SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XI - Issue #95

December 04, 2009

For readers doing business in India or who have staff or contractors there? The Indian computer industry and government have awakened to the idea that security matters and that security skills are the key to more secure software development and to safety of sensitive information (and keeping outsourcing contracts). To let your connections there know about the new national security training initiative, have them email

SMustapha@sans.org.

Alan

---

TOP OF THE NEWS

Sequoia Releases eVoting System Source Code
Number of Records Compromised in Breaches of Government and Military Systems Soars
EFF Suing Gov. Agencies for Information on Social Networking Site Surveillance

THE REST OF THE WEEK'S NEWS

Microsoft December Security Update Will Address Zero-Day IE Flaw
DHS Finishes Draft of National Cyber Attack Response Plan
UK Police Take Down 1,200 Shady Websites
Judge Throws Out Class Action Lawsuit
Research in Motion Patches Flaws in BlackBerry PDF Distiller
Microsoft Patches Not Responsible for Black Screen; Security Firm Apologizes
Northrup Grumman to Fund Cyber Security Solutions Research
US-CERT Warns of Vulnerability in Clientless SSL VPN Products
Virgin to Pilot Deep Packet Inspection Anti-Piracy Effort

---

****************** Sponsored By Top Layer Networks **********************

Download the new Spring 2010 WhatWorks Poster White Paper from Top Layer

- - Using Network IPS to Protect Against Next-Generation Cyber Threats

https://portal.sans.org/tools.php

View the new Spring 2010 Poster - Top 35 Secure Development Techniques at

https://www.sans.org/info/51683

*************************************************************************

TRAINING UPDATE

- -- SANS CDI, Washington DC, December 11-18
24 courses, bonus evening presentations, including Future Trends in Network Security
https://www.sans.org/cyber-defense-initiative-2009
- -- SANS Security East 2010, New Orleans, January 10-18, 2010
19 courses, bonus evening presentations: Top 7 Trends in Incident Response and Computer Forensics, Advanced Forensic Techniques and more
https://www.sans.org/security-east-2010/
- -- SANS AppSec 2010, San Francisco, January 29-February 5, 2010
https://www.sans.org/appsec-2010/
- -- SANS Phoenix, February 14 - February 20, 2010
https://www.sans.org/phoenix-2010/
- -- SANS 2010, Orlando, March 6 - March 15, 2010
https://www.sans.org/sans-2010/
Looking for training in your own community?
https://sans.org/community/
Save on On-Demand training (30 full courses)
- See samples at https://www.sans.org/ondemand
Plus Ottawa, Tokyo and Bangalore all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*************************************************************************

---

TOP OF THE NEWS

Sequoia Releases eVoting System Source Code (December 2, 2009)

Sequoia Voting Systems has published the source code for its Frontier end-to-end electronic voting system, making it the first electronic voting machine maker to do so. The company plans to release code for all of its system software before June 2010. Electronic voting machine makers have previously insisted that publishing their source code would violate their proprietary rights and make it easier to manipulate election results. Sequoia announced its plan to release the code earlier this year.
-http://www.theregister.co.uk/2009/12/02/sequoia_source_code_disclosure/
-http://www.wired.com/threatlevel/2009/10/sequoia/
[Editor's Note (Pescatore): This is just a baby step forward, as only very limited parts of the code have been released under an overly restrictive license. However, maybe this will pressure the other voting machine software companies to start taking bigger steps. Such open review should be an evaluation criteria for any competitive procurement of electronic voting systems. ]

Number of Records Compromised in Breaches of Government and Military Systems Soars (December 2, 2009)

Although the number of reported data security breaches of US military and government systems has dropped over the last year, the number of records compromised by those breaches has climbed, according to statistics from the Identity Theft Resource Center. During 2008, US government and military organizations reported 110 breaches; so far this year, 82 breaches have been reported. However, the breaches this year have compromised more than 70 million records, while last year's breaches compromised a total of fewer than 3 million.
-http://www.govtech.com/gt/articles/734214

EFF Suing Gov. Agencies for Information on Social Networking Site Surveillance (December 1, 2 & 3, 2009)

