SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XI - Issue #81

October 13, 2009

TOP OF THE NEWS

Sidekick Outage Causes Data Loss and Outrage
Researchers Claim Botnet Steals Revenue from Google, Yahoo! and Bing

THE REST OF THE WEEK'S NEWS

Apple Acknowledges Bug in Snow Leopard Causes Data Loss
Security Software Locates and Wipes Stolen NHS Computers
Google Fixes Android DoS Flaws
Maine Supreme Court to Decide Hannaford Liability
Twitter Suspended Researcher's Account for Mentioning Malicious URL
Inspector General Finds Security Gaps in Some DHS Public-Facing Websites
Federal Reserve Bank Employee Pleads Guilty to Fraud and Identity Theft
Federal Charges Filed Against Former DuPont Scientist


*************************** Sponsored By Bit9 **************************

SANS' Chris Brenton on Malware Defense - Live in Houston, DC & Toronto

Protect against the Advanced Persistent Threat and targeted attacks facing US businesses and government agencies. Join fellow IT and Security professionals for this FREE cyber defense seminar from Bit9, the leader in application whitelisting.

Register today:

- - Tomorrow, Oct 14th Houston
- - Oct 21st Washington DC
- - Oct 27th Toronto

https://www.sans.org/info/49514

************************************************************************

TRAINING UPDATE

-- SANS Tokyo, October 19-24
https://www.sans.org/sanstokyo2009_autumn/
-- SANS Chicago North Shore, Oct. 26-Nov. 2
https://www.sans.org/chicago09/
-- SCADA Security Summit, Stockholm, Oct. 27-30
https://www.sans.org/euscada09_summit/
-- SANS Middle East, October 31-November 11
https://www.sans.org/middleeast09/
-- SANS San Francisco, November 9-14
https://www.sans.org/sanfrancisco09
-- SANS Sydney, Nov.9-14
https://sans.org/sydney09/
-- SANS London, UK, Nov.28-Dec. 9
https://sans.org/london09/
-- SANS CDI, Washington DC, Dec. 11-18
https://www.sans.org/cyber-defense-initiative-2009
-- SANS Security East 2010, New Orleans, January 10-18, 2010 - 19 courses, bonus evening presentations
https://www.sans.org/security-east-2010/
Looking for training in your own community?
https://sans.org/community/
Save on On-Demand training (30 full courses)
- See samples at https://www.sans.org/ondemand/spring09.php
For a list of all upcoming events, on-line and live: http://www.sans.org

*************************************************************************

TOP OF THE NEWS

Sidekick Outage Causes Data Loss and Outrage (October 10 & 12, 2009)

A server failure appears to be responsible for a massive data loss affecting T-Mobile Sidekick customers. The outage occurred at Danger, a Microsoft subsidiary, which is the Sidekick data service provider. Users lost contacts, pictures, and saved email messages. While it is possible that some data could be restored from a backup system, most is likely gone forever. T-Mobile has suspended sales of Sidekicks for the time being. The company is offering customers a one-month credit to their accounts to compensate for the data loss. The data loss affects customers who conducted a hard reset - removing their phones' batteries or pressing a reset button. The customers attempted the hard reset because of outages affecting the devices all last week.
-http://www.msnbc.msn.com/id/33278150/ns/technology_and_science-security/
-http://www.computerworld.com/s/article/9139261/T_Mobile_sidelines_Sidekick_in_wake_of_data_debacle?taxonomyId=1
-http://www.usatoday.com/tech/wireless/phones/2009-10-12-sidekick-data_N.htm
-http://www.informationweek.com/news/personal_tech/smartphones/showArticle.jhtml?articleID=220600351
-http://voices.washingtonpost.com/fasterforward/2009/10/sidekick_users_see_their_data.html
-http://www.washingtonpost.com/wp-dyn/content/article/2009/10/11/AR2009101100109_pf.html

-http://www.cnn.com/video/#/video/tech/2009/10/12/tsr.tmobile.loses.data.cnn
[Editor's Note (Ullrich): So much for storing your data "in the cloud". A local backup sounds like a great idea again. (Pescatore): Ah, the monthly reminder that consumer grade services do not live up to business class needs. (See definition of "extremely rare data loss" in the Apple item below.)]

