SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XI - Issue #82

October 16, 2009

TOP OF THE NEWS

Finland Declares 1Mb Broadband Access a Legal Right
Microsoft Releases Bumper Crop of Bulletins

THE REST OF THE WEEK'S NEWS

More Breach Woes at PayChoice
Schwarzenegger Nixes Data Breach Notification Bill
Guilty Pleas in Natwest Phishing Case
Missing Flash Drive Holds Virginia Adult Ed. Student Information
Most Sidekick Data Recovered
Alleged VoIP Hacker Extradited
Mozilla Releases Plug-In Check Service for Firefox
Adobe Security Update Fixes Nearly 30 Flaws
Rising Online Banking Theft Spurs New Recommendations
Malware Infection Prompts Michigan Airport to Take Website Offline
One Third of Japanese Web Sites Have Flaws That Enable Unauthorized Access

---

*********************** Sponsored By BigFix, Inc. **********************

UPCOMING WEBCAST: Network Control Meets Endpoint Security Featuring: Kimber Spradlin.

This live web presentation and Q&A with a panel of experts from BigFix and ForeScout will provide an overview of the many different dimensions of security, including best practices for achieving continuous compliance at the endpoint and on the network.

https://www.sans.org/info/49753

************************************************************************

TRAINING UPDATE

- -- SANS Tokyo, October 19-24
https://www.sans.org/sanstokyo2009_autumn/
- -- SANS Chicago North Shore, Oct. 26-Nov. 2
https://www.sans.org/chicago09/
- -- SCADA Security Summit, Stockholm, Oct. 27-30
https://www.sans.org/euscada09_summit/
- -- SANS Middle East, October 31-November 11
https://www.sans.org/middleeast09/
- -- SANS San Francisco, November 9-14
https://www.sans.org/sanfrancisco09
- -- SANS Sydney, Nov.9-14
https://sans.org/sydney09/
- -- SANS London, UK, Nov.28-Dec. 9
https://sans.org/london09/
- -- SANS CDI, Washington DC, Dec. 11-18
https://www.sans.org/cyber-defense-initiative-2009
- -- SANS Security East 2010, New Orleans, January 10-18, 2010 19 courses, bonus evening presentations.
https://www.sans.org/security-east-2010/
Looking for training in your own community?
https://sans.org/community/
Save on On-Demand training (30 full courses)
- See samples at https://www.sans.org/ondemand/
For a list of all upcoming events, on-line and live: http://www.sans.org

*************************************************************************

---

TOP OF THE NEWS

Finland Declares 1Mb Broadband Access a Legal Right (October 14 & 15, 2009)

The Finnish government has enacted a law making 1Mb broadband Internet access a legal right. The law will take effect in July 2010. The country may eventually guarantee its citizens the right to 100Mb broadband connections. Finland's Transport and Communications Ministry spokesperson Laura Vikkonen was quoted as saying that "We think (the Internet is) something you cannot live without in modern society. Like banking services or water or electricity, you need an Internet connection." Earlier this year, France declared Internet access to be a human right.
-http://news.cnet.com/8301-17939_109-10374831-2.html
-http://network.nationalpost.com/np/blogs/posted/archive/2009/10/15/finland-makes
-broadband-internet-a-legal-right.aspx

Microsoft Releases Bumper Crop of Bulletins (October 13 & 14, 2009)

Microsoft released a record 13 security bulletins on Tuesday, October 13. The bulletins address a total of 34 vulnerabilities, including a flaw in the File Transfer Protocol (FTP) service in Internet Information Services (IIS) and a trio of Server Message Block (SMB) flaws. Exploit code for one of the SMBv2 flaws was posted to the Internet before the fix was released. The release includes fixes for all supported versions of Windows. Two of the critical patches address flaws in Windows 7; the official release date for the new operating system is October 22, but it has been available to certain entities since this summer. ISC:
-http://isc.sans.org/diary.html?storyid=7345
-http://news.cnet.com/8301-27080_3-10374134-245.html
-http://www.h-online.com/news/item/Microsoft-Patch-Tuesday-34-security-vulnerabil
ities-addressed-828128.html
-http://www.scmagazineus.com/Microsoft-Patch-Tuesday-bonanza-13-fixes-for-34-flaw
s/article/152214/
-http://www.theregister.co.uk/2009/10/14/microsoft_patch_tuesday_oct_2009/
-http://www.computerworld.com/s/article/9139371/Microsoft_patches_last_major_ATL_
bugs?source=rss_security
-http://www.computerworld.com/s/article/9139307/Microsoft_delivers_massive_Patch_
Tuesday_fixes_34_flaws?
-http://www.msnbc.msn.com/id/33310782/ns/technology_and_science-security/
-http://www.microsoft.com/technet/security/bulletin/ms09-oct.mspx
Editor's Note (Schultz): Interestingly, over the six years since the first "Patch Tuesday," Microsoft has released nearly 400 bulletins that have described nearly 750 vulnerabilities, over half of which have been labeled "critical." See blog.emagined.com for a full commentary.]