The Electronic Frontier Foundation (EFF) and the University of California, Berkeley's Samuelson Law, Technology, and Public Policy Clinic are suing six US government agencies that failed to respond to Freedom of Information Act (FOIA) requests regarding their use of social networking sites in their investigations and surveillance. Law enforcement agencies are reportedly using phony profiles to trick users into allowing them to be online friends and then using evidence gathered from the profiles in cases against them. The FOIA requested records "about federal guidelines on the use of social-networking websites ... for investigative ... or data gathering purposes created since January 2003."
-http://news.cnet.com/8301-27080_3-10407224-245.html
-http://www.theregister.co.uk/2009/12/03/eff_social_networking_foia/
-http://www.informationweek.com/news/government/policy/showArticle.jhtml?articleI
D=222000383
-http://www.computerworld.com/s/article/9141703/Lawsuit_seeks_information_on_fede
ral_surveillance_of_social_networking_sites?source=rss_news
-http://www.eff.org/files/filenode/social_network/social_networking_FOIA_complain
t_final.pdf
[Editor's Note (Pescatore): When you use free consumer-grade services like web mail and social networks and the like, you have sold your privacy away. People putting evidence of illegal behavior or making threatening statements on social networks is no different than if that use skywriting. Wow, does anyone actually remember skywriting?? OK, it is the same as putting it one of the electronic signs on blimps over football games. ]

---

************************ Sponsored Links: ****************************

1) Be sure to register for the upcoming webcast: Data Leakage Prevention: Laying the Groundwork

https://www.sans.org/info/51688

***********************************************************************

---

THE REST OF THE WEEK'S NEWS

Microsoft December Security Update Will Address Zero-Day IE Flaw (December 3 & 4, 2009)

Microsoft plans to issue six security bulletins to address a dozen security flaws on Tuesday, December 8. Among the issues to be addressed in the updates is a critical vulnerability in Internet Explorer (IE) for which exploit code has been published. The bulletins address vulnerabilities in Windows, IE, and Microsoft Office. Three of the six bulletins are rated critical
-http://www.computerworld.com/s/article/9141759/Microsoft_to_patch_IE_zero_day_bu
g_next_week?source=rss_security
-http://news.cnet.com/8301-27080_3-10408898-245.html?part=rss&subj=news&t
ag=2547-1009_3-0-20
-http://www.securecomputing.net.au/News/162044,microsoft-slates-six-fixes-for-dec
ades-final-patch-tuesday.aspx
-http://www.microsoft.com/technet/security/bulletin/ms09-dec.mspx

DHS Finishes Draft of National Cyber Attack Response Plan (December 3, 2009)

The US Department of Homeland Security (DHS) has completed, in cooperation with other government agencies, a draft national cyber attack response plan. The document establishes the roles and responsibilities of the public and private sectors in the event of such an attack. DHS is accepting public comment on the draft; the final plan is slated to be tested during Cyber Storm III, a cyber security drill, in September 2010. DHS plans to release certain details of the plan, but most will remain confidential.
-http://www.nextgov.com/nextgov/ng_20091203_2020.php?oref=topnews

UK Police Take Down 1,200 Shady Websites (December 3, 2009)

UK police have taken down more than 1,200 websites that had been selling counterfeit designer items and deep discounts. The sites claimed to be offering designer products, but customers received either shoddy "knock-offs" or nothing at all. Despite having UK domain names, most of the websites had been registered from Asia with phony information, making it difficult or impossible for dissatisfied customers to complain.
-http://www.theregister.co.uk/2009/12/03/fake_designer_kit_website_takedown/
[Editor's Note (Honan): It is important to note that the sites are not actually taken down but merely have been delisted by the UK domain registrar. The sites are still active and will no doubt be back online soon. ]

Judge Throws Out Class Action Lawsuit (December 3, 2009)

A US federal court judge has thrown out a class-action lawsuit against pharmacy benefits company Express Scripts regarding a 2008 data security breach. The man who brought the original case, John Amburgy, alleged negligence on the part of Express Scripts for failing to adequately protect consumer data. Amburgy argued that the breach put him at risk for identity theft and was thus entitled to compensation. Magistrate Judge Frederick Buckles wrote, "Abstract injury is not enough to demonstrate injury-infact. The injury or threat of injury must be concrete and particularized, actual and imminent, not conjectural or hypothetical."
-http://www.theregister.co.uk/2009/12/03/data_breach_plaintiff_loses/
-http://www.computerworld.com/s/article/9141772/No_harm_no_foul_says_judge_in_Exp
ress_Script_data_breach_case

Research in Motion Patches Flaws in BlackBerry PDF Distiller (December 2, 2009)

