowness. This includes timeouts to API clients. We're working to get back to 100% as quickly as we can." Facebook suffered problems from an apparent DDoS as well.
-http://www.wired.com/epicenter/2009/08/facebook-apparently-attacked-in-addition-
to-twitter/
-http://www.usatoday.com/tech/news/2009-08-06-twitter-attack_N.htm
-http://www.nextgov.com/nextgov/ng_20090806_7624.php?oref=topnews
-http://www.theregister.co.uk/2009/08/06/twitter_outage/
-http://www.siliconrepublic.com/news/article/13562/comms/twitter-suffers-denial-o
f-service-attack
-http://www.computerworld.com/s/article/9136321/Update_Twitter_limps_back_to_life
_after_DDoS_attack?source=rss_security
-http://news.bbc.co.uk/2/hi/technology/8188201.stm
-http://bits.blogs.nytimes.com/2009/08/06/twitter-overwhelmed-by-web-attack/?ref=
technology
-http://www.washingtonpost.com/wp-dyn/content/article/2009/08/06/AR2009080602341_
pf.html
-http://status.twitter.com/
[Editor's Note (Pescatore): Wow, 2 hours without tweets! That's like a car drive to the shore without anyone in the back seat saying "Are we there yet? I see a rock. Is that a seagull? I like saltwater taffy. Shaquille Oneal is really tall. Are we there yet?" the entire trip. ]

---

*************************** SPONSORED LINKS******************************

1) Be Sure to Register for the upcoming webcast: AV Migration - Should You Stay or Should You Go? http://www.sans.org/info/47029
2) ***NEW*** SANS Free Vendor Audio Casts! Visit the SANS Reading Room and click on the Free Vendor Audio Casts link. http://www.sans.org/info/47034

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

Jail Time for Internet Bank Fraud (August 5, 2009)

A woman in New Zealand has been sentenced to one year in jail for stealing more than NZ $110,000 (US $73,700)in an Internet banking fraud scheme. Airiana Moana Paul had pleaded guilty to cyber crime charges of dishonestly obtaining a pecuniary advantage. Paul found a loophole in the way Internet banking transactions were conducted at the National Bank and over the course of three months, exploited that loophole 365 times to transfer funds from one account into another. Paul involved other people in the scheme as well.
-http://www.nzherald.co.nz/technology/news/article.cfm?c_id=5&objectid=105888
33

National Cybersecurity Coordinator Role Watered Down (August 4 & 5, 2009)

Melissa Hathaway, the administration's acting cyber security coordinator, told the Washington Post that she stepped down from the position and removed herself from consideration for the permanent role because she was "not empowered ... to continue to drive the change" deemed necessary by the 60-day review of US cyber security policy she conducted earlier this year. The current description of the position has the national cyber security coordinator reporting to the National Security Council and the National Economic Council, neither of which places significant value of having a powerful national cyber security official.
-http://lastwatchdog.com/melissa-hathaway-steps-consideration-us-cyber-czar/
-http://www.washingtonpost.com/wp-dyn/content/article/2009/08/03/AR2009080302697_
pf.html
-http://news.bbc.co.uk/2/hi/technology/8185699.stm
-http://www.computerworld.com/s/article/9136306/The_cybersecurity_job_no_one_real
ly_wants?taxonomyId=17&pageNumber=1
-http://fcw.com/Articles/2009/08/05/Web-Obama-cyber-coordinator.aspx?Page=1
[Editor's Note (Weatherford): This is terribly unfortunate because it gives credence to the growing feeling that what started with a lot of pomp and circumstance is becoming mired in politics. ]

Stolen Laptop Holds Army National Guard Data (August 4 & 5, 2009)

A laptop computer belonging to an Army National Guard contractor was stolen on July 27; the computer holds personally identifiable information of approximately 131,000 current and former Army National Guard members. The compromised data include names, Social Security numbers (SSNs), and incentive payment amounts. Affected individuals will be notified by letter.
-http://www.wfrv.com/news/local/story/National-Guard-laptop-computer-stolen/PMA-X
tg6o06SgZJ1IbFFfA.cspx
-http://www.msnbc.msn.com/id/32304147/ns/technology_and_science-security/
[Editor's Note (Northcutt): Consequences matter. Without consequences this type of inexcusable behavior will continue. The contract needs to be terminated. ]

XML Library Flaws Affect Numerous Applications (August 6, 2009)

