SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XI - Issue #84

October 23, 2009

Here's the bottom line on security in Windows 7, from NewsBites editorial board member John Pescatore:

"From a security perspective, Windows 7 offers definite improvements over Windows XP, but there is no major security reason to move to Windows 7 before it makes business sense. The biggest improvement in Windows desktop security comes from getting off of the IE6 browser and moving to IE8 or the latest version of Firefox - and you don't need Windows 7 to do that."

This issue also has a great "guest editor's note" about the actual value of this week's report on the Chinese cyber attacks.

Alan

---

TOP OF THE NEWS

Report Warns of Chinese Cyber Threat
European Parliament Shifts Stance on Disconnecting Illegal Filesharers
FCC Moves Forward on Net Neutrality
Legislators Take Aim at Certain Patriot Act Provisions

THE REST OF THE WEEK'S NEWS

Microsoft Releases Windows 7
Bill Increases DHS Budget for Internal Cyber Security Improvements
"Cautious Optimism" About Rapid7's Acquisition of Metasploit
Bing Bug Fix Expected by End of Week
Scareware Goes Hybrid
Air Force Association Announces Cyber Challenge for High School Students

---

**************************** Sponsored By SANS **************************

The Incident Detection Summit December 9-10 is a user-to-user, non-commercial conference on What Works in Incident Detection. It is the only place where you can learn about the strengths and weaknesses of competing technologies, where experts will share their knowledge on detecting intruders in both large and small enterprises.

https://www.sans.org/info/49894

*************************************************************************

TRAINING UPDATE

-- SANS Chicago North Shore, Oct. 26-Nov. 2
https://www.sans.org/chicago09/
-- SCADA Security Summit, Stockholm, Oct. 27-30
https://www.sans.org/euscada09_summit/
-- SANS Middle East, October 31-November 11
https://www.sans.org/middleeast09/
-- SANS San Francisco, November 9-14
https://www.sans.org/sanfrancisco09
-- SANS Sydney, Nov.9-14
https://sans.org/sydney09/
-- SANS London, UK, Nov.28-Dec. 9
https://sans.org/london09/
-- SANS CDI, Washington DC, Dec. 11-18
https://www.sans.org/cyber-defense-initiative-2009
-- SANS Security East 2010, New Orleans, January 10-18, 2010
19 courses, bonus evening presentations
https://www.sans.org/security-east-2010/
Looking for training in your own community?
https://sans.org/community/
Save on On-Demand training (30 full courses)
- See samples at https://www.sans.org/ondemand
Plus Hong Kong, Oslo and Vancouver, all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org
*************************************************************************

---

TOP OF THE NEWS

Report Warns of Chinese Cyber Threat (October 22, 2009)

The US-China Economic and security Review Commission this week released a report titled "Capability of the People's Republic of China to Conduct Cyber Warfare and Computer Network Exploitation." According to the report, domination of an adversary's information flow is central to Chinese military strategy. It also warns that China will likely conduct "a long term, sophisticated computer network exploitation campaign."
-http://www.scmagazineus.com/Security-report-finds-Chinese-cyberspying-threat-gro
wing/article/156013/
-http://www.uscc.gov/researchpapers/2009/NorthropGrumman_PRC_Cyber_Paper_FINAL_Ap
proved%20Report_16Oct2009.pdf
[Guest Editor's Note (Ed Giorgio, CSIS Commission member): Playing the devil's advocate, when (uninformed) policy makers read the executive summary, they will learn:

1. That China has a cyber doctrine very much like ours ("information dominance", "network centric warfare", etc.) - *boring*
2. They have an espionage program very much like ours - *boring*
3. They can reach out to industry (as we do) to get specialized talent - *boring*
4. They are gradually discouraging hactivism as it is a source of embarrassment and stuff like defacing whitehouse.gov doesn't achieve a long term military or economic objective (they are catching up to us on this policy) - *positive and* *boring*
5. While the case studies and time line are fascinating, I believe they are only the tip of the iceberg. The (all important) scale on which this is (apparently) happening (about 3 per year) is not convincing, and hence *does not require immediate attention*.

