SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XI - Issue #70

September 04, 2009

Update on the European SCADA Security Summit (Stockholm October 27-30): Newly added sessions provide real-world case studies of smart metering and virtualization in control systems with insights into the security repercussions of both. Also the US Department of Homeland Security Control Systems Security Program is offering free courses and tools.

Info and registration at
http://www.sans.org/euscada09_summit/



Alan

---

TOP OF THE NEWS

Judge Allows Couple to Sue Bank for Inadequate Data Security
TJX Reaches Settlement with Banks Over Breach
Five Indicted in International Card Fraud Scheme

THE REST OF THE WEEK'S NEWS

Microsoft to Issue Five Bulletins on September 8
Snow Leopard Installs Older, Unsecure Version of Flash
UK ISP O2 Acknowledges and Provides Fix for Router Vulnerability
Firefox Will Warn Users Running Out-of-Date Versions of Flash
Missing Navy Hospital Laptop Holds Personally Identifiable Information of 38,000
Microsoft Acknowledges IIS Vulnerability
Eircom Will Block Access to The Pirate Bay; UPC Will Not
Spyware Aimed at Firefox Users
Judge Denies Bail Reduction for San Francisco City Network Admin

---

************************* Sponsored By Oracle ***************************

Live Webcast: Centralized User Lifecycle Management for Databases September 16th and September 29th

Register today for a complimentary webcast to learn how you can centrally manage, automate and audit database user accounts and access, to improve privileged users productivity, while enforcing security and compliance across your entire database infrastructure.

Sept. 16th: https://www.sans.org/info/48118
Sept. 29th: https://www.sans.org/info/48123

*************************************************************************

TRAINING UPDATE

- - - SANS Network Security, San Diego Sept. 14-22; the Fall's biggest security training conference.
https://www.sans.org/ns2009
- - - SCADA Security Summit, Stockholm, Oct. 27-30
https://www.sans.org/euscada09_summit/
- - - SANS Chicago North Shore, Oct. 26-Nov. 7
https://www.sans.org/chicago09/
- - - SANS San Francisco, November 9-14
https://www.sans.org/sanfrancisco09
- - - SANS CDI, Washington DC, Dec. 11-18
https://www.sans.org/cyber-defense-initiative-2009
- - - Looking for training in your own community?
https://sans.org/community/
- - - Save on On-Demand training (30 full courses) - See samples at https://www.sans.org/ondemand
- - - For a list of all upcoming events, on-line and live:
http://www.sans.org

*************************************************************************

---

TOP OF THE NEWS

Judge Allows Couple to Sue Bank for Inadequate Data Security (September 2, 2009)

A District Court Judge in Illinois has ruled that an Indiana couple may sue Citizens Financial Bank for negligence. The suit brought by Marsha and Michael Shames-Yeakel alleges the bank was negligent for failing to use the most current security measures to protect the couple's information. Inadequate user authentication measures allegedly allowed thieves to steal more than US $26,000 from the couple's home equity line of credit. Citizens' Financial Bank had requested to have the claim dismissed.
-http://www.computerworld.com/s/article/9137451/Court_allows_suit_against_bank_fo
r_lax_security?source=rss_security

TJX Reaches Settlement with Banks Over Breach (September 2 & 3, 2009)

TJX Cos. has agreed to pay US $525,000 to settle a class action lawsuit brought by four banks against the company for the massive data security breach disclosed in 2007 that compromised 94 million payment cards. The banks filed the lawsuit to recover losses incurred from reissuing compromised cards and monitoring affected accounts for fraud. The agreement does not admit any wrongdoing on the part of TJX. The settlement covers only part of the banks' expenses.
-http://online.wsj.com/article/BT-CO-20090902-711269.html
-http://www.computerworld.com/s/article/9137491/TJX_agrees_to_settle_another_brea
ch_lawsuit_for_525_000
-http://www.scmagazineus.com/TJX-settles-for-525K-with-four-banks-over-breach/art
icle/148095/
[Editor's Note (Schultz): TJX should consider itself lucky in that it got off rather lightly in the case of the class action lawsuit. However, TJX's woes as the result of the massive data security breaches are by no means over. TJX will be dealing with the consequences of these breaches for years to come. ]

