Newsletters: NewsBites



SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XII - Issue #13

February 16, 2010


Update on the free programs at SANS 2010 in Orlando (March 6 - 15). They are actually better - more current, more authoritative, more useful, more pragmatic, and better presented - than the sessions I have seen at any other organization's security conference - free or paid. The full list is at the end of this issue. Here are a few examples: Security Architecture Disasters: And what you can do to avoid them (Michele Guel and John Strand); So, You Wanna Be a Cyber Warrior, Huh? (Ed Skoudis); What's New for Security in Windows 7 and Server 2008-R2 (Jason Fossen); How to Respond to an Unexpected Security Incident (Lenny Zeltser); Spear Phishing and Client-side Exploits (Stephen Sims); State of the Hack (Rob Lee); Software Security Street Fighting Style (Johannes Ullrich). See: http://www.sans.org/sans-2010/ for registration.

And there is a fascinating new book about computers and terrorism by Shane Harris of the National Journal, called "The Watchers." Nonfiction, but reads like a thriller. It starkly illuminates the complex balance between liberty and security. The Wall Street Journal has an excerpt: http://online.wsj.com/article/SB10001424052748704820904575055481363319518.html?mod=WSJ_LifeStyle_Lifestyle_11


Alan

TOP OF THE NEWS

Google Promises Changes Ahead for Buzz
Phony Anti-Virus Malware Adds Live Support
Michigan Company Sues Bank For Failing to Halt Fraudulent Wire Transfers

THE REST OF THE WEEK'S NEWS

Microsoft Patch Blue Screen Problem Blamed on Insidious Malware Infection
China Tops List of Bot-Infected Computers in Last Three Months of 2009
Royal Dutch Shell Investigating Employee Database Leak
Max Ray Butler Draws 13-Year Sentence
Adobe Releases Flash Update
Hathaway Says Congress Should Consolidate Cyber Security Legislation
Microsoft to Add Activation Exploit Detection to Windows 7
Former Goldman Sachs Programmer Indicted for Alleged Code Theft
NetWars Seeks Cyber Security Talent


******************** Sponsored By Skybox Security, Inc. ****************
Skybox CertiFire - Manage, audit, and optimize multiple Check Point, Cisco, Fortinet or Juniper firewalls in minutes. Download a free 14-day trial at http://www.sans.org/info/54844. Easy to install and use, CertiFire helps you find and fix security gaps such as firewall misconfigurations, conflicting rules, and access compliance issues. Use CertiFire to get accurate and action-oriented firewall information - fast.
*************************************************************************
TRAINING UPDATE

-- SANS Phoenix, February 14 -February 20, 2010 6 courses and bonus evening presentations, including The Art of Incident Response and Advanced Forensic Techniques: Catching Hackers on the Wire
http://www.sans.org/phoenix-2010/

-- SANS 2010, Orlando, March 6 - March 15, 2010 38 courses and bonus evening presentations, including Software Security Street Fighting Style
http://www.sans.org/sans-2010/

-- SANS Northern Virginia Bootcamp 2010, April 6-13 Bonus evening presentations include Safe Surfing: How to Surf the Net Without Getting PWND
http://www.sans.org/reston-2010/

-- SANS Security West 2010, San Diego, May 7-15, 2010 23 courses. Bonus evening presentations include Killer Bee: Exploiting ZigBee and the Kinetic World
http://www.sans.org/security-west-2010/

-- SANSFIRE 2010, Baltimore, June 6-14, 2010 38 courses
http://www.sans.org/sansfire-2010/

Looking for training in your own community? http://sans.org/community/ Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/spring09.php

Plus Bangalore, Dublin, Dubai, Toronto and Singapore all in the next 90 days. For a list of all upcoming events, on-line and live: www.sans.org
*************************************************************************

TOP OF THE NEWS

Google Promises Changes Ahead for Buzz (February 15, 2010)

Google has made some changes to Buzz, its newly-launched social network service, after users complained that it went too far in sharing their personal information. Users were complaining that their contact lists were being made public without their permission. There were also complaints that they had insufficient control over who could follow them. Google launched Buzz early last week and automatically included on users' follow lists the contacts they most frequently emailed and chatted with. Google has now shifted to a system that automatically suggests people to follow rather than placing them on users' follow lists. Google has also stopped automatically connecting users' Picasa albums and Google Reader-shared items through Buzz.
-http://money.cnn.com/2010/02/15/technology/Google_Buzz_privacy/index.htm?cnn=yes
-http://www.securecomputing.net.au/News/167138,google-responds-to-buzz-user-feedback.aspx

-http://www.msnbc.msn.com/id/35409762/ns/technology_and_science-tech_and_gadgets/