*** What is really needed it something we did in the cold war, a *"Net Assessment"* where we juxtapose operational capabilities (count nukes, missiles, tests, etc.) and decide if we are winning or losing. Only our government could make an informed statement of the scale on which this is currently happening and they would have to declassify a lot of information to do it; something I think is needed.

(Honan): RAND has just released a whitepaper on Cyber Warfare that I highly recommend people interested in this topic should read.
-http://www.rand.org/pubs/monographs/2009/RAND_MG877.pdf]

European Parliament Shifts Stance on Disconnecting Illegal Filesharers (October 23, 2009)

The European Parliament has removed an amendment to its telecommunications legislation that would have made it difficult for member countries to cut off Internet service to file sharing copyright violators without a court order. The European parliament earlier indicated it viewed Internet access as a basic human right. Now member countries will have the leeway to make their own decisions about punishments for illegal filesharing. France has already adopted a three-strikes policy that would allow illegal filesharers to be cut off from the Internet for as long as one year.
-http://news.bbc.co.uk/2/hi/technology/8322308.stm
-http://www.siliconrepublic.com/news/article/14225/comms/eu-in-web-u-turn-to-allo
w-member-states-to-ban-illegal-file-sharers
[Editor's Note (Liston): While I'm not sure I would agree that Internet access is a "basic human right," I don't see the two stances as being irreconcilable. Our judicial system is grounded on the notion of the removal of basic human rights as punishment for illegal activity. ]

FCC Moves Forward on Net Neutrality (October 22, 2009)

On Thursday, the US Federal Communications Commission (FCC) voted unanimously to begin the rulemaking proceeding to codify existing Net neutrality principles. Under the new rules, broadband providers could use "reasonable" traffic management to prevent bottlenecks, but they would have to be forthcoming with their customers about those practices. The rules would also prohibit the providers from giving certain network traffic preferential treatment. Users would be allowed to run legal applications and visit legal websites. US Senator John McCain said the Internet Freedom Act that would block the FCC from enacting rules that would create "onerous federal regulation."
-http://www.msnbc.msn.com/id/33430848/ns/technology_and_science-tech_and_gadgets/
-http://www.pcworld.com/article/174155/mccain_introduces_bill_to_block_fccs_net_n
eutrality_rules.html
-http://bits.blogs.nytimes.com/2009/10/22/fcc-begins-crafting-rules-on-network-ne
utrality/
-http://voices.washingtonpost.com/posttech/2009/10/fcc_moves_forward_on_net_neutr
.html
-http://www.wired.com/epicenter/2009/10/fcc-net-neutrality/
-http://www.pcworld.com/article/174173/what_happens_in_an_fcc_rulemaking_proceedi
ng.html

Legislators Take Aim at Certain Patriot Act Provisions (October 21, 2009)

US legislators have introduced proposals that would reform certain provisions of 2001's USA Patriot Act, some of which are set to expire at the end of this calendar year. Among the proposed changes are restricting the circumstances under which National Security Letters are issued. (National Security Letters allow the FBI to obtain a variety of information pertinent to government investigations without a court order.) Another proposal is to nullify legislation - not part of the Patriot Act - that grants US telecommunications companies immunity from prosecution for gathering communications data without warrants. The Patriot Act was enacted just weeks after the September 11 attacks.
-http://www.wired.com/threatlevel/2009/10/conyers_bill/
[Editor's Note (Liston): Many portions of this ill-conceived legislation deserve to die. Rewarding telecom companies with immunity for conspiring with the government on warrant-less wiretaps is simply one small part of what needs to go. ]

---

************************ Sponsored Links: ****************************

1) Register Today and receive 10% off for SANS vLive course SEC542, Web App Penetration Testing and Ethical Hacking, November 2nd - November 9th. Please use the code @Risk542 when registering.

https://www.sans.org/info/49899

2) REGISTER NOW for the upcoming Analyst Webcast: Making Database Security an IT Security Priority

https://www.sans.org/info/49904

***********************************************************************

---

THE REST OF THE WEEK'S NEWS

Microsoft Releases Windows 7 (October 18, 21 & 22, 2009)