Five Indicted in International Card Fraud Scheme (September 1 & 2, 2009)

Five men have been indicted in connection with the theft of more than US $4 million using nearly 100,000 stolen payment card numbers. The five, all of whom are from Eastern Europe, are the last of 17 individuals to be indicted as part of a four-year investigation involving law enforcement authorities in the US and Europe. Two of the five men have been arrested and extradited to the US; a third has been arrested and is awaiting extradition. Two others remain at large.
-http://www.computerworld.com/s/article/9137403/Five_indicted_in_long_running_cyb
ercrime_operation?source=rss_security
-http://www.theregister.co.uk/2009/09/01/international_payment_card_ring/
-http://www.scmagazineus.com/New-busts-in-global-identity-theft-ring/article/1479
66/

---

************************ Sponsored Links: ****************************

1) IBM Security Management Solutions

54.9% of all disclosed vulnerabilities were Web app flaws in 2008. Learn more at the Service Management Resource Center.
https://www.sans.org/info/48128

2) Be sure to register NOW for the WhatWorks Webcast: WhatWorks in Intrusion Detection and Prevention: Securing Servers for PCI Compliance
https://www.sans.org/info/48133

3) REGISTER NOW for the Tool Talk Webcast: SIEM and DLP - Strength in Integration
https://www.sans.org/info/48138

***********************************************************************

---

THE REST OF THE WEEK'S NEWS

Microsoft to Issue Five Bulletins on September 8 (September 3, 2009)

Microsoft will release five security bulletins on Tuesday, September 8. All of the bulletins have maximum severity ratings of critical. The Microsoft Security Bulletin Advance Notification provides few clues as to the bulletins' content; all are listed as addressing remote code execution vulnerabilities, and all affect Windows. There is some speculation that at least one of the bulletins will address Active Template Library (ATL) flaws.
-http://www.computerworld.com/s/article/9137493/Microsoft_to_deliver_five_critica
l_Windows_patches_next_week?source=rss_security
-http://www.microsoft.com/technet/security/bulletin/ms09-sep.mspx

Snow Leopard Installs Older, Unsecure Version of Flash (September 3, 2009)

Apple's recently released Mac OS X 10.6, Snow Leopard, installs an older version of Adobe Flash player that has known security flaws. Adobe released Flash version 10.0.32.18 at the end of July to fix a dozen vulnerabilities; Snow leopard installs Flash version 10.0.23.1. The new install also downgrades secure versions of Flash to the older, unsecure version.
-http://www.techweb.com/article/showArticle?articleID=219501258§ion=News
-http://www.computerworld.com/s/article/9137481/Snow_Leopard_downgrades_Flash_to_
vulnerable_version?source=rss_security
-http://www.theregister.co.uk/2009/09/03/snow_leopard_forced_flash_downgrade/
-http://isc.sans.org/diary.html?storyid=7069

UK ISP O2 Acknowledges and Provides Fix for Router Vulnerability (September 3, 2009)

A security flaw in routers provided to customers of UK Internet service provider (ISP) O2 could be exploited to gain access to these devices and make configuration changes that allow attackers access to computers on the network. The vulnerability, known as cross-site request forgery, can be exploited to gain nearly total control over the router, including accessing the wireless encryption key. O2 has issued a statement that notes "We have identified a solution and will be applying this remotely to all of our customers' O2 wireless boxes. This means that customers will not have to take any action themselves."
-http://www.theregister.co.uk/2009/09/01/buggy_o2_routers/
-http://news.zdnet.co.uk/security/0,1000000189,39738008,00.htm

Firefox Will Warn Users Running Out-of-Date Versions of Flash (September 3, 2009)

Firefox 3.5.3 and Firefox 3.0.14, both of which are currently in beta, will warn users if their Adobe Flash player plug-in is out of date. The new browser feature will check which version users are running; according to one source, 80 percent of users are running versions of Flash that are known to have flaws.
-http://www.h-online.com/security/Mozilla-to-protect-Adobe-Flash-users--/news/114
157

