SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XII - Issue #12

February 12, 2010

TOP OF THE NEWS

EU Parliament Votes Down Interim US-EU Banking Data Agreement
Massachusetts Consumer Data Protection Law Set to Take Effect Next Month
Cyber Warfare Part of Israeli Defense Arsenal

THE REST OF THE WEEK'S NEWS

Cyber Attack Simulation Hosts Invite Media to Observe
Man Charged in Click Fraud Scheme
Internet Filter Protesters Attack Australian Government Websites
Irish MEP Says Small-Time Downloaders Should be Left Alone
Mozilla Says Sothink Web Video Downloader Add-On is Clean
Gov. Schwarzenegger Signs Executive Order for Improving State IT Systems
Microsoft Releases 13 Security Bulletins; One May Cause Problems
Bugat Trojan Designed for ACH Theft
Chinese Hacker Site Crackdown Viewed with Skepticism
Operation Aurora Attacks Continuing

---

************************ Sponsored By Microsoft *************************

Volume 7 of the Microsoft(R) Security Intelligence Report An in-depth perspective on malicious and unwanted software, software exploits, security breaches and software vulnerabilities including data derived from more than 450 million computers worldwide and some of the busiest services on the Internet, such as Windows Live Hotmail and Bing. Watch the interview and download the full report.
http://www.sans.org/info/54798

*************************************************************************

TRAINING UPDATE --SANS 2010, Orlando, March 6 - March 15, 2010 38 courses and bonus evening presentations, including Software Security Street Fighting Style
http://www.sans.org/sans-2010/

--SANS Phoenix, February 14 -February 20, 2010 6 courses and bonus evening presentations, including The Art of Incident Response and Advanced Forensic Techniques: Catching Hackers on the Wire
http://www.sans.org/phoenix-2010/

--SANS Northern Virginia Bootcamp 2010, April 6-13 Bonus evening presentations include Safe Surfing: How to Surf the Net Without Getting PWND
http://www.sans.org/reston-2010/

--SANS Security West 2010, San Diego, May 7-15, 2010 23 courses. Bonus evening presentations include Killer Bee: Exploiting ZigBee and the Kinetic World
http://www.sans.org/security-west-2010/

--SANSFIRE 2010, Baltimore, June 6-14, 2010 38 courses
http://www.sans.org/sansfire-2010/

Looking for training in your own community?
http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/spring09.php

Plus Oslo, Dublin, Dubai and Geneva all in the next 90 days. For a list of all upcoming events, on-line and live: www.sans.org *************************************************************************

---

TOP OF THE NEWS

EU Parliament Votes Down Interim US-EU Banking Data Agreement (February 11, 2010)

The European Parliament has voted down an interim agreement that would have allowed the US access to EU residents' banking transaction information held in the SWIFT system. The US has been analyzing European banking transactions since late 2001 as part of its efforts to fight terrorism, but that fact was not made public until 2006. European Ministers had passed the interim agreement to allow continued US monitoring of SWIFT late last year; the European Parliament's rejection of that agreement appears to be focused on privacy issues.
-http://www.theregister.co.uk/2010/02/11/europe_rejects_data_share/
-http://www.h-online.com/security/news/item/European-Parliament-blocks-US-access-
to-SWIFT-data-928492.html
-http://news.bbc.co.uk/2/hi/europe/8510471.stm
[Editor's Note (Honan): This interim agreement was brought in as a result of the US accessing every banking transaction by EU citizens and companies via the Swift system since 2001 in direct contravention of the EU Data Protection Directive. The overwhelming vote in favour of rejecting the interim agreement, 378 to 196, demonstrates that there are still grave concerns regarding privacy. So the message should be clear, if the US wants to monitor the financial transactions of EU citizens it must do so in accordance with EU law. ]

Massachusetts Consumer Data Protection Law Set to Take Effect Next Month (February 11, 2010)

A stringent Massachusetts consumer data protection law is slated to take effect on March 1, 2010. It will require organizations conducting business with Massachusetts residents to encrypt consumer data stored on portable media devices and all data transmitted over public or wireless networks. Organizations will also be required to maintain records of exactly what consumer data they retain. The law was initially scheduled to take effect January 1, 2009, but the deadline has been extended twice.
-http://www.computerworld.com/s/article/9155978/Deadline_looms_for_Mass._data_pro
tection_law?taxonomyId=17
[Editor's Note (Skoudis): We need to get to a world where data at rest is encrypted by default. Unencrypted data should be the exception, not the rule.

