SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XI - Issue #96

December 08, 2009

TOP OF THE NEWS

Judge Signs Off on Filesharing Fine, But Rejects Request to Limit Speech
FTC Holds First of Three Privacy Workshops
Electronic Data Redaction Not Always Effective

THE REST OF THE WEEK'S NEWS

Facebook Establishes Safety Advisory Board
Microsoft to End Support for Windows XP SP2 and Windows Server 2000 and Client
Company Suing Bank Over Fraudulent Transfers
Phishers Bait Their Hooks for Webmasters
Adobe Issuing Security Updates and Investigating Reported Illustrator Flaw
Two Charged in Phony Cisco Equipment Scheme
ISC Issues Fix for Vulnerability in BIND 9 with DNSSEC Validation
Two Men Get Probation for Manipulating LA Traffic Signals
GIAC Certifications in Demand Among Employers


******************** Sponsored By Trend Micro, Inc. *******************

Trend Micro Ranked #1 in Real-World Independent Testing of Endpoint Malware Protection

Conventional anti-malware testing methods don't deliver optimal protection.

Get proven endpoint protection with OfficeScan.

https://www.sans.org/info/52049

*************************************************************************

TRAINING UPDATE

-- SANS CDI, Washington DC, December 11-18
24 courses, bonus evening presentations, including Future Trends in Network Security
https://www.sans.org/cyber-defense-initiative-2009
-- SANS Security East 2010, New Orleans, January 10-18, 2010
19 courses, bonus evening presentations: Top 7 Trends in Incident Response and Computer Forensics, Advanced Forensic Techniques and more
https://www.sans.org/security-east-2010/
-- SANS AppSec 2010, San Francisco, January 29-February 5, 2010
https://www.sans.org/appsec-2010/
-- SANS Phoenix, February 14-February 20, 2010
https://www.sans.org/phoenix-2010/
-- SANS 2010, Orlando, March 6-March 15, 2010
https://www.sans.org/sans-2010/
Looking for training in your own community?
https://sans.org/community/
Save on On-Demand training (30 full courses)
- See samples at https://www.sans.org/ondemand/
Plus Ottawa, Tokyo and Bangalore all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org

*************************************************************************

TOP OF THE NEWS

Judge Signs Off on Filesharing Fine, But Rejects Request to Limit Speech (December 7, 2009)

US District Judge Nancy Gertner has finalized a US $675,000 verdict against Boston University student Joel Tenenbaum for illegal filesharing. The lawsuit was brought by the Recording Industry Association of America (RIAA). Judge Gertner made clear in her decision that she feels that the "astronomical penalties" allowed music companies under current copyright law are out of line. She also noted that had Tenenbaum's defense team narrowed its fair use argument to Tenenbaum's own activity rather than "mount(ing) a broadside attack that would excuse all file sharing for private enjoyment," she would have been willing to consider the argument. Judge Gertner issued an injunction prohibiting Tenenbaum from further filesharing, but declined to grant the RIAA's request to prohibit him from encouraging filesharing, writing that "Although plaintiffs are entitled to statutory damages, they have no right to silence defendant's criticism of the statutory regime under which he is obligated to pay those damages."
-http://www.computerworld.com/s/article/9141914/Update_Judge_affirms_675K_verdict_in_RIAA_music_piracy_case?taxonomyId=146

-http://www.wired.com/threatlevel/2009/12/piracy-verdict-finalized/
-http://www.boston.com/news/local/breaking_news/2009/12/judge_wont_stop.html
-http://www.wired.com/images_blogs/threatlevel/2009/12/tenenbaumfinal.pdf

FTC Holds First of Three Privacy Workshops (December 7, 2009)

At a US Federal Trade Commission (FTC) workshop on privacy held on December 7, FTC Chairman Jon Leibowitz said that his agency will examine its enforcement of consumer privacy standards. In particular, the burgeoning industry growing up around online consumer information data has underscored the need to address online privacy concerns. Leibowitz noted that most consumers are unaware of what information is collected about them and with whom it is shared. The next FTC privacy forum is scheduled for January 28, 2010.
-http://www.computerworld.com/s/article/9141911/FTC_to_consider_stricter_online_privacy_rules?taxonomyId=17
-http://mediadecoder.blogs.nytimes.com/2009/12/07/at-ftc-conference-concerns-about-advertising-and-privacy/
-http://money.cnn.com/news/newsfeeds/articles/djf500/200912071829DOWJONESDJONLINE000372_FORTUNE5.htm

[Editor's Note (Northcutt): This should have happened years ago, but I applaud the FTC for taking on the topic. Apparently the Sears Kmart shopping club privacy debacle is the genesis for this.
-http://voices.washingtonpost.com/securityfix/2008/01/searss_privacy_promises_broken_1.html
If any readers in the UK have information about any actions taken as a result of BT recording users' surfing habits, I would love to hear from you (Stephen@sans.edu).
-http://blog.taragana.com/index.php/archive/bt-shelves-phorms-web-usage-monitoring-for-targeting-ads-to-personal-surfing-patterns/ ]

Electronic Data Redaction Not Always Effective (December 4 & 7, 2009)

The US Transportation Security Administration (TSA) redacted portions of a screening techniques document, but the blacked-out data could be viewed by cutting and pasting sections of the .pdf document. HSBC Bank is blaming an accidental data leak on a flaw in the imaging software it uses. HSBC Bank says it redacted information from bankruptcy proof-of-claim forms, but when they were viewed online, the redacted information was visible. The bank notified affected customers earlier this fall.
-http://www.theregister.co.uk/2009/12/07/tsa_redaction_fail/
-http://www.computerworld.com/s/article/9141834/HSBC_exposed_sensitive_bankruptcy_data?taxonomyId=17

[Editor's Note (Schultz): Mysteries (including security-related mysteries) in the world of software continue to occur. Lack of code inspection by security-competent developers continues to be the number one problem.

(Pescatore): This "redaction" stuff is sort of like hiding your wallet under your sneakers on your beach blanket when you go in the water at the beach. I think the problem is the use of the word "redaction" which really just means "editing." Maybe we should start to make redaction of sensitive data prohibited and require "deletion" or "elimination." ]
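Both incidents above share one failure mode: the sensitive text was still inside the file, with a black box drawn over it, so text extraction (or cut-and-paste) recovers it. As an added example that is not part of the newsletter or its cited sources, the following Python check builds a constructed one-page PDF containing a made-up sample value, either boxed over or actually removed, and scans the file's content streams for string literals that survive; the sample value, the `build_pdf`, `content_streams` and `redaction_leaks` functions and the PDF layout are all constructed for this illustration.

```python
import re
import zlib

# Constructed sample value for the demonstration; not taken from any real document.
SECRET = "SSN 123-45-6789"

def build_pdf(text, overlay_only):
    """Minimal one-page PDF (constructed). overlay_only=True mimics a failed
    redaction: the text stays in the content stream under a black rectangle;
    False removes the text itself, which is what real redaction must do."""
    draw_text = f"BT /F1 12 Tf 72 700 Td ({text}) Tj ET\n" if overlay_only else ""
    box = "0 g 70 695 120 16 re f\n"  # filled black rectangle over the text position
    stream = zlib.compress((draw_text + box).encode())  # producers usually Flate-compress
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R "
        b"/Resources << /Font << /F1 5 0 R >> >> >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(stream) + stream + b"\nendstream",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    ]
    out, offsets = b"%PDF-1.4\n", []
    for i, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % i + body + b"\nendobj\n"
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref)
    return out

# A stream object: its dictionary (one level of nesting allowed), then the 'stream' keyword.
STREAM_RE = re.compile(rb"(<<(?:[^<>]|<<[^<>]*>>)*>>)\s*stream\r?\n")

def content_streams(pdf):
    """Yield every stream body in the file, inflating FlateDecode streams."""
    for m in STREAM_RE.finditer(pdf):
        dict_src = m.group(1)
        length = re.search(rb"/Length\s+(\d+)", dict_src)
        if not length:  # indirect /Length references are out of scope for this check
            continue
        data = pdf[m.end(): m.end() + int(length.group(1))]
        if b"/FlateDecode" in dict_src:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                continue
        yield data

def redaction_leaks(pdf, terms):
    """Return the terms that survive as string literals in a content stream,
    i.e. what copy-and-paste recovers. Caveat: text split across Tj calls or
    fonts with custom encodings can evade this literal scan."""
    literals = []
    for data in content_streams(pdf):
        literals += re.findall(rb"\(((?:\\.|[^\\()])*)\)", data)
    visible = b" ".join(literals).decode("latin-1")
    return [t for t in terms if t in visible]
```

An empty result is necessary but not sufficient: a document that passes this scan should still be opened in a viewer and its text selected, since metadata, embedded images and annotations are outside what this check inspects.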


************************ Sponsored Links: ****************************

1) Webinar: Hardening Security Against Evasions, Dec. 16th, 3 pm EST. Security researchers share essentials for detecting evasions at high speeds.

https://www.sans.org/info/52054

2) Download the new Spring 2010 WhatWorks Poster White Paper from Top Layer: Using Network IPS to Protect Against Next-Generation Cyber Threats

https://www.sans.org/info/52059

***********************************************************************

THE REST OF THE WEEK'S NEWS

Facebook Establishes Safety Advisory Board (December 7, 2009)

Facebook has established the Facebook Safety Advisory Board to address cyberbullying, phishing and other Internet safety issues facing the social networking site's users. Among the board's first priorities is to rework the Facebook help site to provide more detailed information and sections tailored specifically for parents, teachers and teens. The board includes Common Sense Media, ConnectSafely, WiredSafety, Childnet International, and The Family Online Safety Institute.
-http://www.computerworld.com/s/article/9141888/Facebook_forms_board_to_improve_safety?taxonomyId=17
-http://www.net-security.org/secworld.php?id=8584
[Editor's Note (Pescatore): It is good to see a focus on safety, too often overlooked by those who write and sell software. However, Facebook's focus should be on making Facebook *safer,* not on producing more "information" that is really all about trying to transfer the blame to the users. Which is safer for children: a car with a special protective car seat for the child, or a car with a lot of warning labels about driving safely so the child doesn't go flying through the windshield in a crash? ]

Microsoft to End Support for Windows XP SP2 and Windows Server 2000 and Client (December 7, 2009)

Users running older versions of Windows have seven months to upgrade to newer versions before Microsoft cuts off support. As of July 13, 2010, Microsoft will no longer support Windows XP SP2, Windows 2000 Server and Windows 2000 Client. Users of those operating systems are urged to upgrade to Windows 7, Windows Server 2003 or Windows Server 2008. Microsoft is offering online resources to ease the transition, including a Windows XP to Windows 7 migration guide and a Windows 7 Automated Installation Kit. Microsoft will probably continue to issue important security updates for XP and 2000 after the official support period ends, but will no longer issue service packs or other non-critical updates.
-http://www.informationweek.com/news/windows/operatingsystems/showArticle.jhtml?articleID=222000858

Company Suing Bank Over Fraudulent Transfers (December 7, 2009)

Electronics testing company JM Test Systems is suing Capital One for alleged breach of contract and negligence for not preventing cyber thieves from transferring nearly US $100,000 out of the company's account. JM Test Systems maintains it alerted Capital One to the fraudulent transactions the same day they were happening and the bank failed to prevent the funds from being transferred. The company also alleges that the fraudulent transactions were conducted from IP addresses that the company had never used to conduct online banking. While individual customers often have 60 days to report fraudulent account activity, businesses are usually required to report the suspicious activity immediately if they are to have any hope of recovering the stolen funds.
-http://voices.washingtonpost.com/securityfix/2009/12/jmtest.html
[Editor's Note (Schultz): Count on cases such as this one becoming much more prevalent in the future. Downstream liability lawsuits and poor security practices go hand-in-hand. ]

Phishers Bait Their Hooks for Webmasters (December 5 & 7, 2009)

Phishers have begun turning their attention to webmasters in an attempt to infect more websites with malware. The fraudulent emails appear to come from web hosting services asking the webmasters to confirm their FTP details as a part of system maintenance. The attackers have targeted customers of more than 90 hosting providers, including GoDaddy, Yahoo! and 50Webs. People who fall for the scheme are shown a website that appears to be a page from cPanel; after they provide their login information, they are redirected to their host's login page.
-http://voices.washingtonpost.com/securityfix/2009/12/phishers_angling_for_web_site.html
-http://www.theregister.co.uk/2009/12/07/webmaster_phishing_campaign/

Adobe Issuing Security Updates and Investigating Reported Illustrator Flaw (December 4, 2009)

Adobe is investigating a reported buffer overflow vulnerability in its Illustrator drawing tool. Exploit code for the flaw has been released. Attackers would need to manipulate users into opening a maliciously crafted .eps file for the exploit to work. The flaw reportedly affects Illustrator CS3 13.0.0 and CS4 14.0.0; the exploit is effective on computers running fully patched versions of Windows XP. On Tuesday, December 8, Adobe plans to release security updates to address several critical flaws, including one for a flaw in Flash player 10.0.32.18.
-http://www.scmagazineus.com/adobe-plans-flash-update-investigates-illustrator-flaw/article/159093/
-http://www.h-online.com/security/news/item/Critical-vulnerability-in-Adobe-Illustrator-877170.html
-http://www.theregister.co.uk/2009/12/04/adobe_unpatched_vulns/

Two Charged in Phony Cisco Equipment Scheme (December 4, 2009)

Two men have been charged in connection with a scheme in which they allegedly passed off networking equipment purchased in China as Cisco products. Christopher Myers and Timothy Weatherly allegedly packaged the equipment in boxes with phony Cisco labels and included copies of Cisco manuals. They allegedly sold the equipment online. Both have been charged with conspiracy, trafficking in counterfeit goods, and trafficking in counterfeit labels. Myers is also accused of accessing a website to obtain Cisco serial numbers to attach to the products he and Weatherly sold.
-http://www.theregister.co.uk/2009/12/04/cisco_counterfeit_gear/
[Editor's Note (Pescatore): This is just standard piracy, where the old maxim "if the price seems too good to be true, it probably is" still holds. These days there is a good deal of concern (especially in government/military) about "supply chain integrity" - if you are buying hardware and software built in countries that may have government pressure on IT vendors to build in malicious capabilities, how do you verify that what you are buying (from a legitimate vendor) is not compromised? ]

ISC Issues Fix for Vulnerability in BIND 9 with DNSSEC Validation (December 3, 2009)

The Internet Systems Consortium (ISC) has issued a patch for a cache poisoning vulnerability in ISC BIND 9 with DNSSEC validation turned on. The flaw lies in the way BIND 9 handles recursive queries. The vulnerability has been given a severity rating of medium because it affects a relatively small percentage of users. However, for users who have DNSSEC validation turned on, the security risk is severe. Users are encouraged to upgrade to BIND 9.4.3-P4, 9.5.2-P1 or 9.6.1-P2. There are no fixes for BIND 9.0 through 9.3 as those versions are no longer supported.
-http://blogs.zdnet.com/security/?p=5051
-https://www.isc.org/node/504
[Editor's Note (Pescatore): Keeping DNS services secure and reliable is a lot of work. We're seeing healthy growth in hardened DNS products and services. ]

Two Men Get Probation for Manipulating LA Traffic Signals (December 1, 2009)

Two men who broke into the computer system that controls traffic signals in Los Angeles, California have been sentenced to two years' probation. Gabriel Murillo and Kartik Patel accessed the computers in 2006 during a labor strike and reprogrammed certain signals to create significant traffic backups at intersections. The men must also pay US $6,250 in restitution and perform 240 hours of community service.
-http://latimesblogs.latimes.com/lanow/2009/12/engineers-who-hacked-in-la-traffic-signal-computers-jamming-traffic-sentenced.html

[Editor's Comment (Northcutt): What a lame judge, what a great legal team Gabriel Murillo and Kartik Patel must have. Hacking traffic lights in a major city? That is right up there with disabling 911. And the news stories say they didn't cause any traffic accidents; I seriously doubt that is true, can you say LA cover up?
-http://cbs2.com/local/Traffic.Signals.Los.2.526583.html
-http://www.computerworld.com/s/article/9007751/Two_charged_with_hacking_LA_traffic_lights
-http://www.v3.co.uk/vnunet/news/2230263/los-angeles-engineers-pled ]

GIAC Certifications in Demand Among Employers (September 28, 2009)

Foote Partners' 2009 IT Skills Trends Report published earlier this year lists the IT certifications most valued by employers in the IT security industry. Three of the top 10 positions, including the top spot, are held by Global Information Assurance Certification (GIAC) certifications. GIAC Certified Incident Handler ranks first on the list, with GIAC Certified Forensic Analyst (GCFA) and GIAC Certified Intrusion Analyst at numbers seven and eight, respectively. Managers like the fact that GIAC certified professionals are not focused on one specific product, but instead understand overarching concepts and how to apply them.
-http://www.govinfosecurity.com/articles.php?art_id=1807&opg=1


**********************************************************************

The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/