SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XI - Issue #91

November 17, 2009

Interesting story in the Washington Post this morning by Lolita Baldor of the Associate Press on an FBI announcement that attackers are now targeting law firms with the same advanced techniques they are using against government and defense contractors.

http://www.washingtonpost.com/wp-dyn/content/article/2009/11/17/AR2009111701074.
html

An almost identical announcement was made in a private letter to the heads of the 300 largest companies in the United Kingdom, from the head of MI5. The UK announcement was made two years ago.

Alan

---

TOP OF THE NEWS

GAO Report Finds Network Security Problems at Los Alamos
Most Security Products Require Multiple Testing Cycles for Certification

THE REST OF THE WEEK'S NEWS

Yahoo! Closes SQL Injection Hole in HotJobs
Connecticut AG Investigating Data Breach That Compromised Doctors' Information
Four Men Jailed for Using Trojan to Steal Funds From Bank Accounts
Microsoft Security Advisory Acknowledges Zero-Day Windows 7 Vulnerability
Israeli Police Arrest Alleged Phisher
Flash Flaw Could be Exploited to Upload Malicious Code to Websites
Spammers Offer Verizon Customers Malware-Laden Account Balance Checker
Phishing eMail Purports to Come From NACHA
Class Action Settlement Approved in Data Breach Case

---

************** Sponsored By Lightwave Communications Inc. ***************

SecureAware: The Hottest Automated Compliance Solution of 2009!

SecureAware(R) is a Governance, Risk and Compliance system that can automate the management, delivery, and tracking of your annual security policies. SecureAware is the only solution platform which can be deployed rapidly, cost effectively and with minimal end user and administrator training. Effectively manage security and compliance risks in a matter of hours, not weeks.

https://www.sans.org/info/50808

*************************************************************************

TRAINING UPDATE

-- SANS London, UK, November 28-December 6
16 courses, bonus evening sessions: Hex Factor, Forensics Mini Summit and more
https://sans.org/london09/
-- SANS CDI, Washington DC, December 11-18
24 courses, bonus evening presentations, including Future Trends in Network Security
https://www.sans.org/cyber-defense-initiative-2009
-- SANS Security East 2010, New Orleans, January 10-18, 2010
19 courses, bonus evening presentations: Top 7 Trends in Incident Response and Computer Forensics, Advanced Forensic Techniques and more
https://www.sans.org/security-east-2010/
-- SANS AppSec 2010, San Francisco, January 29-February 5, 2010
https://www.sans.org/appsec-2010/
-- SANS Phoenix, February 14 -February 20, 2010
https://www.sans.org/phoenix-2010/
-- SANS 2010, Orlando, March 6 - March 15, 2010
https://www.sans.org/sans-2010/
Looking for training in your own community?
https://sans.org/community/
Save on On-Demand training (30 full courses)
- See samples at https://www.sans.org/ondemand
Plus New Delhi, Geneva and Tokyo all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*************************************************************************

---

TOP OF THE NEWS

GAO Report Finds Network Security Problems at Los Alamos (November 13 & 16, 2009)

A report from the Government Accountability Office (GAO) describes various computer network vulnerabilities at Los Alamos National Laboratory (LANL). The weaknesses include failing to identify and authenticate users, failing to encrypt classified information, failing to monitor security policy compliance and allowing users access to data beyond the scope of their duties. The report also made note of LANL's "decentralized approach to information security program management (which) has led to inconsistent implementation of policy." LANL has spent US $45 million on security for its classified computer network between 2001 and 2008.
-http://www.nextgov.com/nextgov/ng_20091116_2938.php?oref=topnews
-http://www.govinfosecurity.com/articles.php?art_id=1937
-http://www.gao.gov/new.items/d1028.pdf
[Editor's Note (Pescatore): The report's central finding really is that the decentralized approach to cybersecurity wasn't matched with enough strong central authority to assure consistency. This is a common problem in federal research labs and academic environments - and many commercial companies. Federation means pushing most responsibility and authority to the local level, but still having central authority to establish and enforce common requirements. ]

Most Security Products Require Multiple Testing Cycles for Certification (November 16, 2009)

A study from ISCA Labs, based on data from 20 years of security product testing, listed the top reasons products fail their initial certification testing. Seventy-eight percent of products do not perform the primary function for which they are designed; 58 percent have faulty or missing logging capabilities; and 44 percent have security problems themselves. Most products require two to four cycles of testing before attaining certification.
-http://www.csoonline.com/article/507825/Most_Security_Products_Fail_First_Certif
ication_Tests
-http://www.icsalabs.com/sites/default/files/WP14117.20Yrs-ICSA%20Labs.pdf