(Schultz: This Massachusetts law is in my mind one of the most significant security-related pieces of legislation to ever be passed. Hopefully this law will set a precedent for passage of similar legislation in other states. ]

Cyber Warfare Part of Israeli Defense Arsenal (February 9, 2010)

Speaking at the Institute for National Security Studies (INSS), Israeli chief of military intelligence Maj. Gen. Amos Yadlin noted that "using computer networks for espionage is as important to warfare today as the advent of air support was to warfare in the 20th century," giving power to small countries that was once reserved for just large countries. Yadlin said the Israeli military is developing an "internet warfare" team. There is evidence that Israeli forces used cyber warfare techniques to help jets launch a strike on a suspected Syrian nuclear facility under construction. Israeli cyber warfare appears to be focused on thwarting Iran's development of uranium enrichment plants and other nuclear-related efforts. Newspaper reports indicate that Israeli intelligence attempted to plant software in equipment that could damage Iranian nuclear program information systems. In these cases, the targets are systems that are not Internet connected, so the malware is hidden on mobile devices such as cell phones and computers that could be connected to the isolated information systems.
-http://www.aviationweek.com/aw/generic/story_channel.jsp?channel=defense&id=
news/dti/2010/02/01/DT_02_01_2010_p39-198440.xml&headline=Israel%20Adds%20Cy
ber-Attack%20to%20IDF
[Editor's Note (Pescatore): Cyber warfare has been part of every major country's military arsenal for over a decade now.

(Skoudis): This is the new normal. Countries are using integrated cyber operations for intelligence and offensive military operations. It's cost effective, supports achieving military objectives, and has relatively lower risk than other methods.

(Schultz): It is a cheaper, less risky form of spying. Consider the risks and costs of training spies and getting them placed in positions in which they are able to steal information versus social engineering, breaking into systems, and/or installing malware in systems while the perpetrator works from home. The risks-rewards ratio of the later is much more favorable. ]

---

*************************** Sponsored Links ***************************

1) Replace Cisco CS-MARS from the MARS creators. Upgrade to AccelOps at your current MARS maintenance fee and receive a full year of maintenance & support.
http://www.sans.org/info/54803

2) Attend the first European event focused at Forensics and Incident Response Summit April 19-20 in London.
http://www.sans.org/info/54808

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

Cyber Attack Simulation Hosts Invite Media to Observe (February 10 & 11, 2010)

The Bipartisan Policy Center is hosting a cyber attack simulation next week. Cyber ShockWave is designed to see how government officials would react to a cyber attack in real time. The roles of the Cabinet members will be played by former presidential administration staff members and national security officials. None of the participants will have any advance knowledge of the attack; their roles will be to advise the President in their various capacities. What makes this cyber attack simulation different from others is that members of the media have been invited to observe the exercise. A public discussion will follow the simulation.
-http://www.computerworld.com/s/article/9155318/Simulated_cyber_attack_to_test_go
vernment_response?taxonomyId=17
-http://fcw.com/articles/2010/02/11/web-cyber-shockwave-simulation.aspx
-http://politics.theatlantic.com/2010/02/_recreating_a_s_ituation.php

Man Charged in Click Fraud Scheme (February 11, 2010)

Christopher Kennedy has been charged with developing and distributing click fraud software that allegedly cheated online auction site eBay out of thousands of dollars. The software, Saucekit, manipulates software cookies to make it appear as if site visitors have been clicking on eBay advertisements; eBay pays sites that direct users to its site with click-throughs by identifying information in the cookies. Last March, eBay sent Kennedy a cease-and-desist order that Kennedy ignored. eBay also filed a civil suit before involving police. Kennedy is facing one count of wire fraud; he could be sentenced to up to five years in prison and fined US $250,000.
-http://www.securecomputing.net.au/News/166931,developer-charged-with-cookie-scam
-on-ebay.aspx
[Editor's Note (Pescatore): Bot-compromised PCs have been driving click fraud rates back up, after click fraud rates had declined a bit in early 2009. Going after identified bad guys is good but the online advertising industry has to invest in being more aggressive about the auditing it does to verify the legitimacy of ad viewing/click-through rate claims - just as the print and radio and TV advertising industries before them had to do. ]

Internet Filter Protesters Attack Australian Government Websites (February 10 & 11, 2010)

Protesters have launched distributed denial-of-service (DDoS) attacks against Australian government websites to express their objection to proposed Internet filters. The filters will prevent access to pornographic and criminally-related websites. One statement indicated the group behind the attacks does not believe the government has the right to control what people view on the internet. The plan calls for the filters to be installed by early next year. The group behind the attacks also launched similar attacks on the Scientology website in the past.
-http://news.bbc.co.uk/2/hi/asia-pacific/8508732.stm
-http://www.theregister.co.uk/2010/02/11/oz_anti_censorship_ddos_latest/
-http://www.wired.com/threatlevel/2010/02/anonymous-unfurls-operation-titstorm/
-http://www.securecomputing.net.au/News/166993,anonymous-blasts-government-sites-
for-second-day.aspx

Irish MEP Says Small-Time Downloaders Should be Left Alone (February 10, 2010)

An Irish Member of the European Parliament (MEP) has compared imposing sanctions on small-time illegal downloaders to "using a sledgehammer to crack a nut." MEP Alan Kelly said those efforts are misdirected; content is so often syndicated that some of those people may not be aware that they are breaking the law by downloading the files. Instead, Kelly would like to see enforcement focusing on the providers of pirated copyright material.
-http://www.siliconrepublic.com/news/article/15205/new-media/mep-tells-record-lab
els-to-leave-illegal-downloaders-alone/

