SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XI - Issue #88
November 06, 2009
TOP OF THE NEWS
EU Legislators Reach Agreement on Internet Access Rights and Illegal Downloading
FBI Warns More Than US $100 Million Stolen Through Automated Clearing House System Fraud
Senate Judiciary Committee Approves Two Breach Notification Bills
THE REST OF THE WEEK'S NEWS
Judge Punishes Attorney for Disregarding Privacy Practices
Zero-Day Flaw in SSL and TLS Protocols
Cookie Issue Allows Attackers to Target Main Domain From Subdomain
Microsoft to Issue Six Bulletins on November 10
Two Indicted for Unauthorized Computer Access
Adobe Issues Shockwave Security Update
Corporate Data Compromise Leads to Increased Risk of Identity Fraud
************************ Sponsored By SANS ******************************
Using the Network to detect incidents - Focusing on hosts to detect incidents. Two critical themes of the Incident Detection Summit December 9-10. Attend and hear expert speakers tell what network-centric and host-centric indicators yield the best results as well as how to collect/analyze them.
https://www.sans.org/info/50448
*************************************************************************
TRAINING UPDATE
-- SANS San Francisco, November 9-14
https://www.sans.org/sanfrancisco09
-- SANS Sydney, November 9-14
https://sans.org/sydney09/
-- SANS Hong Kong, November 9-14
https://www.sans.org/hong-kong-forensics-2009/
-- SANS Vancouver, November 14-19
https://www.sans.org/vancouver09/
-- SANS London, UK, November 28-December 6
16 courses, bonus evening sessions: Hex Factor, Forensics Mini Summit and more
https://sans.org/london09/
-- SANS CDI, Washington DC, December 11-18
https://www.sans.org/cyber-defense-initiative-2009
-- SANS Security East 2010, New Orleans, January 10-18, 2010
19 courses, bonus evening presentations
https://www.sans.org/security-east-2010/
Looking for training in your own community? https://sans.org/community/
Save on On-Demand training (30 full courses)
- See samples at
https://www.sans.org/ondemand/
For a list of all upcoming events, on-line and live: http://www.sans.org
*************************************************************************
TOP OF THE NEWS
EU Legislators Reach Agreement on Internet Access Rights and Illegal Downloading (November 5, 2009)
European Union legislators have reached an agreement that strikes a balance between citizens' rights to Internet access and the need to protect copyright holders' interests. Internet users are granted protection from having their Internet access arbitrarily cut off if they are suspected of illegal filesharing. Internet access can be cut off only if national authorities have proof that users have illegally downloaded copyrighted material. The EU agreement, which has yet to be confirmed, does not require that authorities obtain a court order before cutting suspected offenders off from the Internet. France has already enacted a three-strikes policy for illegal downloaders, but connections cannot be severed without an order from a judge. Britain is considering similar rules. Spain has said it will not cut illegal downloaders off from the Internet.
-http://www.net-security.org/secworld.php?id=8472
-http://www.msnbc.msn.com/id/33655437/ns/technology_and_science-security/
-http://www.computerworld.com/s/article/9140364/EU_breaks_deadlock_in_debate_over_right_to_Internet_access?source=rss_security
-http://www.nytimes.com/2009/11/06/technology/internet/06net.html?_r=1&ref=technology
-http://www.theregister.co.uk/2009/11/05/span_does_not_intend_to_pursue_web_disconnection/
FBI Warns More Than US $100 Million Stolen Through Automated Clearing House System Fraud (November 3 & 4, 2009)
The FBI's Internet Crime Complaint Center has issued an Intelligence Note warning of increased fraudulent use of the Automated Clearing House (ACH) system to steal more than US $100 million from small and medium-sized businesses, municipal governments and school districts. In general, the online attacks use social engineering techniques to trick users into installing malware on computers used to conduct financial transactions. Once the criminals have access to the organizations' bank accounts, they transfer money out to accounts often opened by "money mules," people who have agreed to forward the money to overseas accounts for a small fee. The transfers are kept under US $10,000 to avoid triggering currency transaction reports.
-http://www.ic3.gov/media/2009/091103-1.aspx
-http://www.networkworld.com/news/2009/110309-fbi-warns-of-100m-cyber-threat.html
-http://news.cnet.com/8301-27080_3-10390118-245.html?part=rss&subj=news&tag=2547-1009_3-0-20
-http://www.securityfocus.com/brief/1032
-http://www.scmagazineus.com/FBI-Money-mule-scams-top-100-million/article/157066/
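The item above describes the pattern the Intelligence Note warns about: a burst of outbound transfers, each kept just under the US $10,000 reporting threshold, to beneficiaries the organization has never paid before. The following is an added example (not from the FBI note or from SANS) of the kind of structuring check a finance or security team could run over its own ACH origination records. The transaction lines, account names and the 85%-of-threshold and three-per-day cut-offs are constructed assumptions for illustration.

```python
"""
Structuring check over outbound ACH transfers (added example, not from the
FBI Intelligence Note). Flags an originating account that, within a single
day, sends several transfers just beneath the CTR threshold to beneficiaries
it has never paid before. Sample data and tuning constants are constructed.
"""
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

CTR_THRESHOLD = 10_000.00  # reporting threshold named in the news item
NEAR_LIMIT = 0.85          # assumption: amounts at or above 85% of threshold count
MIN_COUNT = 3              # assumption: 3+ such transfers in one day raise an alert

# Constructed sample export: one ordinary day, then a burst of sub-threshold
# transfers to four never-before-seen beneficiaries from the same account.
SAMPLE_LOG = """\
timestamp,origin_account,beneficiary,amount
2009-11-02T09:05:00,ACME-OPS,VEND-0017,12500.00
2009-11-02T09:06:00,ACME-OPS,VEND-0042,4300.00
2009-11-03T10:01:00,ACME-OPS,NEW-8801,9650.00
2009-11-03T10:03:00,ACME-OPS,NEW-8802,9720.00
2009-11-03T10:04:00,ACME-OPS,NEW-8803,9890.00
2009-11-03T10:09:00,ACME-OPS,NEW-8804,9400.00
2009-11-03T11:00:00,SCHOOL-PAY,VEND-0017,8000.00
"""


def parse_transfers(text):
    """Parse CSV export lines into dicts, sorted by timestamp."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        rows.append({
            "ts": datetime.fromisoformat(row["timestamp"]),
            "origin": row["origin_account"],
            "beneficiary": row["beneficiary"],
            "amount": float(row["amount"]),
        })
    rows.sort(key=lambda r: r["ts"])
    return rows


def find_structuring(rows, threshold=CTR_THRESHOLD, near=NEAR_LIMIT,
                     min_count=MIN_COUNT):
    """Return one alert per (origin account, day) that sent min_count or more
    near-threshold transfers to beneficiaries first paid on that same day."""
    # First pass: the day each (origin, beneficiary) pair was first seen.
    first_seen = {}
    for r in rows:
        first_seen.setdefault((r["origin"], r["beneficiary"]), r["ts"].date())

    # Second pass: bucket qualifying transfers by origin and calendar day.
    buckets = defaultdict(list)
    for r in rows:
        day = r["ts"].date()
        is_near_limit = near * threshold <= r["amount"] < threshold
        is_new_payee = first_seen[(r["origin"], r["beneficiary"])] == day
        if is_near_limit and is_new_payee:
            buckets[(r["origin"], day)].append(r)

    alerts = []
    for (origin, day), hits in sorted(buckets.items()):
        if len(hits) >= min_count:
            alerts.append({
                "origin": origin,
                "date": day.isoformat(),
                "count": len(hits),
                "total": round(sum(h["amount"] for h in hits), 2),
                "beneficiaries": [h["beneficiary"] for h in hits],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_structuring(parse_transfers(SAMPLE_LOG)):
        print(alert)
```

The rule is a triage signal, not proof of fraud: a legitimate first payroll run to many new payees would also trip it, so the cut-offs belong in configuration and an alert should lead to a call-back to the account holder, not an automatic block.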
Senate Judiciary Committee Approves Two Breach Notification Bills (November 5 & 6, 2009)
On Thursday, the US Senate Judiciary Committee approved both the Personal Data Privacy and Security Act of 2009 and the Data Breach Notification Act. The bills now go before the full Senate. The Personal Data Privacy and Security Act would require organizations that retain consumer data to establish data privacy and security programs. The bill would also impose significant fines for failing to disclose a data breach and require that entities experiencing data security breaches notify those whose information was compromised and also notify law enforcement authorities. The Data Breach Notification Act would establish a federal law requiring data breach notification that would supersede all existing state breach notification laws. The bill would also require organizations to report large breaches to the US Secret Service.
-http://www.computerworld.com/s/article/9140408/Federal_data_protection_law_inches_forward?source=rss_security
-http://www.pcworld.com/article/181549/senate_panel_approves_databreach_notification_bills.html
-http://www.nextgov.com/nextgov/ng_20091105_7308.php?oref=topnews
-http://computerworld.co.nz/news.nsf/scrt/6402CA6D786CBA34CC25766500775C35?opendocument&utm_source=security&utm_medium=email&utm_campaign=security
[Editor's Note (Schultz): Both bills will face considerable opposition in the full Senate. Opponents assert that if passed, these pieces of legislation would be too costly to businesses. ]
************************ Sponsored Links: ****************************
1) Streamlining Security Awareness Training (SAT) with SecureAware from Lightwave Security. Or rapidly deploy PCI-, COBIT- and ISO-compliant Security Awareness Training (SAT).
https://www.sans.org/info/50453
2) REGISTER NOW for the upcoming webcast: A Day In The Life Of A Configuration Compliance Exception.
https://www.sans.org/info/50458
3) Website HealthCare Reform is Coming...
Watch Out Nov 9, 2009. Sign up now to be first in line.
https://www.sans.org/info/50463
***********************************************************************
THE REST OF THE WEEK'S NEWS
Judge Punishes Attorney for Disregarding Privacy Practices (November 5, 2009)
A US District Judge in Minnesota has reprimanded attorney Vincent J. Moccio for including the Social Security numbers (SSNs) and birth dates of 179 people in an electronically filed court brief. Judge Michael J. Davis ordered Moccio to provide credit monitoring for all affected individuals and to pay US $5,000 to an area food bank. The censure and punishment were not requested by anyone in the court case; instead, the judge used his "inherent power" to impress upon Moccio the importance of adhering to effective privacy practices.
-http://www.theregister.co.uk/2009/11/05/judge_sanctions_attorney/
Zero-Day Flaw in SSL and TLS Protocols (November 5, 2009)
A zero-day flaw in the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols could be exploited to launch a man-in-the-middle attack. The discovery of this authentication gap vulnerability means that all affected libraries will need to be patched. Representatives from leading technology firms have been meeting since late September to develop a new standard to fix the vulnerability.
-http://www.computerworld.com/s/article/9140362/Scramble_on_to_fix_flaw_in_SSL_security_protocol?source=rss_security
-http://www.theregister.co.uk/2009/11/05/serious_ssl_bug/
-http://www.h-online.com/security/news/item/Vulnerability-in-SSL-TLS-protocol-851478.html
-http://www.scmagazineus.com/Serious-vulnerability-in-SSL-discovered/article/157173/
-http://news.zdnet.co.uk/security/0,1000000189,39860592,00.htm
-http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=221600523
Cookie Issue Allows Attackers to Target Main Domain From Subdomain (November 4 & 5, 2009)
A problem with the way browsers handle cookies could be exploited to attack a website's main domain through its subdomains. A researcher has published a paper in which he offers proof-of-concept examples of the attack for the Google, Expedia and Chase Manhattan Bank websites. The problem lies in a browser protocol, RFC 2965, which says "that browsers must allow subdomains to set and read cookies for their parent."
-http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=221600496&subSection=Vulnerabilities+and+threats
-http://www.securecomputing.net.au/News/159809,browser-cookie-handling-could-widen-web-attack-space.aspx
-http://www.theregister.co.uk/2009/11/04/website_cookie_stealing/
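The quoted RFC rule is easier to reason about with a small model of a browser cookie jar. The following is an added example (not from the researcher's paper or from SANS) that implements the domain-matching rule of RFC 2965, carried forward into RFC 6265 section 5.1.3, and walks through what the main site actually receives once a subdomain has set a cookie scoped to the parent domain. The hostnames and cookie values are constructed, and the model deliberately omits the public-suffix check real browsers also apply.

```python
"""
Toy browser cookie jar modelling RFC 2965 / RFC 6265 domain scoping.
Added example; hostnames and cookie values are constructed. Real browsers
additionally refuse Domain attributes that name a public suffix such as
"com" or "co.uk"; that check is left out here to keep the model short.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str       # effective domain, lower-case, leading dot stripped
    host_only: bool   # True when Set-Cookie carried no Domain attribute


def domain_match(request_host: str, cookie_domain: str) -> bool:
    """A host domain-matches a cookie domain when it equals that domain or is
    a subdomain of it (RFC 6265 section 5.1.3)."""
    host, dom = request_host.lower(), cookie_domain.lower()
    return host == dom or host.endswith("." + dom)


def set_cookie(jar: List[Cookie], setting_host: str, header: str) -> bool:
    """Store the cookie from a Set-Cookie header received from setting_host.
    Returns False where a browser would reject the cookie outright."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    domain_attr: Optional[str] = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.strip().lower() == "domain":
            domain_attr = val.strip().lstrip(".").lower()
    if domain_attr is None:
        # No Domain attribute: host-only cookie, returned only to setting_host.
        jar.append(Cookie(name, value, setting_host.lower(), host_only=True))
        return True
    # A Domain attribute is accepted as long as the setting host lies within
    # it. This is the rule the article quotes: a subdomain may scope a cookie
    # to its parent domain, but not to an unrelated domain.
    if not domain_match(setting_host, domain_attr):
        return False
    jar.append(Cookie(name, value, domain_attr, host_only=False))
    return True


def cookies_for(jar: List[Cookie], request_host: str) -> List[Tuple[str, str]]:
    """Cookies a browser would attach to a request to request_host, in jar order."""
    sent = []
    for c in jar:
        if c.host_only:
            matches = request_host.lower() == c.domain
        else:
            matches = domain_match(request_host, c.domain)
        if matches:
            sent.append((c.name, c.value))
    return sent


def demo() -> dict:
    """Main site sets a host-only session cookie; a subdomain then sets a
    same-named cookie scoped to the parent domain (constructed scenario)."""
    jar: List[Cookie] = []
    set_cookie(jar, "www.example.com", "session=set-by-main-site")
    set_cookie(jar, "blog.example.com",
               "session=set-by-subdomain; Domain=.example.com")
    rejected = not set_cookie(jar, "blog.example.com", "x=1; Domain=other.com")
    return {
        "main_site_sees": cookies_for(jar, "www.example.com"),
        "subdomain_sees": cookies_for(jar, "blog.example.com"),
        "unrelated_domain_rejected": rejected,
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The point for defenders is in the first result: the main site receives two cookies both named "session", and the Cookie header carries no indication of which host set which. Nothing on the server side can distinguish them, so an application on the parent domain is only as trustworthy as the least secure host under that domain, and session handling on the parent should not share a domain with subdomains that serve user-controlled or third-party content.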
Microsoft to Issue Six Bulletins on November 10 (November 5, 2009)
According to Microsoft Security Bulletin Advance Notification, the company will issue six security bulletins on Tuesday, November 10. Three of the bulletins are rated critical, and three are rated important. All three of the critical bulletins and two of the important bulletins address remote code execution vulnerabilities; the other important bulletin addresses a denial-of-service vulnerability. The bulletins address flaws in Microsoft Windows and Office.
-http://www.microsoft.com/technet/security/bulletin/ms09-nov.mspx
-http://news.cnet.com/8301-27080_3-10391568-245.html?part=rss&subj=news&tag=2547-1009_3-0-20
Two Indicted for Unauthorized Computer Access (November 4 & 5, 2009)
Two former employees of the Stens Corporation, one from Indiana and one from Kentucky, have been indicted on charges of computer intrusion for allegedly breaking into the company's computer systems. According to the indictment, Scott R. Burgess and Walter D. Puckett allegedly accessed the Stens computer systems about a dozen times with passwords they had used up to two years previously. When administrators at Stens became suspicious, they terminated the old passwords, but the men were able to successfully guess the new login credentials. The men were allegedly working for a Stens competitor at the time of the intrusions. If convicted, the men could face up to five years in prison and a US $250,000 fine.
-http://indianapolis.fbi.gov/dojpressrel/pressrel09/ip110409.htm
-http://www.theregister.co.uk/2009/11/05/computer_intrusion_charges_filed/
Adobe Issues Shockwave Security Update (November 3, 4 & 6, 2009)
Adobe has updated its Shockwave Player to fix five critical flaws. Four of the vulnerabilities could be exploited to inject and execute malicious code; the fifth could be exploited to create denial-of-service conditions. For an attack to succeed, users would need to be tricked into visiting specially crafted websites. Adobe recommends that users upgrade to Shockwave version 11.5.2.602 as soon as possible.
-http://www.h-online.com/security/news/item/Adobe-patches-critical-vulnerabilities-in-Shockwave-Player-849517.html
-http://www.v3.co.uk/v3/news/2252654/adobe-patches-five-critical
-http://www.adobe.com/support/security/bulletins/apsb09-16.html
Corporate Data Compromise Leads to Increased Risk of Identity Fraud (November 4, 2009)
According to a study, people who have received data breach notification letters from companies are four times more likely to be victims of identity fraud. This is despite claims made by many companies that they do not see any indication that the compromised data are being used by criminals. The study also found that most consumers do not see a direct correspondence between breach notification letters and identity fraud.
-http://www.darkreading.com/security/privacy/showArticle.jhtml?articleID=221600348
**********************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.
Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit:
http://portal.sans.org/