SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XI - Issue #80

October 09, 2009

If you are one of hundreds of organizations trying to start or improve your application security efforts, there is an interesting new initiative to help see how you compare to your peers. By seeing what works (and what doesn't) for others, the results might help you jump start your efforts. Cigital is collecting the data for the BSIMM Begin model. If you have a software security program and would like to compare your organization or see the results of the survey, you can take it here:

http://bsi-mm.com/begin

SANS is backing a program in UK modeled on the US Cyber Challenge, which aims to identify and nurture the best of the best of emerging cyber security talent.

http://technology.timesonline.co.uk/tol/news/tech_and_web/article6865432.ece

Alan

---

TOP OF THE NEWS

Comcast Testing Malware Alert Service
Japan High Court Acquits Winny Creator of Copyright Violation Charges
Film Companies Take Australian ISP to Court to Failure to Act on Filesharing Information

THE REST OF THE WEEK'S NEWS

Microsoft Will Issue 13 Bulletins on October 13
Adobe Warns of Limited Targeted Attacks on Reader and Acrobat Vulnerability
No More Internet Banking for FBI Director
Convicted Online Trading Hacker Strikes Again
Legislators Seek More Information on JP Morgan Chase Bank Data Breach
Operation Phish Phry Rounds Up 100 Suspects
Stolen Laptop Holds Unencrypted Data of 850,000 Doctors
Microsoft Blocks Hacked Hotmail Accounts; Researcher Says Scope of Attack Suggests Keystroke Loggers
PayPal Suspends Researcher's Account
SPECIAL NOTICE: Protecting Your Business from Online Banking Fraud

---

************************** Sponsored By Q1 Labs ************************

** THE SECURITY MANAGEMENT EVOLUTION: WHATS NEXT? **

GET THE WHITE PAPER NOW:

https://www.sans.org/info/49399

Respected industry analyst firm Enterprise Strategy Group (ESG) provides a unique perspective on the evolution of security information and event management (SIEM) solutions from niche firewall log analyzers to highly strategic security management solutions. How can organizations like yours identify and leverage the newest, most sophisticated tools in the next phase of the Evolution?

************************************************************************

TRAINING UPDATE

- -- SANS Chicago North Shore, Oct. 26-Nov. 2
https://www.sans.org/chicago09/
- -- SCADA Security Summit, Stockholm, Oct. 27-30
https://www.sans.org/euscada09_summit/
- -- SANS San Francisco, November 9-14
https://www.sans.org/sanfrancisco09
- -- SANS Sydney, Nov.9-14
https://sans.org/sydney09/
- -- SANS London, UK, Nov.28-Dec. 9
https://sans.org/london09/
- -- SANS CDI, Washington DC, Dec. 11-18
https://www.sans.org/cyber-defense-initiative-2009
- -- SANS Security East 2010, New Orleans, January 10-18, 2010
19 courses, bonus evening presentations
https://www.sans.org/security-east-2010/
Looking for training in your own community?
https://sans.org/community/
Save on On-Demand training (30 full courses)
- See samples at https://www.sans.org/ondemand/
For a list of all upcoming events, on-line and live: http://www.sans.org

*************************************************************************

---

TOP OF THE NEWS

Comcast Testing Malware Alert Service (October 8, 2009)

On Thursday, October 8, Comcast began testing a service that alerts its broadband subscribers with pop-ups if their computers appear to be infected with malware. Among the indicative behaviors that trigger alerts are spikes in overnight traffic, suggesting the machine has been compromised and is being used to send spam. Comcast also uses information supplied by research groups about IP addresses that appear to have been infected with malware. The Comcast test program appears to be the first in which a major Internet service provider (ISP) is taking measures to alert customers to potential security issues. Comcast Constant Guard is being piloted in Denver. The alerts will direct users to Comcast's antivirus center where they can receive help cleaning their machines of malware.
-http://news.cnet.com/8301-27080_3-10370996-245.html?part=rss&subj=news&t
ag=2547-1009_3-0-20
-http://www.pcmag.com/article2/0,2817,2354001,00.asp
[Editor's Note (Schultz): Comcast has taken a big step forward. The question now is whether users who are warned about having virus infections will do anything given that over the years they have been bombarded by pop-up ads, Windows Vista User Access Control warnings, and more.]