Researchers have uncovered a significant number of flaws in Extensible Markup Language (XML) libraries that could be exploited to crash machines and execute malicious code. The flaws affect large numbers of applications that use the libraries in question. Sun Microsystems, Apache, and Python products are known to be vulnerable.
-http://www.securecomputing.net.au/News/152193,researchers-find-largescale-xml-li
brary-flaws.aspx
-http://www.theregister.co.uk/2009/08/06/xml_flaws/
-http://voices.washingtonpost.com/securityfix/2009/08/researchers_xml_security_fl
aw.html
[Editor's Note (Northcutt): Uh Oh. This is not good. XML is behind the scenes in almost everything. I wonder whether XML gateways could be used to mitigate the problem to some extent. ]

Apple Releases Mac OS X Update (August 6, 2009)

Apple has released Mac OS X version 10.5.8 to address 18 security flaws, including seven that could be exploited to take control of vulnerable computers simply by manipulating users into viewing maliciously constructed images. The flaws arise from uninitialized memory errors, uninitialized pointer issues, and heap, stack, and integer overflow errors. The update also fixes code execution flaws in the operating system's kernel, login window and other components.
-http://www.theregister.co.uk/2009/08/06/apple_mac_osx_patches/
-http://www.computerworld.com/s/article/9136311/Apple_patches_18_Mac_vulnerabilit
ies_ships_OS_X_10.5.8?source=rss_security
-http://news.cnet.com/8301-27080_3-10304342-245.html?part=rss&subj=news&t
ag=2547-1009_3-0-20
-http://www.h-online.com/security/Apple-releases-Mac-OS-X-10-5-8--/news/113941
-http://www.scmagazineus.com/Mac-OS-X-1058-update-fixes-18-flaws/article/141269/
-http://support.apple.com/kb/HT3757

Mozilla Issues Firefox Update (August 4, 2009)

On Monday, August 3, Mozilla issued an update for Firefox to address a number of critical security flaws. One of the vulnerabilities allows attackers to spoof SSL certificates. Users are urged to upgrade to Firefox 3.5.2 as soon as possible. Other vulnerabilities addressed in the update include a memory corruption flaw, a heap overflow flaw and a privilege escalation flaw. The SSL flaw also affects Mozilla's Thunderbird, SeaMonkey and NSS products; fixes for those products are likely to be available soon.
-http://www.theregister.co.uk/2009/08/04/firefox_critical_update/
-http://www.h-online.com/security/Firefox-3-5-2-and-3-0-13-fix-security-vulnerabi
lities--/news/113922
-http://blog.mozilla.com/blog/2009/08/03/firefox-3-5-2-and-3-0-13-security-update
s-now-available-for-download/

Mozilla Closes Online Store After Third-Party Intrusion (August 5, 2009)

Mozilla shut down its online store after learning that a third-party company it had hired to run the site's back-end operations had experienced a breach. Mozilla has asked St. Louis-based GatewayCDI to notify all affected customers about the breach. The company will reopen the online store when it has "a satisfactory assurance of ongoing login security and data privacy."
-http://www.theregister.co.uk/2009/08/05/mozilla_stores_shuttered/
-http://www.computerworld.com/s/article/9136264/Mozilla_shuts_Firefox_e_store_aft
er_security_breach?taxonomyId=17

Latvian ISP Cut Off Over Allegations of Hosting Botnet Command and Control Servers (August 4 & 5, 2009)

Latvian Internet service provider (ISP) Real Host has been disconnected from the Internet after its upstream provider, Junik, cut off service. Swedish telecommunications company TeliaSonera informed Junik that Real Host was home to servers used to commit cyber crime and gave Junik the options of cutting off service or facing sanctions. Real Host is believed to be home to command and control servers for the Zeus botnet.
-http://www.theregister.co.uk/2009/08/05/cybercrime_takedown/
-http://www.pcworld.com/businesscenter/article/169635/after_links_to_cybercrime_l
atvian_isp_is_cut_off.html
-http://www.ft.com/cms/s/0/058167ee-8081-11de-bf04-00144feabdc0.html

Blue Screen of Death Scareware (August 4 & 5, 2009)

A new scareware variant exploits the pit-of-the-stomach feeling that accompanies the Windows Blue Screen of Death. The malware displays what appears to be the blue screen indicative of a Windows system crash along with an alert window urging users to download software to fix the alleged problem. The phony antivirus package is called SystemSecurity.
-http://blogs.zdnet.com/security/?p=3912
-http://www.theregister.co.uk/2009/08/04/bsod_scareware/

---

**********************************************************************
The Editorial Board of SANS NewsBites



Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/