Mozilla Says Sothink Web Video Downloader Add-On Is Clean (February 10 & 11, 2010)

Mozilla now says that a plug-in it removed from its Firefox download website does not contain malware. Last week, Mozilla removed two plug-ins from the add-on site: Master Filer and Sothink Web Video Downloader. Mozilla now says that Sothink is clean. The confusion arose because the encryption program for Sothink's Web Video Downloader used to be armadillo, a compression utility that has at times been used to hide malicious code. Master Filer does contain malware, but the estimated number of downloads of that plug-in is under 700, far fewer than the 6,000 originally reported.
-http://www.scmagazineus.com/mozilla-recants-assertion-that-firefox-add-on-has-tr
ojan/article/163611/
-http://download.cnet.com/8301-2007_4-10451112-12.html?tag=mncol;title

Gov. Schwarzenegger Signs Executive Order for Improving State IT Systems (February 9 & 10, 2010)

California Governor Arnold Schwarzenegger has signed an executive order that will guide improvements to the state's information technology systems. The order "will standardize IT governance and information security, and increase transparency in IT spending." The order requires all state agencies to appoint CIOs and information security officers. The order also provides for consolidation of services to reduce data center space by 50 percent by July 2011 and reduce IT operations energy usage 30 percent by July 2012.
-http://gov.ca.gov/press-release/14406/
-http://www.informationweek.com/news/government/state-local/showArticle.jhtml?art
icleID=222700759&subSection=News
[Editor's Note (Pescatore): Some good stuff in there on formalizing the CISO-like role at agencies and departments. But way too much about centralization and standardization as the answer to everything, and way too little about making sure avoiding vulnerabilities gets baked in across IT operations vs. just more monitoring to know when vulnerabilities get exploited. ]

Microsoft Releases 13 Security Bulletins; One May Cause Problems (February 9, 2010)

Microsoft has released 13 security bulletins to address 26 vulnerabilities that could be exploited to execute code remotely, create denial-of-service conditions, or elevate privileges. The vulnerabilities updates address flaws in Microsoft Windows and Microsoft Office. There have been reports that one of the updates, MS010-15: Vulnerabilities in Windows Kernel, could allow elevation of privilege (KB977165), is causing problems for some users. People experiencing problems with the update can receive help from Microsoft at no charge.
-http://www.microsoft.com/technet/security/bulletin/ms10-feb.mspx
-http://www.computerworld.com/s/article/9154298/Microsoft_delivers_huge_Windows_s
ecurity_update
-http://www.krebsonsecurity.com/2010/02/new-patches-cause-bsod-for-some-windows-x
p-users/
-http://isc.sans.org/diary.html?storyid=8197

Bugat Trojan Designed for ACH Theft (February 9 & 10, 2010)

The Bugat Trojan steals financial account information, but appears to be designed specifically to harvest information that allows attackers to conduct fraudulent automated clearinghouse (ACH) and wire transfer transactions, a scheme that has been gaining attention in recent months. Bugat "uses an SSL-encrypted command and control infrastructure via HTTP-S, and also goes after FTP and POP credentials via those encrypted sessions."
-http://darkreading.com/vulnerability_management/security/client/showArticle.jhtm
l?articleID=222700615&subSection=End+user/client+security
-http://securitywatch.eweek.com/trojan_attacks/new_trojan_targets_us_banking_cred
entials.html
-http://www.secureworks.com/research/blog/index.php/author/jmilletary/

Chinese Hacker Site Crackdown Viewed with Skepticism (February 8, 2010)

Western security experts remain unconvinced that Chinese authorities' shutdown of a known hacker training website indicates a real change in attitudes toward malicious cyber activity. Although three people have been arrested and hundreds of thousands of dollars worth of equipment and money have been seized, the servers allegedly used in the attacks against Google and other US companies remain online and their operators have not been arrested. Some believe that the arrests and seizure are just "window dressing," and that the climate amenable to the attacks has not changed.
-http://www.nytimes.com/2010/02/08/world/asia/09hacker.html?partner=rss&emc=r
ss

Operation Aurora Attacks Continuing (February 10, 2010)

The attacks that targeted Google, Adobe and other US companies are continuing. Dubbed Operation Aurora, the attacks have affected considerably more than the 30 companies that were originally reported. Experts say they are getting closer to identifying the author or authors of the malware used in the attacks. While there is no direct forensic evidence linking the Chinese government to the attacks, there are hints in the code that link it to the Chinese language.
-http://www.darkreading.com/vulnerability_management/security/attacks/showArticle
.jhtml?articleID=222700786

---

**********************************************************************

The Editorial Board of SANS NewsBites



Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)



John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.



Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.



Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States



Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.



Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.



Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.



Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.



Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.



Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.



Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.



David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.



Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.



Alan Paller is director of research at the SANS Institute



Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.



Clint Kreitner is the founding President and CEO of The Center for Internet Security.



Brian Honan is an independent security consultant based in Dublin, Ireland.



David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.



Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/