Japan High Court Acquits Winny Creator of Copyright Violation Charges (October 8, 2009)

A Japanese court has ruled that the creator of the Winny filesharing software is not guilty of helping its users violate copyright law. The Osaka High Court overturned a lower court ruling, and declared Isamu Kaneko innocent of the charges levied against him because he did not promote using the software for illegal purposes. Presiding Judge Masazo Ogura also noted that Winny "has various uses and the technology should be considered value neutral." Prosecutors will study the verdict before deciding whether or not to appeal to the Supreme Court. Kaneko lauded the ruling, saying it will have a positive impact on software development.
-http://www.asahi.com/english/Herald-asahi/TKY200910080350.html
-http://news.smh.com.au/breaking-news-technology/japan-court-acquits-fileshare-so
ftware-creator-20091008-goql.html

Film Companies Take Australian ISP to Court to Failure to Act on Filesharing Information (October 7, 2009)

Australian Internet service provider (ISP) iiNet was in court facing charges that it has not taken action against suspected illegal filesharers. Movie companies sued the ISP for allegedly not disconnecting subscribers that the movie companies maintained were sharing pirated copies of films through BitTorrent. Australia's safe harbor law allows ISPs immunity from prosecution if they "reasonably implement" the practice of cutting off subscribers who are "repeat (copyright) infringers." iiNet stands by its assertion that "allegation of infringement" and "proof of infringement" are not the same thing, and that copyright holders who believe their rights have been infringed upon should seek judgments against the alleged perpetrators in court and present those judgments to iiNet, which will then disconnect that user.
-http://arstechnica.com/tech-policy/news/2009/10/australian-isp-in-court-for-not-
disconnecting-users.ars?utm_source=rss&utm_medium=rss&utm_campaign=rss

---

THE REST OF THE WEEK'S NEWS

Microsoft Will Issue 13 Bulletins on October 13 (October 8, 2009)

According to its Security Bulletin Advance Notification for October 2009, Microsoft plans to release 13 security bulletins on Tuesday, October 13 to address vulnerabilities in Internet Explorer (IE), Microsoft Office, SQL Server, some developer tools, Forefront Security client software and all supported versions of Windows. Eight of the bulletins have been rated critical; the remaining five are rated important. This is the largest number of bulletins Microsoft has issued at one time since it began its scheduled monthly security updates.
-http://www.microsoft.com/technet/security/bulletin/ms09-oct.mspx
-http://www.computerworld.com/s/article/9139155/Microsoft_plans_monster_Patch_Tue
sday_next_week?taxonomyId=17

Adobe Warns of Limited Targeted Attacks on Reader and Acrobat Vulnerability (October 8, 2009)

Adobe is warning that attackers are actively exploiting an unpatched flaw in Reader and Acrobat 9.1.3 that could allow them to take control of vulnerable computers. Adobe plans to issue a fix for the vulnerability on Tuesday, October 13. Attackers can exploit the flaw by tricking users into opening maliciously crafted PDF files. Once a computer is compromised, attackers can execute arbitrary code. The "limited targeted attacks" affect users running the vulnerable programs on Windows machines.
-http://blogs.adobe.com/psirt/2009/10/adobe_reader_and_acrobat_issue_1.html
-http://www.theregister.co.uk/2009/10/08/adobe_reader_vuln_under_attack/
[Editor's Note (Pescatore): By their very nature, targeted attacks are "limited." That actually makes them more dangerous, not less.]

No More Internet Banking for FBI Director (October 7 & 8, 2009)

FBI Director Robert Mueller says he will no longer bank online after he nearly succumbed to a phishing attack. Mueller received a scam email that "looked pretty legitimate" that asked him to verify some personal information; he found himself "just a few clicks away from falling into a classic Internet phishing scam."
-http://www.computerworld.com/s/article/9139106/Citing_cybercrime_FBI_director_do
esn_t_bank_online?source=rss_security
-http://news.cnet.com/8301-27080_3-10370164-245.html
-http://www.theregister.co.uk/2009/10/08/fbi_robert_mueller_commonwealth_club_spe
ech/
-http://www.fbi.gov/pressrel/speeches/mueller100709.htm
[Editor's Note (Schultz): For better or worse, a well-proven principle in information security is that nothing wakes people up to the need to do something about information security faster than good old-fashioned fright over an incident or near incident.

(Pescatore): Hmmm, if he avoids every form of communications that carries fraud, he must not use snail mail, fax, telephone, etc. Must be tough to run the FBI only using tin cans and strings to communicate.]

Convicted Online Trading Hacker Strikes Again (October 7 & 8, 2009)

Van T. Dinh, who has already served time in prison for a computer fraud scheme involving stock-trading has pleaded guilty to charges of computer fraud and identity theft in another cyber crime scheme. Dinh admitted to breaking into the computer system of a currency exchange service and stealing US $100,000. The earlier conviction, involving the stocks, marked the first time the US Securities and Exchange Commission (SEC) had charged a person with fraud that involved identity theft and hacking. For that scheme, Dinh was sentenced to 13 months in prison and three years of supervised release.
-http://www.theregister.co.uk/2009/10/08/recidivist_hacker_pleads_guilty/
-http://www.wired.com/threatlevel/2009/10/dinh/
-http://www.wired.com/images_blogs/threatlevel/2009/10/dinh_complaint.pdf

Legislators Seek More Information on JP Morgan Chase Bank Data Breach (October 7, 2009)