Microsoft Windows 7 is now available to the general public. The company is hoping its new operating system gets a warmer reception than Vista received. Vista was criticized for its use of excessive pop-ups from the User Account Control (UAC) security feature, causing users to turn the feature off entirely. In Windows 7, the UAC is not as intrusive; however, its off-the-shelf default setting is not the most secure setting available.
-http://www.msnbc.msn.com/id/33429899/ns/technology_and_science-tech_and_gadgets/
-http://www.washingtonpost.com/wp-dyn/content/article/2009/10/16/AR2009101600707.
html
-http://www.informationweek.com/news/software/operatingsystems/showArticle.jhtml?
articleID=220900239
-http://www.computerworld.com/s/article/9136500/Review_Windows_7_a_closer_look
[Editor's Note (Schultz): Although the intrusiveness of security mechanisms such as UAC was only one of many things that made Vista so unpopular, this problem stood out in the minds of Vista users. The moral of this story is that usability problems in connection with security mechanisms are especially apparent and distasteful, a lesson that vendors such as Microsoft are likely to remember well into the future.]

Bill Increases DHS Budget for Internal Cyber Security Improvements (October 22, 2009)

The US Senate approved a bill designating a budget of nearly US $43 billion to the Department of Homeland Security (DHS). Of that, nearly US $400 million is allocated to spend on improving internal cyber security, a 27 percent increase over last year's allocation. The Senate wants DHS to use the funds to decrease the number of Internet access points at the agency and to improve cyber security training and management. Additional portions of the overall budget could also be used to address cyber security issues; for instance, nearly US $1 billion is allocated for the DHS department of science and technology, which conducts cyber security research as part of its mission.
-http://www.computerworld.com/s/article/9139785/DHS_to_get_big_boost_in_cybersecu
rity_spending_in_2010?source=rss_security
[Editor's Note (Pescatore): Hmmm, reducing the number of Internet connections should *reduce* security spending, not increase it. ]

"Cautious Optimism" About Rapid7's Acquisition of Metasploit (October 21, 2009)

Concerns about Rapid7's acquisition of Metasploit appear to be fading after it was announced that the terms of the deal call for Metasploit to continue operating as an open source enterprise. Rapid7 president and CEO Mike Tuchen said the company plans to "leverage Metasploit technology to enhance (its) vulnerability management" product NeXpose.
-http://www.scmagazineus.com/Rapid7-buys-Metaploit-remains-committed-to-open-sour
ce/article/155921/
-http://www.csoonline.com/article/505574/Making_Sense_of_Rapid7_s_Metasploit_Acqu
isition

Bing Bug Fix Expected by End of Week (October 21, 2009)

Microsoft is fixing a bug in its Bing search engine that was being exploited by spammers to get around filters. The attack involved a bug in Bing's redirection mechanism and a link-shortening technique. The trouble lies in the way Bing formats links in RSS (really simple syndication) feeds. Microsoft expects to have fixed the problem by Friday October 23.
-http://news.cnet.com/8301-27080_3-10380846-245.html
[Editor's Note (Liston): Microsoft has, once again, failed to learn from the mistakes of others. Back in the day, Google had similar issues that were exploited by spammers. ]

Scareware Goes Hybrid (October 20, 2009)

According to information from both Symantec and Panda Security, scareware purveyors have begun releasing hybrid malware. One recently detected piece of scareware infects victims' PCs with additional malware that makes them part of a botnet. Another type of scareware prevents users from opening any applications until they purchase the fraudulent product. Symantec's study also found that between July 2008 and June 2009, it received reports of 43 million attempts to install scareware on users PCs.
-http://lastwatchdog.com/scareware-purveyors-advance-blackmail-creating-botnets/

Air Force Association Announces Cyber Challenge for High School Students (October 19, 2009)

Starting on November 7, 200 teams of high school students from the US, Japan and South Korea will compete in the US Air Force Association's CyberPatriot II, a series of live cyber war games aimed at promoting careers in related fields. The field will be winnowed down to 25 teams that will participate in a final competition in February 2010.
-http://www.thedailytell.com/2009/10/nonprofit-air-force-association-recruits-you
th-for-cyber-war-games/
-http://www.afa.org/media/press/cyberpat09.asp

---

**********************************************************************

The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit:

http://portal.sans.org/