---

************************ Sponsored Links: ****************************

1) DON'T MISS the Upcoming Webcast: A Day In The Life Of A Configuration Compliance Exception

Sponsored by: BigFix

https://www.sans.org/info/50813

2) Free SANS Audio Cast: Why is Application Security so Hot? Why Smart Organizations are Focusing Security Efforts Here Featuring Jack Danahy, Security Executive, Office of the CTO at IBM.

https://www.sans.org/info/50818

***********************************************************************

---

THE REST OF THE WEEK'S NEWS

Yahoo! Closes SQL Injection Hole in HotJobs (November 16 & 17, 2009)

An SQL injection vulnerability on the jobs section of the Yahoo! website, HotJobs, could be exploited to gain access to personal information. Yahoo! addressed the issue within hours of being alerted to the vulnerability, which is known as a Blind SQLi problem. The flaw was detected after hacking forum members were found to be discussing ways to exploit it.
-http://www.securecomputing.net.au/News/160704,flaw-detected-on-yahoo-website.asp
x
-http://www.computerweekly.com/Articles/2009/11/16/239005/yahoo-blocks-job-site-v
ulnerability-after-hackers-take.htm
-http://www.v3.co.uk/v3/news/2253197/yahoo-site-flaw-uncovered
-http://www.eweekeurope.co.uk/news/yahoo--defends-jobs-site-against-sql-injection
s-2464
-http://news.techworld.com/security/3206438/yahoo-jobs-site-in-sql-attack-worry/?
intcmp=nws-hm-l
[Editor's Note (Pescatore): A site that is going to store information as sensitive as what most job sites store should be avoiding well known vulnerabilities vs. quickly removing them after other people notice them. ]

Connecticut AG Investigating Data Breach That Compromised Doctors' Information (November 10 & 16 2009)

Connecticut Attorney General Richard Blumenthal has launched an investigation into the Blue Cross Blue Shield data breach. In August, a laptop computer containing personally identifiable information of 800,000 healthcare providers was stolen in Chicago. The affected individuals include at least 18,000 healthcare workers from Connecticut. Blumenthal said that Blue Cross Blue Shield and its affiliates "may have violated state law by losing the information and failing to notify providers in a timely fashion." He says the offer of one year of credit monitoring is "inadequate and unacceptable." The compromised information includes names, tax identification numbers and Social Security numbers (SSNs).
-http://www.informationweek.com/news/healthcare/security-privacy/showArticle.jhtm
l?articleID=221601331
-http://www.ihealthbeat.org/articles/2009/11/10/connecticut-attorney-general-inve
stigating-bcbs-data-breach.aspx

Four Men Jailed for Using Trojan to Steal Funds From Bank Accounts (November 13 & 16, 2009)

A court in the United Kingdom has sentenced four men to prison for using malware to steal nearly GBP 600,000 (US $1 million) from bank accounts. The men used the PEP2-BBB Trojan horse program to monitor users' browser activity and steal financial account information. The fraud affected at least 138 bank customers. The men received sentences of up to four-and-a-half years.
-http://www.theregister.co.uk/2009/11/16/bank_trojan_gang_sentenced/
-http://www.google.com/hostednews/ukpress/article/ALeqM5hOOyBQxdsqcFLDeKCmoxiTMSH
4CA

Microsoft Security Advisory Acknowledges Zero-Day Windows 7 Vulnerability (November 13, 14 & 16, 2009)

Microsoft has issued a security advisory acknowledging a zero-day vulnerability in Windows 7. The denial-of-service flaw was disclosed by a researcher last week. Proof-of-concept exploit code for the Server Message Block (SMB) flaw has been published on a blog. The code could be used to render vulnerable systems unreliable or even cause them to stop functioning. However, Microsoft maintains that the flaw could not be exploited to take control of computers or install malware on computers. Users are advised to block Transmission Control Protocol (TCP) ports 139 and 445 to protect their computers until the fix is ready. The flaw also affects Windows Server 2008 R2.
-http://www.microsoft.com/technet/security/advisory/977544.mspx
-http://www.h-online.com/security/news/item/Microsoft-investigates-vulnerability-
in-Windows-7-and-Server-2008-R2-860137.html
ISC:
-http://isc.sans.org/diary.html?storyid=7597
-http://news.cnet.com/8301-27080_3-10397759-245.html?part=rss&subj=news&t
ag=2547-1009_3-0-20
-http://www.computerworld.com/s/article/9140858/Microsoft_confirms_first_Windows_
7_zero_day_bug?source=rss_security
-http://www.washingtonpost.com/wp-dyn/content/article/2009/11/16/AR2009111602221.
html

