SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XI - Issue #65

August 18, 2009

TOP OF THE NEWS

Suit Alleges Facebook Violates California Privacy Laws
Report Says Georgian Cyber Attacks Conducted by Civilians

THE REST OF THE WEEK'S NEWS

ARRESTS, INDICTMENTS & SENTENCES
TJX Suspect Indicted in Hannaford and Heartland Breach
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
New Irish Cyber Security Policy Expected by Year's End
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Man Fined for Selling Illegally Copied Software
VULNERABILITIES
Adobe Advisory Warns of Flaws in ColdFusion and JRun
UPDATES AND PATCHES
Linux Developers Release Updated Versions of Kernel to Address Critical Flaw
ATTACKS & ACTIVE EXPLOITS
Twitter-Controlled Botnet Detected
STUDIES AND STATISTICS
IE8 Has Blocked 80 Million Instances of Malware

---

************************* Sponsored By Bit9 *****************************

Webinar: SANS Instructor Chris Brenton on Proactive Cyber Defense

August 27th - 2:00pm EDT

Register for this FREE webinar; understand how to eliminate malware and close the security gap that threatens our nation's infrastructure.

Chris will cover:
* What makes systems vulnerable
* Why we are losing the malware battle
* How to win the war

https://www.sans.org/info/47388

*************************************************************************

TRAINING UPDATE

- - SANS Network Security, San Diego Sept. 14-22; the Fall's biggest security training conference-- 20 full length courses and 16 short courses plus a big exhibition
https://www.sans.org/ns2009
- - SANS Virginia Beach August 28 - Sept. 4. 11 full-length courses plus short courses:
https://www.sans.org/vabeach09/
- - Looking for training in your own community?
https://sans.org/community/
- - Save on On-Demand training (30 full courses)
See samples at:
https://www.sans.org/ondemand/spring09.php
- - For a list of all upcoming events, on-line and live:
http://www.sans.org

*************************************************************************

---

TOP OF THE NEWS

Suit Alleges Facebook Violates California Privacy Laws (August 17 & 18, 2009)

A handful of Facebook users filed a civil suit against the company in a California court. The suit alleges that the social networking site violates California privacy law and gives the wrong impression about how users' personal information is being used. Specifically, the suit alleges that Facebook shares members' personal information with third parties and employs data harvesting and mining techniques that are not adequately explained to members. The suit seeks damages and asks for a jury trial. Facebook maintains that the suit has no merit and plans to fight it.

-http://livenews.com.au/geek/facebook-users-sue-site-over-privacy-breach/2009/8/1
8/216525
-http://online.wsj.com/article/SB125055132349838441.html?mod=googlenews_wsj


[Editor's Note (Pescatore): It really is time to make some movement forward on moving from opt-out to opt-in. All these advertising support sites are not free, unless you think personal and business information put on those sites is value-less.

(Schultz): Subscribers place considerable trust in social networking sites, but at the same time these individuals are setting themselves up for negative outcomes that they never could have comprehended. ]

Report Says Georgian Cyber Attacks Conducted by Civilians (August 17 & 18, 2009)

According to a report from the US Cyber Consequences Unit (US-CCU), the cyber attacks launched against Georgian-government websites last summer were carried out by Russian civilians with close ties to organized crime. Most of those conducting the attacks were Russian, but sympathizers from outside the country joined them. While the Russian government and military were not directly involved with the attack, the attackers did have advance knowledge of the Russian military's plan to invade Georgia. The report also found that the cyber attackers stole American identities and tools to help carry out the attacks. The report predicts that military conflicts are now likely to include cyber attacks.

-http://www.scmagazineus.com/Civilians-cyberattacked-Georgia-in-2008-war/article/
146640/
-http://www.theregister.co.uk/2009/08/18/georgian_cyber_attacks/
-http://online.wsj.com/article/SB125046431841935299.html
-http://www.cio.com/article/499763/Georgia_Cyberattacks_Linked_to_Russian_Organiz
ed_Crime?source=rss_news
-http://www.cnn.com/2009/US/08/17/cyber.warfare/index.html

[Editor's Note (Northcutt): This squares with the best data I have seen. There is a term, cyber militia. To me the closest analog is pirates and privateers, where a privateer is a legal or at least allowable private. The core of this seems to be the Russian Business Network. No matter what you feel about the data, the conclusion of the report, that cyber attacks will be part of future conflicts, is certainly spot on. Here are a couple links, I cannot attest to the accuracy, but they are directionally correct:

-http://www.nationaljournal.com/njmagazine/cs_20080531_6948.php
-http://www.wired.com/dangerroom/2009/01/cyber-militia-t/

(Schultz): SANS 512 course reaches the same conclusions. ]

---

*************************** Sponsored Link: ***************************

1) US Military Command Thwarts Targeted Attack with Application Whitelisting

http://www.sans.org/info/47393

***********************************************************************

---

THE REST OF THE WEEK'S NEWS

TJX Suspect Indicted in Hannaford and Heartland Breach (August 17, 2009)

A federal grand jury in New Jersey has indicted Albert Gonzalez on charges of breaking into computers at Heartland Payment Systems, Hannaford Bros., 7-Eleven and two other unnamed retailers. Gonzalez was formerly a US Secret Service informant and is awaiting trial on charges related to his alleged involvement with the TJX data security breach. Two unnamed Russian co-conspirators have been indicted as well.

-http://www.wired.com/threatlevel/2009/08/tjx-hacker-charged-with-heartland/
-http://www.theregister.co.uk/2009/08/17/heartland_payment_suspect/
-http://www.computerworld.com/s/article/9136742/Miami_man_indicted_for_massive_cr
edit_hack?source=rss_security
-http://www.msnbc.msn.com/id/32450595/ns/technology_and_science-security/
-http://www.washingtonpost.com/wp-dyn/content/article/2009/08/17/AR2009081701915_
pf.html

[Editor's Note (Weatherford): A former member of Shadowcrew and undercover Secret Service informant? What does this tell us about the wisdom of hiring "reformed" black hats?