US Representatives Joe Barton (R-Texas) and George Radanovich (R-Calif.) have sent a letter to JP Morgan Chase Bank Chairman and CEO James Dimon asking for more information about a lost data tape. The tape is reportedly missing from a JP Morgan Chase offsite storage facility. While it appears that the bank notified affected customers about the breach, the legislators have additional questions, including how many people were affected by the breach; how many people were notified of the breach; and whether all affected customers have been enrolled in Chase Identity Protection following the breach. Reps. Barton and Radanovitch are members of the House Committee on Energy and Commerce, which "has a long history of examining privacy and data security issues."
-http://republicans.energycommerce.house.gov/Media/file/News/100709_Letter%20to_J
P_Morgan_Chase_Data_Theft.pdf

Operation Phish Phry Rounds Up 100 Suspects (October 7 & 8, 2009)

A two-year international investigation known as Operation Phish Phry has netted authorities in the US and Egypt 100 suspects. The group stole information from thousands of people and used the data to defraud US banks of more than US $1.5 million. An indictment accuses all defendants of conspiracy to commit wire fraud and bank fraud; some individuals have also been charged with aggravated identity theft and conspiracy to commit computer fraud.
-http://www.smh.com.au/technology/security/biggest-cybercrime-investigation-in-us
-history-fbi-smashes-phishing-ring-20091008-gngq.html
-http://www.theregister.co.uk/2009/10/08/100_phishers_netted/
-http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID
=220301571

Stolen Laptop Holds Unencrypted Data of 850,000 Doctors (October 6 & 7, 2009)

A laptop computer stolen from the car of a BlueCross BlueShield employee contains unencrypted personal data of 850,000 physicians. The data include names, addresses, tax ID numbers and national provider identification numbers. About 187,000 of the physicians use their Social Security numbers (SSNs) as their tax ID or national provider numbers. Company policy dictates that the data be encrypted, but the unidentified employee downloaded unencrypted data to work on at home; BlueCross BlueShield is reviewing its security policy in light of the incident. The theft occurred on August 27, 2009.
-http://www.ama-assn.org/amednews/2009/10/05/bisd1006.htm
-http://www.scmagazineus.com/Blue-Cross-Blue-Shield-Association-affirms-laptop-br
each/article/151740/
[Editor's Note (Schultz): I predict that the fact that this incident put physicians' data at risk will lead to far greater repercussions than if the incident had involved only everyday patients' data.

(Ranum): I'm sure there is someone willing to step forward and say that there was a "pressing business need" for that laptop to carry such data, or that its user required access to that database 24/7 anywhere, and hence needed to carry it around with them. Right?]

Microsoft Blocks Hacked Hotmail Accounts; Researcher Says Scope of Attack Suggests Keystroke Loggers (October 6 & 7, 2009)

Microsoft has blocked access to all the Hotmail accounts that were recently compromised. Usernames and passwords for several thousand accounts were posted to the Internet last week. Microsoft has indicated it believes the data were obtained through a phishing attack, but a researcher says that because the attack also affected Gmail, Yahoo mail and other accounts and because so many accounts were compromised overall, it bears characteristics suggesting the data were stolen through surreptitiously installed keystroke logging programs.
-http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID
=220301340
-http://www.computerworld.com/s/article/9139098/Researcher_refutes_Microsoft_s_ac
count_of_hijacked_Hotmail_passwords?source=rss_security

PayPal Suspends Researcher's Account (October 6 & 7, 2009)

PayPal has suspended the account of security researcher Moxie Marlinspike after someone used research he presented at the Black Hat security conference this summer to publish a phony PayPal certificate. The account suspension puts about US $500 in limbo for Marlinspike, who uses "donate" buttons on his website where he offers free tools he has developed. PayPal says it will reinstate Marlinspike's account when he removes the PayPal logo from his website. A PayPal spokesperson said the company does not allow its services "to be used in the sale or dissemination of tools which have the sole purpose to attack customers and illegally obtain individual customer information." Marlinspike demonstrated a proof-of-concept SSL certificate attack.
-http://www.theregister.co.uk/2009/10/06/paypal_banishes_ssl_hacker/
-http://www.wired.com/threatlevel/2009/10/marlinspike/
-http://www.scmagazineus.com/PayPal-suspends-hackers-account-after-bogus-SSL-post
/article/151743/

SPECIAL NOTICE: Protecting Your Business from Online Banking Fraud

One of the big problems in security right now is organized crime targeting comptroller PCs with malware, collecting online banking credentials and using them to wire transfer money to accomplices (mules) in numerous transfers that are below ten thousand dollars each. SANS.edu graduate students Robert Comella, Greg Farnham and, John Jarocki just completed a research project on ways to protect an organization against this threat.

Their report can be found at:

-https://www.sans.edu/resources/student_projects/200910_05.pdf

---

**********************************************************************

The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit

http://portal.sans.org/