SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XI - Issue #69

September 01, 2009

On the C-SPAN broadcast (two weeks ago) on cyber security and cyber warfare, SAIC was singled out as the contractor that would win the biggest share of the contracts supporting the US Cyber Command and other military initiatives in computer network defense and offense. Many energetic counter arguments followed, but the bottom line is that SAIC is in the right place to win that competition because SAIC is the only major defense contractor that is able to deliver large numbers of people with advanced technical security skills. The military leaders know that in cyberspace, the only effective weapons are people with advanced technical skills, not packaged tools. That means the winning contractors will deliver people with proven skills in intrusion detection, forensics vulnerability analysis and exploit development, reverse engineering malware, advanced penetration testing - especially application penetration testing, perimeter leakage and protection and similar skills.


Alan

---

TOP OF THE NEWS

Revised Legislation Still Gives President Power to Shut Down Portions of the Internet
Facebook Will Strengthen Privacy Practices
Phishing Attacks Diminishing (Study)

THE REST OF THE WEEK'S NEWS

Gonzalez Reaches Plea Agreement But Still Faces Additional Charges
Four Arrested in Connection with Chinese Internet Outage
Directives Clarify Some Laptop Border Search Policies
Proof-of-Concept Code Published for IIS Vulnerability
Microsoft to Push out Mandatory Live Messenger Upgrades
Apache.org Offline Due to SSH Remote Administration Key Compromise
Social Engineering Pen Test Prompts National Warning

---

****************** Sponsored By IBM Rational AppScan *******************

IBM Security Management Solutions

74% of Web app vulnerabilities found in 2008 had no fix by year's end. Learn more at the Service Management Resource Center.

https://www.sans.org/info/47979

*************************************************************************

TRAINING UPDATE

- - SANS Network Security, San Diego Sept. 14-22; the Fall's biggest security training conference.
https://www.sans.org/ns2009
- - SCADA Security Summit, Stockholm, Oct. 27-30,
https://www.sans.org/euscada09_summit/
- - SANS Chicago North Shore, Oct. 26-Nov. 7, https://www.sans.org/chicago09/
- - SANS San Francisco, November 9-14
https://www.sans.org/sanfrancisco09
- - SANS CDI, Washington DC, Dec. 11-18, https://www.sans.org/cyber-defense-initiative-2009
- - Looking for training in your own community?
https://sans.org/community/
- - Save on On-Demand training (30 full courses) - See samples at
https://www.sans.org/ondemand/
For a list of all upcoming events, on-line and live:
http://www.sans.org

*************************************************************************

---

TOP OF THE NEWS

Revised Legislation Still Gives President Power to Shut Down Portions of the Internet (August 28 & 31, 2009)

Proposed legislation introduced in April gave the President the power to "declare a cybersecurity emergency and order the limitation or shutdown of internet traffic to and from a compromised federal government or critical infrastructure information system or network." Despite concern from Internet companies and civil liberties groups about the power granted, a revised version of the bill still grants the President the power to take control of information systems, but the new language is even more vague. The revised bill also proposes establishing a federal cyber security professional certification program and require that only people with the certification be permitted to manage certain private system networks.
-http://www.scmagazineus.com/Can-the-president-shut-down-the-internet/article/147
799/
-http://news.cnet.com/8301-13578_3-10320096-38.html
-http://fcw.com/Articles/2009/08/28/Cybersecurity-bill-presidential-power.aspx
-http://www.computerworld.com/s/article/9137294/Bill_giving_Obama_power_to_shut_W
eb_takes_on_new_tone?taxonomyId=62&pageNumber=1
[Editor's Note (Pescatore): There is actually only one sentence about "shutting down" the Internet in the draft bill - if sanity prevails that will get X-ed out. The language requiring the Department of Commerce to set up a licensing and certification program for cybersecurity professionals also needs similar delete key activity. The rest of the bill actually has some good ideas but lots of pork barrel projects, too.