(Honan): It appears that SQL Injection attacks were the vector used in these attacks. It is not the sexy and shiny 0 day exploit that will most likely get you, it is bad programming and not adhering to the mundane and standard security practices and secure configuration guidelines. ]

New Irish Cyber Security Policy Expected by Year's End (August 16, 2009)

Citing the "need to be alert to and prepared for attacks," Ireland's Minister for Communications says he has commissioned a report on the country's current ability to defend itself against a cyber attack. The report will include an assessment of current best practices around the world and how oversight of governmental cyber attack response should be structured. The report will be the first step in developing a national cyber security strategy, which is expected by the end of the year.

-http://www.irishtimes.com/newspaper/breaking/2009/0816/breaking148.htm

[Editor's Note (Honan): Having campaigned for years for Ireland to up its Internet security defenses and eventually setting up Ireland's first CERT I see this as a welcome first step.

(Schultz): The term "best practices" is sadly outdated. "Exemplary practices" is a much better substitute. ]

Man Fined for Selling Illegally Copied Software (August 17, 2009)

A Delaware man has been fined more than US $210,000 for selling pirated copies of software over the Internet. The fine covers damages and court costs. Matthew Miller allegedly sold unauthorized copies of Adobe, Autodesk and Microsoft software for US $8 to US $12 on iOffer, an Internet auction site. Miller has also been ordered to destroy any remaining copies of the pirated software. The suit was brought by the Business Software Alliance (BSA) and its member companies. BSA does not usually pursue cases against individuals, but determined that Miller's alleged activity warranted action.

-http://www.computerworld.com/s/article/9136725/Court_fines_man_210_000_for_selli
ng_software_copies?source=rss_security

Adobe Advisory Warns of Flaws in ColdFusion and JRun (August 17, 2009)

Adobe has issued an advisory warning of seven critical flaws in ColdFusion and JRun. "Adobe is not currently aware of any exploits in the wild for the security vulnerabilities fixed in this release." The vulnerabilities affect ColdFusion version 8.0.1 and earlier and JRun 4.0. The Cold Fusion flaws could lead to information disclosure and privilege escalation; the JRun flaws could lead to information disclosure or code execution. Adobe has released hotfixes for both products.

-http://www.scmagazineus.com/Adobe-ColdFusion-JRun-updated-for-critical-issues/ar
ticle/146635/
-http://www.adobe.com/support/security/bulletins/apsb09-12.html

Linux Developers Release Updated Versions of Kernel to Address Critical Flaw (August 17, 2009)

Linux developers have released versions 2.6.27.30 and 2.6.30.5 of the kernel to address a critical flaw disclosed last week. The flaw affects all 2.4 and 2.6 series Linux kernels released since 2001 on all architectures. An exploit for the flaw has been released and could be used to gain root privileges on vulnerable systems.

-http://www.zdnetasia.com/news/security/0,39044215,62056937,00.htm
-http://www.h-online.com/security/Linux-kernel-vulnerability-fixes--/news/114021
-http://www.h-online.com/security/Critical-vulnerability-in-the-Linux-kernel-affe
cts-all-versions-since-2001--/news/114004

Twitter-Controlled Botnet Detected (August 14, 2009)

A researcher looking into the recent attack on Twitter discovered that someone was using a Twitter account to send commands to a botnet. The account has been shut down. The same person was apparently running a similar scheme through Google's Jaiku service; that account has also been shut down. The botnet-controlling accounts appear to be unrelated to the attack that took Twitter down earlier this month.

-http://www.msnbc.msn.com/id/32421408/ns/technology_and_science-security/
-http://news.cnet.com/8301-13577_3-10310168-36.html?part=rss&subj=news&ta
g=2547-1009_3-0-20
-http://www.securityfocus.com/brief/995
-http://www.h-online.com/security/Bot-network-uses-Twitter--/news/114005



[Editor's Note (Pescatore): We've been seeing bot clients use alternate communication methods (like odd search queries that the bot client uses to find executable code placed on a compromised web site or blog comment field) for almost two years now. Detecting and stopping bot communications is not as simple as blocking communications to known bot command and control center URLs or IP addresses. ]

IE8 Has Blocked 80 Million Instances of Malware (August 14 & 16, 2009)

According to one test, Microsoft's Internet Explorer 8 (IE9) browser blocked 81 percent of malware-infected websites. Other statistics indicate that IE8's Smart Screen Filter has delivered more than 70 million malware blocks over the past four months. When the totals are combined with the pre-release version of IE8, the figure rises to 80 million - an average of one block a week for every 40 users. Approximately one of every 200 downloads was blocked as potentially malicious. The Phishing Filter in IE7 and IE8 has delivered 125 phishing attack blocks.

-http://www.v3.co.uk/v3/news/2247880/ie8-carries-80-million-malware
-http://www.pcworld.com/article/170260/microsofts_browser_best_at_beating_malware
.html?tk=rss_news


[Editor's Note (Pescatore): If you add up the malware detection and warning Google has built in to its search engine and what Microsoft has built into IE8, there are definitely more safety barriers between the casual surfer and web malware. We're almost to the point where there are now "Walk/Don't Walk" signs at the known dangerous intersections - those who ignore the flashing red lights will still get hurt, but anyone who wants to be safer can be. Things can be even better if the other search engine and browser firms compete to raise the bar.

(Weatherford): This is important news and further justification for anyone who has delayed upgrading from IE6. ]

---

**********************************************************************
The Editorial Board of SANS NewsBites



Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/