SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XII - Issue #100
December 21, 2010
TOP OF THE NEWS
FCC Has Votes to Pass Net Neutrality Rules
Congress Waters Down Cyber Security Provisions in Defense Authorization Bill
THE REST OF THE WEEK'S NEWS
Researchers Create Botnet to Study
Microsoft Retires Office Genuine Advantage
Gawker Acknowledges Falling Down on Security, Plans to Do Better
Data on NYC Tourism Site Compromised Through SQL Injection Attack
Bank of America Stops Processing WikiLeaks Transactions
Thornberry to Coordinate House Cyber Security Legislation
Google Enhances Warnings for Suspicious Search Results
Google Misses Connecticut AG Data Submission Deadline
Tech Executives Allegedly Sold Inside Information
************************ Sponsored By ArcSight, Inc. *******************
Special Holiday Offer-- Download ArcSight Logger for FREE (a $49 USD value)! Finally, a world-class log management solution at an even better price-free! Download using promo code: Free_Logger_4_SANS. Free downloads are limited, so act fast and secure your free ArcSight Logger TODAY! Happy holidays and happy logging from ArcSight, an HP Company.
http://www.sans.org/info/68233
*************************************************************************
TRAINING UPDATE
New "Combating Malware in the Enterprise" course at SANS (SEC569). How do you fight off malware when you have thousands of hosts? Learn the answers in Orlando in March:
http://www.sans.org/security-training/combating-malware-enterprise-1482-mid
- -- SANS Security East 2011, New Orleans, LA, January 20-27, 2011 12 courses. Bonus evening presentations and special events include Happy Little Clouds: Governing, Assessing and Auditing Cloud Environments; and Future Trends in Network Security
http://www.sans.org/security-east-2011/
- -- North American SCADA 2011, Lake Buena Vista, FL, February 23-March 2, 2011
http://www.sans.org/north-american-scada-2011/
- -- SANS Phoenix 2011, Phoenix, AZ, February 25-March 2, 2011 6 courses. Bonus evening presentations and special events include Indicators of Compromise: ABCs of IOCs and Network Vulnerability Exploitation, Step By Step From Discovery through to Metasploit Module
http://www.sans.org/phoenix-2011/
- -- SANS AppSec 2011: Summit & Training, San Francisco, CA, March 7-14, 2011 7 courses. Bonus evening presentations and special events include The Road to Sustainable Security
http://www.sans.org/appsec-2011/
- -- SANS 2011, Orlando, FL, March 27-April 4, 2011 39 courses. Bonus evening presentations and special events include Hiding in Plain Sight: Forensic Techniques to Counter the Advanced Persistent Threat; and Law and the Public's Perception of Data Security
http://www.sans.org/sans-2011/
- -- Looking for training in your own community?
http://sans.org/community/
Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/discounts.php#current
Plus Atlanta, Bangalore, Singapore and Barcelona all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
****************************************************************************
TOP OF THE NEWS
FCC Has Votes to Pass Net Neutrality Rules (December 20, 2010)
The US Federal Communications Commission (FCC) is expected to pass net neutrality regulations on Tuesday, December 21. Internet service providers (ISPs) would be prohibited from blocking or favoring traffic to or from particular websites on Internet lines to homes. While not prohibiting ISPs from charging websites for enhanced speed of delivery, the rules would discourage the practice. Rules for wireless networks would be somewhat less restrictive. Broadband providers would also be required to disclose their network management practices to customers. Net neutrality proponents have criticized FCC chairman Julius Genachowski's proposal for being too weak.
-http://mediadecoder.blogs.nytimes.com/2010/12/20/f-c-c-poised-to-pass-net-neutrality-order/
-http://voices.washingtonpost.com/posttech/2010/12/fcc_copps_to_vote_in_favor_of.html
-http://www.computerworld.com/s/article/9201818/Net_neutrality_plan_has_the_votes_at_FCC?taxonomyId=16
Congress Waters Down Cyber Security Provisions in Defense Authorization Bill (December 17, 2010)
The pared-down version of the 2011 National Defense Authorization Act that cleared the US House of Representatives last week includes some language that addresses cyber security concerns for military systems, though not nearly the scope for which supporters had hoped. The bill would establish a group of IT acquisition officials to focus on IT procurement. The DOD would define the number of people necessary for the team and the certification they must have to serve on the team. A provision in earlier drafts of the bill would have allowed DOD officials to exclude companies from procurement bids if they had been determined to pose a cyber security threat in the supply chain. The provision has been watered down so that DOD would have to tell the company about the risks their products and services pose and work with the companies to mitigate those threats. Companies could be excluded from contract bidding only after a decision by senior DOD officials who would inform Congress of the decision. The bill must now pass the Senate.
-http://washingtontechnology.com/Articles/2010/12/17/House-passes-defense-authorization-act-for-2011.aspx?Page=1
-http://fcw.com/articles/2010/12/17/federal-cybersecurity-removed-from-defense-authorization.aspx?admgarea=TC_SECCYBERSEC
-http://www.govinfosecurity.com/articles.php?art_id=3184
***********************************************************************
Christmas in May: Take the SANS 2011 Annual Log Management Survey
Take the 7th Annual Log Management Survey and be entered to win a $250 American Express Gift card. This comprehensive survey has become a leading indicator of how well log management and automation helps organizations with their security and compliance needs. To take our survey, follow this link: http://www.sans.org/info/68238
The results will be released in early May during a short series of live webcasts with Jerry Shenk and Dave Shackleford.
***********************************************************************
THE REST OF THE WEEK'S NEWS
Researchers Create Botnet to Study (December 20, 2010)
Canadian researchers have published the results of a study they conducted in which they created a botnet to see how it worked. The simulation involved researchers from Ecole Polytechnique de Montreal with help from others at Nancy University in France and Carleton University in Ottawa. The experiment involved creating an isolated botnet with Waledac software. The researchers examined the botnet's communication protocols, message formats, command-and-control architecture and other elements.
-http://www.csoonline.com/article/647917/researchers-create-botnet-to-learn-how-it-works
Microsoft Retires Office Genuine Advantage (December 20, 2010)
Microsoft has retired its Office Genuine Advantage anti-piracy program, which detected whether users were running legitimate or counterfeit copies of the software suite. A spokesperson for the company explained the decision by writing in an email that "the program has served its purpose." Windows Genuine Advantage, now known as Windows Activation Technologies, is still active.
-http://news.cnet.com/8301-10805_3-20026196-75.html
-http://www.channelregister.co.uk/2010/12/20/microsoft_retires_office_genuine_advantage_program/
-http://www.computerworld.com/s/article/9201778/Microsoft_kills_Office_anti_piracy_program?taxonomyId=144
-http://support.microsoft.com/kb/917999
Gawker Acknowledges Falling Down on Security, Plans to Do Better (December 18 & 20, 2010)
Gawker chief technology officer (CTO) Tom Plunkett acknowledged that his company's lack of preparedness resulted in the compromise of more than one million customer accounts. Plunkett wrote in an internal memo that "the tech team should have been better prepared [and] committed more time to perform thorough audits. As a result of not having done these things, we have not adhered to standards expected of us." Gawker has audited the sites affected by the attack and has now mandated the use of Secure Sockets Layer (SSL) encryption for employees with accounts that use Google Apps as well as the use of two-factor authentication if employees require access to financial or legal information. Employees will also be prohibited from discussing sensitive company information on chat applications. The FBI is investigating the breach.
-http://www.computerworld.com/s/article/9201719/Gawker_CTO_outlines_post_hack_security_changes?taxonomyId=17
-http://www.theregister.co.uk/2010/12/18/gawker_hack_aftermath/
[Editor's Note (Schultz): From all appearances, Gawker's problem is not lack of audits. Instead, it is lack of adequate security risk management that includes implementing suitable preventative, detecting and corrective controls. Audits, while very important, are just the tail end of a complete risk management process. ]
Data on NYC Tourism Site Compromised Through SQL Injection Attack (December 20, 2010)
Cyber criminals used an SQL injection attack to compromise the information of more than 110,000 credit cards stored on a server belonging to a New York City tourism company. Twin America, d.b.a. City Sights NYC, sent a breach notification letter to the New Hampshire Attorney General after learning that 300 residents of that state were affected by the incident. SQL injection attacks have been around for more than a decade, but companies are still not taking adequate steps to protect their data from these attacks.
-http://www.bankinfosecurity.com/articles.php?art_id=3195
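The item above names the attack class but not the coding mistake behind it. The following is an added illustration, not code from the newsletter or from the company involved, that puts the classic defect (building SQL text by string concatenation) beside the standard fix (parameterized queries). It uses Python's built-in sqlite3 module with a constructed in-memory table of made-up customer rows; the table, function names and sample values are assumptions chosen for the demonstration.

```python
import sqlite3

# Constructed sample data: three made-up customers with a fake card suffix.
SAMPLE_ROWS = [("alice", "1234"), ("bob", "5678"), ("carol", "9012")]

# The well-known tautology probe: when spliced into SQL text, the WHERE
# clause becomes "name = '' OR '1'='1'", which matches every row.
TAUTOLOGY = "' OR '1'='1"


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (name, card_last4) VALUES (?, ?)", SAMPLE_ROWS
    )
    conn.commit()
    return conn


def lookup_concat(conn, name):
    """VULNERABLE: untrusted input is concatenated into the SQL statement,
    so the input can change the statement's structure, not just its data."""
    sql = "SELECT name, card_last4 FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, name):
    """HARDENED: the statement text is fixed; the driver binds the value
    separately, so quotes in the input are treated as literal characters."""
    sql = "SELECT name, card_last4 FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Return row counts for a normal lookup and for the tautology input
    against both implementations, so the difference is measurable."""
    conn = make_db()
    return {
        "concat_normal": len(lookup_concat(conn, "alice")),
        "concat_tautology": len(lookup_concat(conn, TAUTOLOGY)),
        "param_normal": len(lookup_param(conn, "alice")),
        "param_tautology": len(lookup_param(conn, TAUTOLOGY)),
    }


if __name__ == "__main__":
    for key, count in demo().items():
        print(f"{key}: {count} row(s)")
```

Run stand-alone, the concatenated version returns every customer for the tautology input while the parameterized version returns none; the single change is that the value travels as a bound parameter instead of as part of the statement text. The same pattern applies to any DB-API driver, and a code review or a grep for string building around `execute` calls is a cheap first check.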
Bank of America Stops Processing WikiLeaks Transactions (December 18, 2010)
Bank of America (BofA) has become the most recent company to sever business ties with WikiLeaks, publicly announcing that it will not process transactions that appear to finance the whistle blowing website. BofA justified its action, saying "WikiLeaks may be involved in activities that are ... inconsistent with our internal policies for processing payments." WikiLeaks has threatened to publish evidence of "unethical practices" at certain financial institutions; BofA is believed to be among those institutions.
-http://www.bbc.co.uk/news/world-us-canada-12028084
-http://www.computerworld.com/s/article/9201618/Bank_of_America_cuts_services_for_WikiLeaks?taxonomyId=17
Thornberry to Coordinate House Cyber Security Legislation (December 17, 2010)
William McClellan "Mac" Thornberry (R-Texas) has been tapped to be the point guard for congressional cyber security legislation. Incoming House Speaker John Boehner has assigned Thornberry to coordinate cyber security legislation in Congress, which is a complex task, as every House committee has some jurisdiction over the issue. Thornberry has been named vice-chairman of the House Armed Services Committee. He has been a member of the committee since his election to Congress 16 years ago.
-http://blogs.govinfosecurity.com/posts.php?postID=826&rf=2010-12-20-eg
-http://amarillo.com/news/local-news/2010-12-16/thornberry-named-committee
Google Enhances Warnings for Suspicious Search Results (December 17, 2010)
Google has debuted a new security feature for its search engine that warns users when they are attempting to visit a suspicious site. Google has been letting users know for some time that sites they are attempting to visit may harm their computers; this new feature expands that service to include sites that might not be serving malware, but may not be under complete control of the legitimate owner - for instance, when spammers have placed invisible links or redirects or when phishers have added pages to a site.
-http://krebsonsecurity.com/2010/12/google-debuts-this-site-may-be-compromised-warning/
-http://www.scmagazineus.com/new-google-service-identifies-hacked-sites/article/193028/
Google Misses Connecticut AG Data Submission Deadline (December 17, 2010)
Google has not yet surrendered information it inadvertently collected about Connecticut residents to the state's Attorney General. Richard Blumenthal had given Google until 5:00 pm on Friday, December 17 to turn over the data it collected from unprotected Wi-Fi networks while gathering information for Street View. Google has allowed authorities elsewhere to look at the information it collected in those locations. Blumenthal will now consider whether or not to take legal action against Google.
-http://www.washingtonpost.com/wp-dyn/content/article/2010/12/17/AR2010121705585.html
Tech Executives Allegedly Sold Inside Information (December 16, 2010)
Four technology company executives have been arrested for selling inside company information to a California market research company. The executives worked as consultants for Primary Global Research, receiving generous fees for providing the company with information about industry trends that is then sold to money managers, but the FBI alleges that the activity "went way beyond permissible market research" when insider information was sold to hedge funds.
-http://www.computerworld.com/s/article/9201427/FBI_Executives_at_Dell_AMD_sold_inside_information
-http://mountainview.patch.com/articles/second-executive-at-primary-global-research-arrested-by-fbi
[Editor's Note (Northcutt): These guys will be back in the work place in two years. What can be done to put them on ice for longer than that? We need something similar to Megan's Law/sex offender registry. If they sold you out, they will sell me out! ]
**********************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.
Rohit Dhamankar is a security professional currently involved in independent security research.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Mark Weatherford, CISSP, CISM, is Chief Information Security Officer at the North American Energy Reliability Commission (NERC).
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/