SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XI - Issue #89

November 10, 2009

TOP OF THE NEWS

First iPhone Worm Detected
UK Home Office Says it Will Require ISPs to Retain User Communication Data

THE REST OF THE WEEK'S NEWS

60 Minutes Report on US Cyber Security
Top 10 Reasons Government Downplays Cyber Intrusions
Attack on Alleged Syrian Nuclear Facility Aided by Compromised Laptop
Canadian Govt. Pays Compensation to Avoid Class-Action Lawsuit in Data Breach Case
Apple Issues Snow Leopard Update
RIM Issues Fix for BlackBerry Desktop Manager Code Execution Flaw
Lawsuit Alleges iPhone Game Maker Harvests User Information Without Permission
Norwegian ISP Does Not Have to Block Pirate Bay
Bord Gais Agrees to Security Improvements After Breach
Number of Filesharing Sites Burgeoned While Pirate Bay Access Was in Question


******************** Sponsored By Palo Alto Networks ********************

Standalone IPS is Dead.

Gartner advises clients to migrate to next-generation firewalls at their next IPS refresh. Before you renew your IPS or make another purchase, read this report so you can make an informed decision.

https://www.sans.org/info/50579

*************************************************************************

TRAINING UPDATE

-- SANS Vancouver, November 14-19
https://www.sans.org/vancouver09/
-- SANS London, UK, November 28-December 6
16 courses, bonus evening sessions: Hex Factor, Forensics Mini Summit and more
https://sans.org/london09/
-- SANS CDI, Washington DC, December 11-18
https://www.sans.org/cyber-defense-initiative-2009
-- SANS Security East 2010, New Orleans, January 10-18, 2010
19 courses, bonus evening presentations
https://www.sans.org/security-east-2010/
-- SANS AppSec 2010, San Francisco, January 29-February 5, 2010
https://www.sans.org/appsec-2010/
-- SANS Phoenix, February 14 -February 20, 2010
https://www.sans.org/phoenix-2010/
-- SANS 2010, Orlando, March 6 - March 15, 2010
https://www.sans.org/sans-2010/
Looking for training in your own community?
https://sans.org/community/
Save on On-Demand training (30 full courses)
- See samples at https://www.sans.org/ondemand/
For a list of all upcoming events, on-line and live: http://www.sans.org

*************************************************************************

TOP OF THE NEWS

First iPhone Worm Detected (November 9, 2009)

The first worm known to infect iPhones changes the devices' lock mode wallpaper. Users who have jailbroken their iPhones to allow third-party applications to run, but have not changed their default Secure Shell (SSH) login password, are vulnerable to the malware. The worm, dubbed "ikee," started as a practical joke and spread more widely than its creator intended. Ikee has also sent users' photographs to other iPhone users, but does not otherwise carry a malicious payload. However, it is likely that malicious variants will follow.
-http://www.scmagazineuk.com/Apple-iPhones-hit-by-major-worm-attack-after-a-Rick-Astley-joke-spirals-out-of-control/article/157359/
-http://www.wired.com/threatlevel/2009/11/iphone-worm/
-http://voices.washingtonpost.com/securityfix/2009/11/first_iphone_worm_targets_modi.html
-http://news.bbc.co.uk/2/hi/technology/8349905.stm
-http://www.h-online.com/security/news/item/First-iPhone-worm-features-Rick-Astley-854085.html

[Editor's Note (Pescatore): If someone modifies a phone's operating system to run untrusted software, it is hard to feel sorry for them when they get hit by malware. Remember what happens to Windows desktops? ]

UK Home Office Says it Will Require ISPs to Retain User Communication Data (November 9 & 10, 2009)

The UK Home Office has said it will move forward with plans to require telecommunications companies to retain information about customers' Internet use, including instant messaging, email and other forms of electronic communication, such as social networking and chatting within online games. The data would be stored by the telecommunications companies and not in a central database. The content of the communications would not be retained. Authorities want the information kept so they can access records of when suspects in an investigation contacted each other and through what method. Home Office Minister David Hanson said that "communications data is crucial to the fight against crime and keeping people safe," while acknowledging that the process "demands a fine balance between privacy and maintaining the capabilities of the police and security services."
-http://news.bbc.co.uk/2/hi/uk_news/politics/8350660.stm
-http://computerworld.co.nz/news.nsf/scrt/6D1820A7BE892EF5CC257669006CA00F?opendocument&utm_source=topnews&utm_medium=email&utm_campaign=topnews



************************ Sponsored Links: ****************************

1) Streamlining Security Awareness Training (SAT) with SecureAware from Lightwave Security Or Rapidly deploy PCI, COBIT, and ISO compliant Security Awareness Training (SAT)

https://www.sans.org/info/50584

2) Let Us Hack You. Before Hackers Do!

It's Finally Here - The Cenzic Website HealthCheck. FREE.

Request Yours Now!

https://www.sans.org/info/50589

***********************************************************************

THE REST OF THE WEEK'S NEWS

60 Minutes Report on US Cyber Security (November 7, 8 & 9, 2009)

A recent report on US television news program 60 Minutes looked at how effectively the US government is protecting its computer systems from attacks. Former Chief of US National Intelligence and retired Admiral Mike McConnell spoke candidly about the possibility that those wanting to attack the US could take down the country's electric power grid. Director of the Center for Strategic and International Studies Jim Lewis spoke of a computer security breach at the CENTCOM network in which intruders managed to gain access to a highly sensitive US military computer system and stay inside for days. The breach may have been made possible through planted, infected flash drives; the US military has since banned the use of the portable memory devices. The report also cited sources as saying that in 2005 and again in 2007, cyber attackers targeted cities in Brazil, knocking out power for hours. Brazilian officials maintain that the 2007 blackout was due to negligent maintenance of high voltage insulators.
-http://www.cbsnews.com/stories/2009/11/06/60minutes/main5555565.shtml
-http://www.news.com.au/story/0,27574,26317867-23109,00.html
-http://www.wired.com/threatlevel/2009/11/brazil_blackout/
-http://blogs.govinfosecurity.com/posts.php?postID=355
[Editor's Note (Pescatore): There was an awful lot of overhype in this episode, and not just about the Brazilian blackout. Not once did anyone mention that the vast majority of the incidents they mentioned were due to major lapses in vulnerability management, not evil geniuses devising unstoppable attacks. (Honan): This article in Wired Magazine has the Brazilian Government refuting the allegations that the blackouts were due to hackers.
-http://www.wired.com/threatlevel/2009/11/brazil_blackout/ ]

Top 10 Reasons Government Downplays Cyber Intrusions

In light of the 60 Minutes story on cyber attacks on the power grid, here is Ed Giorgio offering his top ten "reasons why cyber intrusions are ignored, denied, or not reported by government." As stupid as they seem once light is shone on them, and although government officials will generally deny them, they come into play far too often.

1. It is downright embarrassing to admit that you do not have very good cyber defenses and it will severely hurt your brand.

2. The targeted organization frequently has no solution to the problem as was the case when DHS "lied" to congress. In government and the military, you cannot report a problem you don't have a solution for.

3. The administration might be worried about international political fallout because it impacts other delicate issues with China, Russia, Israel, France, etc.

4. We don't want to open a can of worms and admit that we too have an offensive capability which we work hard to keep secret.

5. We fear the unwanted oversight and attention.

6. If we are forced to address the problem, it will make us reprogram resources from high priority mainstream mission programs which we are already behind on.

7. The bureaucracy doesn't want to be forced to hold somebody accountable and perhaps take adverse action.

8. Adding security may get in the way of mission operations and reduce our effectiveness (like not being allowed to use a thumb drive).

9. Recognizing the problem would expand the set of stakeholders who you have to work with to solve the problem. No bureaucrat wants that as it causes a loss of control.

10. We are skeptics and just plain don't believe it's a big problem and that's it. It has been blown out of proportion.

Attack on Alleged Syrian Nuclear Facility Aided by Compromised Laptop (November 2, 6 & 9, 2009)

News reports suggest that an Israeli airstrike against alleged Syrian nuclear facilities in 2007 was aided by information gathered from a compromised laptop computer. A story in German publication Der Spiegel says that a Syrian diplomat staying at a London hotel in late 2006 left his laptop unattended, allowing Mossad (Israeli intelligence agency) operatives the opportunity to install software. It is not clear if the software was used to monitor communications or to peruse information already stored on the laptop.
-http://www.securecomputing.net.au/News/160143,mossad-laptop-hack-behind-nuclear-strike-reports-suggest.aspx

-http://www.theregister.co.uk/2009/11/06/mossad_syria_trojan_hack/
-http://www.spiegel.de/international/world/0,1518,658663-2,00.html

Canadian Govt. Pays Compensation to Avoid Class-Action Lawsuit in Data Breach Case (November 7, 2009)

The Canadian government has paid CAD 751,750 (US $712,000) to approximately 4,100 people whose personal information was compromised when six computers were stolen from a Canada Revenue Agency (CRA) office. The settlement pre-empts a potential class action lawsuit. The breach affected as many as 120,000 individuals. The payments of CAD 150 (US $142) and CAD 200 (US $189) are to compensate people for the time they spent contacting credit agencies to put notices on their accounts that their information had been compromised. A 2008 audit of the CRA found inadequate security at offices in Quebec and Ontario.
-http://www.edmontonsun.com/news/canada/2009/11/07/11668041-sun.html
[Editor's Note (Ranum): This is how to improve government cybersecurity: make it hurt the bureaucrats and agencies responsible. ]

Apple Issues Snow Leopard Update (November 9, 2009)

Apple has released an update for Mac OS X 10.6, known as Snow Leopard, to address issues that affect "the stability, compatibility, and security" of users' computers. The Mac OS X v10.6.2 update fixes a number of security issues, including arbitrary code execution, cross-site scripting, denial-of-service and privilege elevation flaws, as well as bugs that cause unexpected application termination. Additionally, in some cases attempts to download unsafe content may not generate warnings, and brute force dictionary attacks against SSH login passwords may not be detected.
-http://blogs.zdnet.com/Apple/?p=5191&tag=content;col1
-http://blogs.zdnet.com/security/?p=4870&tag=content;col1
-http://news.cnet.com/8301-27080_3-10393728-245.html?part=rss&subj=news&tag=2547-1009_3-0-20

-http://support.apple.com/kb/HT3937
There is also a security update for Leopard (Mac OS X 10.5) available and support
-http://isc.sans.org/diary.html?storyid=7561
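Two items in this issue turn on the same weakness: ikee walks in through SSH logins still protected by the default password, and the 10.6.2 notes say dictionary attacks against SSH passwords may go undetected. The detector below is an example added here, not code from NewsBites, Apple or the ISC; it flags password guessing in OpenSSH syslog lines, where the log lines are constructed samples and the threshold, window and log year are assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd syslog lines (not real captures): one source guesses
# passwords until it gets in, another trickles failures, a third uses a key.
SAMPLE_LOG = """\
Nov  9 21:14:01 phone sshd[211]: Failed password for root from 192.0.2.10 port 50211 ssh2
Nov  9 21:14:02 phone sshd[212]: Failed password for root from 192.0.2.10 port 50212 ssh2
Nov  9 21:14:03 phone sshd[213]: Failed password for root from 192.0.2.10 port 50213 ssh2
Nov  9 21:14:03 phone sshd[214]: Failed password for mobile from 192.0.2.10 port 50214 ssh2
Nov  9 21:14:04 phone sshd[215]: Failed password for root from 192.0.2.10 port 50215 ssh2
Nov  9 21:14:05 phone sshd[216]: Accepted password for root from 192.0.2.10 port 50216 ssh2
Nov  9 21:20:00 phone sshd[240]: Failed password for root from 198.51.100.7 port 40001 ssh2
Nov  9 21:45:00 phone sshd[241]: Failed password for root from 198.51.100.7 port 40002 ssh2
Nov  9 21:46:00 phone sshd[242]: Accepted publickey for mobile from 203.0.113.5 port 3000 ssh2
"""

# OpenSSH's "Failed/Accepted <method> for [invalid user] <user> from <ip> port <n>" line.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

THRESHOLD = 4        # failures inside one window before flagging (assumed value)
WINDOW_SECONDS = 60  # sliding-window length (assumed value)
LOG_YEAR = 2009      # syslog timestamps carry no year; assumed for parsing


def parse(lines):
    """Yield (timestamp, result, method, user, ip) for each sshd auth line."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        yield ts, m["result"], m["method"], m["user"], m["ip"]


def detect(lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Return {ip: verdict}; verdict is 'guessing' or 'guessing-succeeded'.

    An address is flagged once `threshold` password failures fall inside a
    `window`-second span; a later accepted password login from it upgrades
    the verdict, since the guessing very likely worked.
    """
    recent = defaultdict(list)  # ip -> failure timestamps still in the window
    verdicts = {}
    for ts, result, method, _user, ip in parse(lines):
        if method != "password":
            continue  # key-based logins cannot be dictionary-guessed
        if result == "Failed":
            hits = recent[ip]
            hits.append(ts)
            while (ts - hits[0]).total_seconds() > window:  # age out old failures
                hits.pop(0)
            if len(hits) >= threshold:
                verdicts.setdefault(ip, "guessing")
        elif ip in verdicts:
            verdicts[ip] = "guessing-succeeded"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in detect(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {verdict}")
```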

RIM Issues Fix for BlackBerry Desktop Manager Code Execution Flaw (November 6, 2009)

Research in Motion (RIM) has released a fix to address a remote code execution flaw in its BlackBerry Desktop Manager. The vulnerability lies in a Lotus Notes DLL and affects versions 5.0 and earlier of the BlackBerry desktop software. The US Computer Emergency Readiness Team (US-CERT) is encouraging users to update their software. ISC:
-http://isc.sans.org/diary.html?storyid=7537
-http://www.scmagazineuk.com/security-patch-offered-by-rim-to-fix-vulnerability-in-the-blackberry-desktop-manager/article/157207/
-http://blogs.zdnet.com/security/?p=4854
-http://www.us-cert.gov/current/index.html#blackberry_desktop_manager_vulnerability
-http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB19701

Lawsuit Alleges iPhone Game Maker Harvests User Information Without Permission (November 6 & 9, 2009)

A lawsuit filed against Storm8, a maker of iPhone games, alleges that the games circumvent security protections on iPhones to harvest users' phone numbers. The lawsuit is seeking class action status; it alleges that Storm8's actions violate the Computer Fraud and Abuse Act and other laws. The issue is not new to Storm8. Earlier this year, an SFGate.com journalist detailed the information his iPhone was transmitting to Storm8 while playing the popular game Vampires Live, and several web sites have made similar allegations. As of Monday, some of Storm8's games appear to have been made unavailable to users in the US.
-http://www.theregister.co.uk/2009/11/06/iphone_games_storm8_lawsuit/
-http://www.pcworld.com/businesscenter/article/181745/lawsuit_claims_iphone_games_stole_phone_numbers.html
-http://www.sfgate.com/cgi-bin/blogs/ybenjamin/detail??blogid=150&entry_id=51077

Lawsuit text:
-http://www.boingboing.net/lawsuits/Complaint_Storm_8_Nov_04_2009.pdf

Norwegian ISP Does Not Have to Block Pirate Bay (November 6, 2009)

A Norwegian court has ruled that Internet service provider (ISP) Telenor does not have to block users' access to The Pirate Bay website. Telenor received a warning letter from entertainment industry trade group IFPI earlier this year, but declined to comply with requests to block the file-sharing site because it does not believe that ISPs should act as Internet content censors.
-http://www.computerworld.com/s/article/9140450/Norwegian_ISP_doesn_t_have_to_block_Pirate_Bay_says_court?source=rss_security
-http://www.dmwmedia.com/news/2009/11/06/norwegian-court:-isp-telenor-need-not-block-pirate-bay

Bord Gais Agrees to Security Improvements After Breach (November 5 & 6, 2009)

In the wake of an investigation into a data breach at Bord Gais, the Irish gas and electricity company has agreed to implement improved security measures. In June, four laptop computers were stolen from Bord Gais offices in Dublin. One of the computers, which was not encrypted, contained the personal information of nearly 94,000 Bord Gais customers. The compromised data include home addresses and account numbers. The investigation concluded that Bord Gais had breached several provisions of the Data Protection Act, including failing to deploy effective and appropriate security measures on the laptop and not limiting access to personal data on a "need to know" basis. Since the breach, Bord Gais has put encryption on all its laptops, has removed inactive users from its systems and has put the IT department in charge of user access controls. Employees will also receive data protection awareness training.
-http://www.irishtimes.com/newspaper/breaking/2009/1105/breaking2.htm
-http://www.siliconrepublic.com/news/article/14343/cio/bord-gais-implements-new-security-regime-after-major-data-breach
-http://www.bordgais.ie/corporate/index.jsp?1nID=93&2nID=95&nID=761&aID=1791

[Editor's Note (Honan): The actual report from the Data Protection Commissioners' office is available at
-http://www.bordgais.ie/files/corporate/news/20091104010903_DPC%20REPORT.pdf
and makes for interesting reading as it highlights a number of issues we commonly see in SANS NewsBites stories such as ineffective implementation of policies, poor segregation of duties, poor user access control and lack of encryption for sensitive information. ]

Number of Filesharing Sites Burgeoned While Pirate Bay Access Was in Question (November 2, 2009)

In the three months since The Pirate Bay website was ordered to shut down, the number of new filesharing websites increased 300 percent, according to a report from McAfee. Some of the sites appear to have been created to support the filesharing community following the order, while others have been created by criminals who want to trick people into downloading malware. The report says that "The Pirate Bay example shows how difficult it is to 'stop' data once it is on the web." The Pirate Bay has been jumping from ISP to ISP in an attempt to evade authorities; traffic to the site has been low.
-http://business.timesonline.co.uk/tol/business/industry_sectors/technology/article6900434.ece

-http://www.theregister.co.uk/2009/11/02/mcafee_security_report/


**********************************************************************

The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/