---

************************ Sponsored Links: ****************************

1) Register Today and receive 10% off for SANS vLive course SEC542, Web App Penetration Testing and Ethical Hacking, November 2nd - November 9th. Please use the code @Risk542 when registering.

https://www.sans.org/info/49758

2) REGISTER NOW for the upcoming Webcast, brought to you by: Breach Security, Inc. Achieving Web Application Integrity with WebDefend.

https://www.sans.org/info/49763

***********************************************************************

---

THE REST OF THE WEEK'S NEWS

More Breach Woes at PayChoice (October 15, 2009)

Online payroll services provider PayChoice has taken its onlineemployer. com portal offline for the second time in a month. In an email to its customers, PayChoice said that "we determined that valid user credentials for an Online Employer user were used in an unauthorized manner to add ... fictitious employees in an attempt to have payments made to fraudulent bank accounts." Last month, cyber criminals hacked into PayChoice servers, stole customer information and used it to send customized emails messages that urged the recipients to download a plug-in to ensure uninterrupted service. The download was actually malware that stole login credentials.
-http://voices.washingtonpost.com/securityfix/2009/10/paychoice_suffers_another_d
ata.html

Schwarzenegger Nixes Data Breach Notification Bill (October 13 & 15, 2009)

California Governor Arnold Schwarzenegger has vetoed legislation that would have required data breach notification letters to include more specific information about each incident. SB-20 would have mandated that entities experiencing data breaches provide affected consumers with details of the incident, the type of data compromised, and recommendations for guarding against identity fraud. It also would have required organizations to send copies of notification letters to the state attorney general's office if the breach affected more than 500 people. The governor said he declined to sign the bill because there is no evidence that the additional information would help consumers.
-http://www.scmagazineus.com/Schwarzenegger-negs-update-to-California-breach-law/
article/152379/
Editor's Note (Schultz): Schwarzenegger's veto of yet another bill that would have greatly benefited consumers in California amounts to just one of many nails in the coffin of what initially appeared to be a promising political career.]

Guilty Pleas in Natwest Phishing Case (October 15, 2009)

Four people have pleaded guilty to conspiracy to defraud and money laundering for their roles in a phishing scheme that targeted Natwest online banking customers. The group used a Trojan horse program to steal account information from 138 of the UK bank's customers; they stole GBP 600,000 (US $982,000), of which GBP 140,000 (US $229,000) has been recovered. The pleas mark the conclusion of the first successful case for the Police Central e-Crime Unit.
-http://www.itpro.co.uk/616339/london-cyber-criminals-face-jail-for-natwest-fraud
-http://www.google.com/hostednews/ukpress/article/ALeqM5hbgMgqo5cerMbHLegx9daws4Q
5oA

Missing Flash Drive Holds Virginia Adult Ed. Student Information (October 15, 2009)

Virginia Department of Education officials have acknowledged that a missing flash drive contains personally identifiable information of more than 103,000 former adult education students. The unencrypted data include names, Social Security numbers (SSNs) and employment information. The information on the drive was intended to be used in research. Transferring unencrypted data is a violation of agency policy.
-http://www.washingtonpost.com/wp-dyn/content/article/2009/10/14/AR2009101402118.
html
Editor's Note (Honan): Time and time again we hear the line "violation of policies" being trotted out when a breach such as this happens. Policies without controls are as ineffective as guns without bullets.]

Most Sidekick Data Recovered (October 15, 2009)

According to a Microsoft executive, "most if not all" of the Sidekick data believed to have been lost last week has been recovered. The company expects to start restoring the data to users' devices soon. The statement offered little in the way of explanation for the outage, but notes that it has implemented a "more resilient back-up process" to guard against data loss in the future. New Sidekick sales are still suspended.
-http://www.h-online.com/news/item/Microsoft-restores-Sidekick-customer-data-8301
89.html
-http://voices.washingtonpost.com/fasterforward/2009/10/microsoft_says_it_can_rec
over.html
-http://www.computerworld.com/s/article/9139407/Microsoft_recovers_most_Sidekick_
data?taxonomyId=17
-http://news.bbc.co.uk/2/hi/technology/8309218.stm
-http://news.cnet.com/8301-13860_3-10375994-56.html

Alleged VoIP Hacker Extradited (October 15, 2009)