(Schultz): This bill is not really as draconian as those who have reacted so negatively to it would have the public believe. The Internet is so complex and geographically diverse that the notion of having centralized control that allows quick and definitive action on the part of anyone, let alone the US President, is a bit far-fetched. For more see blog.emagined.com ]

Facebook Will Strengthen Privacy Practices (August 27 & 28, 2009)

In response to an investigation launched by Canada's Office of the Privacy Commissioner, Facebook has agreed to give users more control about the information they share with third-party applications. The applications will be required to get permission from users for every category of personal information they want to access. In addition, users will have the option to deactivate or to even to delete their accounts. If users delete their accounts, all information belonging to that user will be deleted from Facebook servers.
-http://www.scmagazineus.com/Facebook-to-modify-privacy-practices-after-investiga
tion/article/147556/
-http://technology.timesonline.co.uk/tol/news/tech_and_web/article6812783.ece

Phishing Attacks Diminishing (Study) (August 27, 2009)

A report from IBM indicates that phishing attacks appear to be declining. Cyber criminals now appear to be leaning toward malicious links and Trojan horse programs designed to steal passwords and other sensitive information. The X-Force report says that in 2008, phishing attacks accounted for 0.5 percent of all spam; during the first half of 2009, that figure fell to 0.1 percent. The report also says that the number of malicious links on the web is up 508 percent in the first half of 2009.
-http://voices.washingtonpost.com/securityfix/2009/08/phishing_attacks_on_the_wan
e.html
-http://www.h-online.com/security/IBM-Report-Phishing-is-going-out-of-style--/new
s/114113

---

************************ Sponsored Links: ****************************

1) Register today for SANS vLive course, Audit 423: SANS(r) +S(tm(tm)) Training for the CISA(r) Certification Exam and receive 10% discount.
http://www.sans.org/info/47984

2) Be sure to register NOW for the Tool Talk Webcast: Mitigating Insider Threats through Proactive Identity Management
http://www.sans.org/info/47989

***********************************************************************

---

THE REST OF THE WEEK'S NEWS

Gonzalez Reaches Plea Agreement But Still Faces Additional Charges (August 29, 2009)

Albert Gonzalez has agreed to plead guilty to 19 counts of wire fraud, conspiracy, aggravated identity theft, and money laundering. Gonzalez is believed to have masterminded the largest data thefts in the US; the scheme stole more information on more than 170 million credit and debit card accounts from TJX Companies, Barnes & Noble, Office Max and several other large US companies. According to the terms of the deal, Gonzalez will spend 15 to 25 years in prison and will forfeit more than US $2.8 million. Additional charges filed against Gonzalez are not included in the agreement; the new charges involve the breaches at Heartland Payment Systems, Hannaford Bros. and 7-Eleven and two unnamed companies.
-http://www.washingtonpost.com/wp-dyn/content/article/2009/08/28/AR2009082803779.
html
-http://news.cnet.com/8301-1009_3-10320761-83.html?part=rss&subj=news&tag
=2547-1009_3-0-20
-http://www.computerworld.com/s/article/9137228/Update_Mastermind_of_TJX_Heartlan
d_breaches_to_plead_guilty?source=rss_security

Four Arrested in Connection with Chinese Internet Outage (August 28, 2009)

Police in Foshan, Guangdong Province (China) have arrested four people in connection with a denial-of-service attack that caused Internet outages in parts of the country earlier this year. The attack is believed to have been launched by an Internet game provider retaliating against his competitors who had launched similar attacks against him.
-http://arstechnica.com/web/news/2009/08/game-server-admins-arrested-for-chinese-
dns-attacks.ars
[Editor's Note (Northcutt): There appears to be a bit of a state change in China. Ten years ago people were executed for hacking. Then, as the government tried to develop an advanced cyber capability they overlooked a lot of hacking or recruited the hackers. Now, especially for hackers that attack internal Chinese sites, they are starting to crack down.
-http://www.techspot.com/news/17248-top-hacker-arrested.html
-http://www.rjkoehler.com/2008/05/08/auction-hacker-arrested-in-china/
-http://www.highbeam.com/doc/1G1-155310910.html]

Directives Clarify Some Laptop Border Search Policies (August 27 & 28, 2009)