Researchers Claim Botnet Steals Revenue from Google, Yahoo! and Bing (October 9, 2009)

Researchers at Click Forensics claim they have found a new botnet (the "Bahama botnet") that is draining advertising revenue from Google, Yahoo! and Bing by sending part of it to smaller networks. Users whose machines are infected with this botnet's bots reach fake search pages made to look like bona fide ones. Their connections are initially redirected to small ad networks to which small referral fees are paid, and then ultimately to the sites that users have specified.


************************ Sponsored Links: ****************************

1) Register Today and receive 10% off for SANS vLive course SEC542, Web App Penetration Testing and Ethical Hacking, November 2nd - November 9th. Please use the code @Risk542 when registering.

https://www.sans.org/info/49519

2) View Cyber Attack and Defense Webinar and how IPS technology can provide protection.

https://www.sans.org/info/49524

3) Find IT. Search IT. Mask IT. dataguise solutions for sensitive data discovery and masking.

https://www.sans.org/info/49529

***********************************************************************

THE REST OF THE WEEK'S NEWS

Apple Acknowledges Bug in Snow Leopard Causes Data Loss (October 12, 2009)

Apple has acknowledged a problem with its Mac OS X 10.6 operating system, known as Snow Leopard, that can cause users to lose their personal data and says a fix is in the works. The problem, according to Apple, "occurs only in extremely rare cases." Users have been reporting that after they log in as guest users, their personal data are gone when they return to their personal accounts.
-http://news.cnet.com/8301-31021_3-10373064-260.html
-http://www.computerworld.com/s/article/9139250/Snow_Leopard_bug_deletes_all_user_data

[Editor's Note (Pescatore): Data loss is to information security as patient mortality is to medicine. "Extremely rare" has to mean "close to never" vs. "not often."]

Security Software Locates and Wipes Stolen NHS Computers (October 12, 2009)

Four laptop computers stolen from an NHS Trust have been recovered. The computers, which belong to the Lancashire Care NHS Foundation Trust, were stolen from four separate locations: an NHS site in Blackpool, a car in Manchester, an employee's home and a London hotel room. Software previously installed on the computers allowed them to be wiped remotely and their locations traced. None of the machines contained patient data. Arrests have been made in connection with the theft of the computers.
-http://www.infosecurity-magazine.com/view/4508/stolen-nhs-laptops-recovered-no-data-breach-thanks-to-remote-wiping/

[Editor's Note (Schultz): The fact that software allowed the Lancashire Care NHS Foundation Trust to wipe data after the laptops were stolen reflects positively upon this institution's security practices. At the same time, however, it appears that this institution has a way to go regarding laptop security. Why are so many laptops being stolen in the first place? And why are data that are potentially sensitive stored on laptops instead of on servers?

Editor's Note (Ullrich): Nice to see fancy remote wipe software that actually works!]

Google Fixes Android DoS Flaws (October 12, 2009)

A pair of flaws in the Google Android mobile platform could be exploited to create denial-of-service conditions. Google has fixed both vulnerabilities, which affect Android version 1.5. The first of the flaws involves the way Android handles malformed SMS messages; the second involves Android's Dalvik application programming interface (API).
-http://www.securecomputing.net.au/News/157945,google-android-vulnerabilities-disclosed.aspx
-http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=220600339
-http://www.computerworld.com/s/article/9139192/Google_patches_DoS_vulnerabilities_in_Android

-http://www.ocert.org/advisories/ocert-2009-014.html

Maine Supreme Court to Decide Hannaford Liability (October 9 & 12, 2009)