Edwin Pena is being extradited from Mexico to the US to face charges related to the theft and resale of voice over Internet protocol (VoIP) services. Pena has been a fugitive for more than three years. Pena was arrested in June 2006 and was released on US $100,000 bail,
-http://www.computerworld.com/s/article/9139434/Fugitive_hacker_headed_back_to_U.
S._for_arraignment?source=rss_security

Mozilla Releases Plug-In Check Service for Firefox (October 14, 2009)

Mozilla now has a service that checks to make sure that Firefox users are running the most recent versions of browser plug-ins. The first version of the service checks the status of about 15 plug-ins; Mozilla plans to add others in the future. There are also plans to embed the service in Firefox 3.6, which is scheduled for a November release. Firefox already has the capability to check if add-ons are up to date. According to Mozilla, out-of-date plug-ins are responsible for about 30 percent of browser crashes.
-http://www.theregister.co.uk/2009/10/14/mozilla_firefox_security_plugin/
-http://www.computerworld.com/s/article/9139372/To_boost_security_Mozilla_launche
s_plug_in_checker?source=rss_security
-http://voices.washingtonpost.com/securityfix/2009/10/mozilla_firefox_users_check
_yo.html
-http://www.informationweek.com/news/internet/browsers/showArticle.jhtml?articleI
D=220600898

Adobe Security Update Fixes Nearly 30 Flaws (October 13 & 14, 2009)

Adobe's scheduled quarterly security update for October addresses nearly 30 security flaws in Adobe Reader and Acrobat. One of the critical vulnerabilities has already been exploited in the wild. The update affects Reader and Acrobat version 9.1.3; Acrobat version 8.1.6 for Windows, Mac and Unix; and Reader and Acrobat version 7.1.3 for Windows and Mac. Users are urged to upgrade to the most recent versions of Acrobat and Reader. Also included in this release is a new software updater for Reader and Acrobat. ISC:
-http://isc.sans.org/diary.html?storyid=7348
-http://news.cnet.com/8301-27080_3-10374264-245.html
-http://www.h-online.com/news/item/Adobe-closes-29-vulnerabilities-in-Acrobat-and
-Reader-828796.html
-http://www.theregister.co.uk/2009/10/13/adobe_reader_updater_update/
-http://www.adobe.com/support/security/bulletins/apsb09-15.html

Rising Online Banking Theft Spurs New Recommendations (October 12 & 14, 2009)

The Clampi Trojan horse program infected computers at the Cumberland County (PA) Redevelopment Authority, allowing cyber thieves to steal nearly US $480,000 from the organization's bank account. Just over US $100,000 of the stolen money has been recovered. The incident is one of a growing number affecting organizations that offer online banking services. Because Clampi affects only Windows operating systems, one possible solution to the problem is for organizations that choose to conduct their banking online to use a Live CD, a read-only, bootable operating system such as Ubuntu.
-http://www.theregister.co.uk/2009/10/14/microsoft_windows_bank_thefts/
-http://voices.washingtonpost.com/securityfix/2009/10/avoid_windows_malware_bank_
on.html
Editor's Note (Schultz): Cybercrooks will go wherever the money is. If Ubuntu-based online banking services are used increasingly, the crooks will quickly figure out how to defraud customers despite a change in the underlying operating system on which these services are built.

(Honan): As with all matters relating to information security we should not use a knee jerk reaction, such as asking users to use Live CDs for their banking. Rather we need to look at the methods of attack and device better ways of preventing, detecting and reacting to them.]

Malware Infection Prompts Michigan Airport to Take Website Offline (October 12 & 13, 2009)

The Gerald R. Ford International Airport in Grand Rapids, Michigan took its website offline on Monday because of a suspected malware infection. Travelers were directed to airline websites for flight information until the site was put back online on Tuesday morning. Airport officials made the decision to take the site down to protect users from getting infected while visiting the site. The infection manifested itself as a pop-up that purported to be from Adobe, urging users to download an Adobe Reader update; the download was actually malware. The malware also appears to have infected the airport's administrative system.
-http://www.theregister.co.uk/2009/10/13/airport_malware_infection/
-http://www.woodtv.com/dpp/news/local/grand_rapids/Airport_Web_site_down_with_vir
us_issues

One Third of Japanese Web Sites Have Flaws That Enable Unauthorized Access (October 16, 2009)

Japan's largest security organization, NRI SecureTechnologies, just published an English translation of its authoritative annual study of web site security issues and trends in Japan. Interesting reading.
-http://www.nri-secure.co.jp/news/2009/1009_report.html

---

**********************************************************************

The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit:

http://portal.sans.org/