Research in Motion has issued security updates to address critical security flaws its BlackBerry Enterprise server. The problem lies in the PDF distiller. The vulnerabilities can be exploited through maliciously crafted PDFs attached to messages. The flaws affect BlackBerry Enterprise Server 5.0.0, 4.1.3 through 4.1.7 and Blackberry Professional Software 4.1 Service Pack 4.
-http://www.theregister.co.uk/2009/12/02/blackberry_pdf_security_patch/
-http://www.h-online.com/security/news/item/RIM-closes-critical-hole-in-BlackBerr
y-Enterprise-Server-874675.html
-http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&extern
alId=KB19860

Microsoft Patches Not Responsible for Black Screen; Security Firm Apologizes (December 2, 2009)

Microsoft says it has found no evidence that patches announced in its November security bulletins are causing some users' computers to display what has been dubbed the "black screen of death." Last month, security firm Prevx disclosed the problem that some users claimed to be experiencing after downloading and installing the November security updates. Prevx has now withdrawn its claims that the black screen was caused by the updates. Instead, the changes to the windows Registry that are believed to be the cause of the black screen are likely to have been the work of malware. Prevx has apologized to Microsoft. Great summary at Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=7672
-http://news.zdnet.co.uk/security/0,1000000189,39918714,00.htm
-http://www.theregister.co.uk/2009/12/02/black_screen_u_turn/
-http://www.h-online.com/security/news/item/Microsoft-updates-not-responsible-for
-Black-Screen-of-Death-874841.html
-http://www.computerworld.com/s/article/9141670/Security_firm_retracts_black_scre
en_claims_apologizes_to_Microsoft?source=rss_security
-http://www.computerworld.com/s/article/9141637/Microsoft_denies_blame_for_black_
screens_of_death_?taxonomyId=17
-http://news.bbc.co.uk/2/hi/technology/8388253.stm
-http://news.cnet.com/8301-13860_3-10407090-56.html?part=rss&subj=news&ta
g=2547-1009_3-0-20

Northrup Grumman to Fund Cyber Security Solutions Research (December 1 & 2, 2009)

Northrop Grumman and three universities plan to form a cyber security research consortium to address emergent cyber security issues. Northrop Grumman will fund 10 research projects at The Massachusetts Institute of Technology (MIT), Carnegie Mellon University, and Purdue University. Eugene Spafford, executive director of Purdue's Center for Education and Research in Information assurance and security, said the consortium is "not trying to build a solution to existing problems, (but is) looking ahead to the future for a change, instead of being reactive."
-http://gcn.com/Articles/2009/12/02/northrop-cybersecurity-research-consortium.as
px
-http://www.reuters.com/article/technologyNews/idUSTRE5B046Z20091201
-http://www.securityfocus.com/brief/1043
[Editor's Note (Northcutt): If they can make progress on the attribution problem, that would be awesome. Short of a global change to IPv6, I just do not see how we have a chance of making progress on knowing the true origin of packets, but who knows what the researchers will be able to come up with. ]

US-CERT Warns of Vulnerability in Clientless SSL VPN Products (November 30, December 1 & 3, 2009)

The US Computer Emergency Readiness Team (US-CERT) has issued an advisory warning of a vulnerability that affects a number of clientless SSL virtual private network (VPN) products. The vulnerability could be exploited to circumvent authentication procedures or launch other attacks. The advisory says there is no known way to fix the flaw, but does suggest several workarounds, including limiting URL-rewriting to trusted domains, limiting VPN server connections to trusted domains, and disabling URL-hiding features. The vulnerability affects SSL VPN products from Cisco, Juniper, SonicWall, and SafeNet.
-http://www.darkreading.com/vulnerability_management/security/client/showArticle.
jhtml?articleID=222000105&subSection=End+user/client+security
-http://www.scmagazineus.com/clientless-ssl-vpn-products-vulnerable-says-us-cert/
article/159037/
-http://www.itpro.co.uk/618415/us-government-says-virtual-private-networks-vulner
able
-http://www.theregister.co.uk/2009/11/30/vpn_authentication_weakness/
-http://www.kb.cert.org/vuls/id/261869

Virgin to Pilot Deep Packet Inspection Anti-Piracy Effort (November 26, 2009)

Virgin Media says it will start monitoring customers' data packets without their consent in an effort to determine how much illegal filesharing traffic is traveling over its network. Virgin Media will use deep packet inspection technology that anonymizes the data. Prior to scanning the packets, the technology strips the IP address information. Each packet is scanned to see if it follows the BitTorrent, Gnutella or eDonkey filesharing protocols, and if so, it is opened to see if the content is licensed. Data that are encrypted would not be able to be examined.
-http://news.zdnet.co.uk/security/0,1000000189,39906062,00.htm

---

**********************************************************************

The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/