The Maine Supreme Court will decide whether or not retailers that fail to protect consumers' payment card data will be required to compensate those people for the time they spend correcting any problems that arise from a data security breach. Consumers are already covered for unauthorized charges under banks' zero-liability protection policies. In this case, the court must decide if "time and effort alone, spent in a reasonable effort to avert reasonably foreseeable harm, constitute a cognizable injury under Maine common law." The case involves the breach at Hannaford Bros. in which millions of payment card numbers were compromised.
-http://consumerist.com/5379157/maines-supreme-court-to-decide-if-consumers-should-be-compensated-for-hannaford-security-breach

-http://www.wired.com/threatlevel/2009/10/hannaford/

Twitter Suspended Researcher's Account for Mentioning Malicious URL (October 9 & 12, 2009)

Twitter blocked F-Secure's chief research officer Mikko Hypponen from accessing his account for two days last week for including a malicious link in one of his communications. Hypponen's account was reactivated on Friday, October 9, when he received a message chastising him for including a URL for a MySpace phishing site, but Twitter removed all his followers. The original Tweet was posted in August, and contained an exhortation to beware of the phishing site. The address Hypponen provided contained extra spaces to prevent people from accidentally visiting it.
-http://www.theregister.co.uk/2009/10/09/twitter_bans_security_maven/
-http://www.wired.com/threatlevel/2009/10/twitter-suspends-researcher
-http://www.geek.com/articles/news/twitter-bans-f-secure-chief-research-officer-mikko-hypponen-20091012/

-http://www.f-secure.com/weblog/archives/00001789.html

Inspector General Finds Security Gaps in Some DHS Public-Facing Websites (October 9, 2009)

According to a report from US Department of Homeland Security (DHS) Inspector General Richard Skinner, a number of popular department websites are vulnerable to attacks and could allow DHS data to be lost or used without proper authorization. Among the problems discovered on the sites are inconsistent patch management and security assessments. The report makes six recommendations to improve the websites' security, including establishing regular patching and vulnerability assessment practices and clarifying DHS's "vulnerability assessment policy and guidelines to address threats specifically associated with its websites."
-http://fcw.com/Articles/2009/10/09/DHS-Web-sites-vulnerable-to-hackers-IG-says.aspx

-http://www.dhs.gov/xoig/assets/mgmtrpts/OIG_09-101_Sep09.pdf

Federal Reserve Bank Employee Pleads Guilty to Fraud and Identity Theft (October 6 & 7, 2009)

A former Federal Reserve Bank of New York employee has pleaded guilty to bank fraud and aggravated identity theft. Curtis Wiltshire, who worked at the institution as an information and technical analyst, stole other employees' personal information, including Social Security numbers (SSNs), which he used to fraudulently obtain US $200,000 in federally insured student loans. According to the terms of a plea agreement, Wiltshire faces between 27 and 33 months in prison.
-http://www.databreaches.net/?p=7702
-http://www.courthousenews.com/2009/10/07/Former_Fed_Bank_Worker_Admits_to_ID_Theft.htm

Federal Charges Filed Against Former DuPont Scientist (October 6, 2009)

A former DuPont research scientist is now facing federal criminal charges for allegedly trying to steal trade secrets from the company. Hong Meng is already facing civil charges for stealing information about a new thin computer display technology called organic light emitting diode (OLED). Earlier this year, Meng notified his employer that he planned to leave his position and join DuPont in China. At that time he asked permission to download data to take with him. Although his request was denied, he allegedly copied about 600 files onto an external storage device. Meng is Chinese with permanent resident status in the US.
-http://www.computerworld.com/s/article/9139014/Former_DuPont_researcher_hit_with_federal_data_theft_charges?taxonomyId=17
-http://www.google.com/hostednews/ap/article/ALeqM5hY6U9_VbDLCYkuz8Sn5w4wT10rUgD9B37Q1O0

-http://pubs.acs.org/cen/news/87/i41/8741news6.html


**********************************************************************

The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit

http://portal.sans.org/