Missing Navy Hospital Laptop Holds Personally Identifiable Information of 38,000 (September 2, 2009)

A missing US Navy laptop computer contains personally identifiable information of 38,000 individuals. The computer was last seen on August 18. The compromised data include the names, Social Security numbers (SSNs) and dates of birth for people who used the pharmacy service at the Naval Hospital Pensacola (Fla.). Those affected by the breach will be notified by letter in accordance with Navy policy.
-http://www.fox10tv.com/dpp/news/local_news/pensacola/Navy_Laptop_With_Personal_I
nfo_Missing

Microsoft Acknowledges IIS Vulnerability (Update) (September 1 & 2, 2009)

Microsoft has investigated reports of a security flaw in its Internet Information Services (IIS) web server and has said it will release a fix for the remote code execution vulnerability as soon as it is ready. Exploit code for the flaw has already been released. The flaw could be exploited to take control of vulnerable servers. The flaw is exploitable only if IIS has been configured to allow file transfer protocol (FTP); users running Windows 2000 and Windows Small Business Server 2003 are at increased risk because FTP is installed by default. Until the patch becomes available, Microsoft recommends turning off FTP if it is not necessary; disabling the creation of new directories; and disabling the ability of anonymous users to write using IIS settings. It is unlikely that the patch will be ready for Microsoft's scheduled September update, which will be released on Tuesday, September 8.
-http://www.theregister.co.uk/2009/09/02/microsoft_confirms_iis_bug/
-http://www.computerworld.com/s/article/9137438/Microsoft_promises_patch_for_crit
ical_Web_server_bug?source=rss_security
-http://www.microsoft.com/technet/security/advisory/975191.mspx
-http://isc.sans.org/diary.html?storyid=7063
-http://isc.sans.org/diary.html?storyid=7039

Eircom Will Block Access to The Pirate Bay; UPC Will Not (September 1, 2009)

Irish ISP Eircom has acknowledged that as of September 1, subscriber access to The Pirate Bay website and related IP addresses will be blocked. Eircom says the decision to block the site was made in response to a High Court directive, but assures subscribers that it "will not monitor customers' activities at any stage, nor will it place any monitoring equipment or software on its network ... to facilitate this block." Taking a different tack, Broadband provider UPC has said it will not block access to The Pirate Bay, despite learning that major record labels were seeking an injunction ordering it to do so. UPC has issued a statement saying that it is "very supportive of the position that authors and performers are entitled to be remunerated for their artistic efforts" but believe that the request to block the site has no basis in Irish law.
-http://www.siliconrepublic.com/news/article/13744/comms/access-to-the-pirate-bay
-is-denied-eircom-confirms

Spyware Aimed at Firefox Users (September 1, 2009)

Malware that purports to be an update for Adobe Flash Player is actually spyware that logs Firefox users' Google queries. The stolen information is uploaded to a server controlled by attackers. The spyware, dubbed EBOD-A, can also inject advertisements into the Google search results. It is believed to be spreading through forum posts.

-http://www.theregister.co.uk/2009/09/01/firefox_spyware_add_on/

Judge Denies Bail Reduction for San Francisco City Network Admin (August 31, 2009)

A county judge in California has denied a request to reduce bail for a former network administrator being held on charges of locking users out of a city computer network. Former network administrator for the city of San Francisco Terry Childs has been in jail since July 2008. Judge Charles Haines refused the request because of concerns that he could damage the city's computer network and also poses a flight risk. The US$5 million bail is unusually high, especially for a crime of this sort. Childs allegedly held the city's computer network hostage because he did not believe his superiors were qualified to run the network. Childs surrendered the necessary passwords to San Francisco Mayor Gavin Newsom several days after he was arrested.
-http://www.networkworld.com/news/2009/083109-judge-wont-lower-5m-bail.html

---

**********************************************************************
The Editorial Board of SANS NewsBites



Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/