Israeli Police Arrest Alleged Phisher (November 15, 2009)

Israeli police and the Israeli Defense Fund arrested a man suspected of launching a phishing attack on customers of Bank Leumi. The suspect allegedly sent fraudulent emails to bank customers that appeared to come from the bank and provided a link to a site that looked just like that of Bank Leumi, but which had a different address. If users visited the fraudulent site, they were asked to supply their account usernames and passwords. The suspect also allegedly created a phony Bank of Israel website.
-http://www.jpost.com/servlet/Satellite?cid=1258027294925&pagename=JPost%2FJP
Article%2FShowFull
-http://smart-grid.tmcnet.com/news/2009/11/15/4481851.htm

Flash Flaw Could be Exploited to Upload Malicious Code to Websites (November 12, 13 & 16, 2009)

A vulnerability in Adobe Flash can be exploited to upload malicious code to websites. The flaw could also affect other active content, such as JavaScript. Adobe says the flaw is "unpatchable" and that the problem lies in widely used web design practices that are not secure. Adobe director for product security and privacy Brad Arkin noted that "Sites should not allow user uploads to a trusted domain."
-http://www.theregister.co.uk/2009/11/13/adobe_flash_wallop/
-http://www.scmagazineus.com/researcher-finds-frighteningly-bad-adobe-flash-flaw/
article/157734/
-http://www.v3.co.uk/v3/news/2253145/researchers-warn-flash-issue
-http://www.computerworld.com/s/article/9140768/Flash_flaw_puts_most_sites_users_
at_risk_say_researchers
ISC:
-http://isc.sans.org/diary.html?storyid=7585
[Editor's Note (Schultz): Who is this Brad Arkin kidding? Saying that "Sites should not allow user uploads to a trusted domain" is completely unrealistic. ]

Spammers Offer Verizon Customers Malware-Laden Account Balance Checker (November 13, 2009)

Spammers have targeted Verizon customers by sending messages claiming to offer an account balance checker, but which really tricks users into allowing a Trojan horse program to be installed on their PCs. The email messages tell the recipients that their accounts are over the limit. If users open the malware, their computers are not only infected with the Trojan, but can be infected with additional malware through the Zbot botnet.
-http://www.computerworld.com/s/article/9140842/Fake_Verizon_balance_checker_is_a
_Trojan?source=rss_security
[Editor's Note (Northcutt): This is actually a bright spot in security. Since the Storm worm, the attacker community is relying more and more on social engineering. They will win sometimes, but with tools like Secunia, NoScript, and the whitelist endpoint tools I think the defensive side is making a bit of progress.
-http://secunia.com/vulnerability_scanning/
-http://noscript.net/
-http://www.bit9.com/
-http://www.coretrace.com/
-http://www.savantprotection.com/]

Phishing eMail Purports to Come From NACHA (November 12 & 13, 2009)

Phishers are preying on organizations that use National Automated Clearing House Association, which runs the Automatic Clearing House network that allows its users to conduct electronic financial transfers. The messages tell recipients that a recent transaction has failed and asks them to click on a link to address the problem. If users do as the message requests, their computers will become infected with a Trojan horse program capable of stealing login credentials. Businesses have lost hundreds of thousands of dollars to ACH fraud over the last year. Most of the stolen money is never recovered.
-http://voices.washingtonpost.com/securityfix/2009/11/in_the_past_few_weeks.html
-http://www.v3.co.uk/v3/news/2253149/phishing-attack-goes-nacha
-http://www.computerworld.com/s/article/9140815/Spam_campaign_targets_payment_tra
nsfer_system

Class Action Settlement Approved in Data Breach Case (November 12, 2009)

A judge has approved a class action lawsuit settlement in a case involving a data security breach at financial services firm D. A. Davidson & Co. The settlement makes approximately US $1 million available to reimburse affected individuals for losses incurred as a result of identity fraud related to the breach. The settlement allows class members to file claims until June 2011. The attackers broke into a D. A. Davidson customer database in December 2007. Three people have been arrested in connection with the breach.
-http://billingsgazette.com/news/local/crime-and-courts/article_6341f994-d00d-11d
e-bfda-001cc4c03286.html

---

**********************************************************************

The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/