Two new directives from the US Department of Homeland Security (DHS) regarding laptop border searches do not address the issue of whether laptop owners can be compelled to surrender passwords and encryption keys to allow authorities to examine the devices' contents. Earlier this year, the US Supreme Court chose not to reconsider an appeals court ruling that said laptops are like suitcases and can therefore be searched without reasonable suspicion. The directives specify a five-day search limit for Customs and Border Patrol; Immigration and Customs Enforcement Special Agents have a 30-day limit for searches of electronic devices. All must obtain a supervisor's approval before confiscating devices and travelers must be told where confiscated devices are being kept.
-http://www.techweb.com/article/showArticle?articleID=219500468§ion=News
-http://www.nextgov.com/nextgov/ng_20090828_7022.php?oref=topnews
-http://fcw.com/Articles/2009/08/28/DHS-sets-new-policy-on-computer-searches-at-b
order.aspx
-http://www.dhs.gov/xlibrary/assets/cbp_directive_3340-049.pdf
-http://www.dhs.gov/xlibrary/assets/ice_border_search_electronic_devices.pdf

Proof-of-Concept Code Published for IIS Vulnerability (August 31, 2009)

Proof-of-concept exploit code has been published for a vulnerability in Microsoft's Internet Information Services (IIS) server. The exploit could allow attackers to gain root access to servers running IIS version 5 on Windows 2000 with Service Pack 4. The vulnerability also reportedly affects IIS version 6. The vulnerability lies in IIS's File Transfer Protocol (FTP) software; for an attack to be successful, users would need to have FTP enabled. Microsoft is investigating the reports of the vulnerability; the company says it is not aware of any active attacks that exploit the flaw.
-http://www.theregister.co.uk/2009/08/31/iis_bug_reported/
-http://www.computerworld.com/s/article/9137305/Unpatched_flaw_could_take_down_Mi
crosoft_s_IIS_server?source=rss_security
-http://www.h-online.com/security/FTP-service-of-Microsoft-IIS-5-and-6-vulnerable
-to-attacks--/news/114127
-http://news.cnet.com/8301-13860_3-10322459-56.html?part=rss&subj=news&ta
g=2547-1009_3-0-20
-http://isc.sans.org/diary.html?storyid=7039

Microsoft to Push out Mandatory Live Messenger Upgrades (August 31, 2009)

In September, Microsoft plans to push out a mandatory upgrade for certain Windows Live Messenger users to fix a vulnerability in an Active Template Library (ATL). Users running Messenger 8.1 and 8.5 will be required to install the upgrade if they want to continue to use the instant messaging service. Messenger 8.1 and 8.5 users have already been sent notifications about the mandatory upgrade. Users running a build of Messenger 14 will get mandatory upgrades in October, with notifications being sent earlier in the month. Microsoft has already issued fixes for a number of other products that use the affected ATL.
-http://www.computerworld.com/s/article/9137307/Microsoft_Upgrade_Messenger_or_el
se?source=rss_security

Apache.org Offline Due to SSH Remote Administration Key Compromise (August 28, 2009)

The Apache.org website was offline for several hours late last week after the SSH remote administration key for one of its servers was compromised. It is not yet known if the site's downloads were affected by the intrusion. Initial reports from the investigation indicate that the attackers were not able to gain elevated privileges on the server.
-http://www.theregister.co.uk/2009/08/28/apache_hack/
-http://www.h-online.com/security/SSH-Key-compromise-takes-Apache-org-offline-Upd
ate-2--/news/114115
-http://isc.sans.org/diary.html?storyid=7030

Social Engineering Pen Test Prompts National Warning (August 28, 2009)

A social engineering portion of a sanctioned penetration test of computer systems at an unnamed credit union prompted the National Credit Union Administration (NCUA) to issue a warning to all federally insured credit unions. The warning said that a credit union had received a letter that purported to be from the NCUA and included two CDs that were touted as containing anti-fraud training materials. The NCUA says the test involved "an unauthorized and improper use of the NCUA logo." Despite the confusion, the credit union being tested did the right thing by reporting it to the NCUA.
-http://www.cutimes.com/News/2009/8/Pages/NCUA-Chastises-Computer-Security-Test.a
spx
-http://www.computerworld.com/s/article/9137215/Security_test_prompts_federal_fra
ud_alert?source=rss_security

---

**********************************************************************
The Editorial Board of SANS NewsBites



Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/