[Editor's Note (Pescatore): Google has followed a predictable path just like others before them: abuse user data, wait for outrage; if outrage, apologize - but stick to opt-out options buried a few menus down, vs. doing the right thing and going completely opt-in. Enterprises contemplating using advertising supported IT like free mail and social networking services need to go in with their eyes wide open - the real customers are the advertisers, not the users of the services. ]

Phony Anti-Virus Malware Adds Live Support (February 13, 2010)

Cyber criminals behind the Live PC Care phony anti-virus scam have begun offering live support to add a layer of credibility to their operation. The phony antivirus software screen now has an online support button that allows users to chat with an agent who will do his or her best to convince the user to pay money to solve the purported security problems. Symantec researchers say that their interactions with the support staff suggest that there are real people manning the chats.
-http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=222900276&cid=RSSfeed_IWK_All


[Editor's Note (Schultz): The perpetrators in this scheme are, unfortunately, very clever. Adding a phony live support capability exploits the tendency on the part of confused users to talk to somebody to obtain help or clarification. ]

Michigan Company Sues Bank For Failing to Halt Fraudulent Wire Transfers (February 10 & 12, 2010)

A Michigan company is suing its bank after cyber thieves allegedly made fraudulent wire transfers totaling US $560,000. The lawsuit filed by Experi-Metal Inc. (EMI) against Comerica Bank alleges that the bank had inadequate security practices and failed to take note of indications that the transactions were suspicious. The complaint seeks reimbursement for the loss as well as interest, attorney's fees and other damages. In this particular case, the cyber thieves obtained the banking account credentials through a phishing email sent to an employee at EMI. The transactions wired funds to bank accounts in Russia, Estonia, Scotland, Finland, China and the US and were withdrawn soon after the deposits were made. The suit alleges Comerica's security practices made EMI vulnerable to the phishing attack. The bank allegedly routinely sent its online customers emails with links asking them to submit information to renew digital certificates. The suit also alleges that the bank failed to notice unusual activity. Until the fraudulent transactions were made, EMI had made just two wire transfers ever; in just a three-hour period, 47 wire transfers and 12 transfer of fund requests were made. In addition, after EMI became aware of the situation and asked the bank to halt transactions, the bank allegedly failed to do so until 38 more had been initiated.
-http://www.computerworld.com/s/article/9156558/Michigan_firm_sues_bank_over_theft_of_560_000_?taxonomyId=17
-http://www.krebsonsecurity.com/2010/02/comerica-phish-foiled-2-factor-protection/#more-973



*************************** Sponsored Links ***************************

1) The latest Microsoft security alerts, demos, and webcasts delivered to you. Get your customized TechNet widget.
http://www.sans.org/info/54849

2) Join your peers and other professionals at the first European Forensics & Incident Response Summit April 19-20.
http://www.sans.org/info/54854

3) Register for Department of Homeland Security Control Systems Cyber Security Trainings. SANS Process Control and SCADA Summit March 29-30.
http://www.sans.org/info/54859

*************************************************************************

THE REST OF THE WEEK'S NEWS

Microsoft Patch Blue Screen Problem Blamed on Insidious Malware Infection (February 15, 2010)

Microsoft says that the blue screen problem reported by some users following the installation of a security bulletin last week may be due to a rootkit buried on users' computers. Some Windows XP users reported that the updates caused what is known as the Blue Screen of Death; the issue was traced to a particular bulletin, MS10-015, after it was discovered that removing the update described in that bulletin reversed the problem. The problem does not affect all users; a researcher said there was evidence that the machines experiencing the problem appear to have been infected with the TDSS or Tidserv rootkit. Microsoft has stopped distributing the bulletin for the time being.
-http://www.theregister.co.uk/2010/02/15/rootkit_blue_screen_culprit_probably/
-http://www.h-online.com/security/news/item/Symantec-says-rootkit-causes-Windows-XP-blue-screen-of-death-931280.html

ISC:
-http://isc.sans.org/diary.html?storyid=8215
[Editor's Note (Pescatore): If you look at Microsoft's Malicious Software Removal Tool statistics, about 1 out of 3 small business and home PCs (the ones that run Auto Update) have botnet payloads on them. Most enterprises find between 3 and 10% of their PCs also have been compromised by botnet malware. A lot of those payloads interfere with security functions, for obvious reasons. ]

China Tops List of Bot-Infected Computers in Last Three Months of 2009 (February 15, 2010)

During the final three months of 2009, more computers in China than in any other country around the world became infected with bot malware, according to a report from McAfee. One possible reason China has such a high number of infected PCs is that users are less likely to have updated their software, in large part because such a large number of computers are running pirated software.
-http://www.washingtonpost.com/wp-dyn/content/article/2010/02/14/AR2010021403817.htm



Royal Dutch Shell Investigating Employee Database Leak (February 12, 13 & 15, 2010)

A database containing personal information of more than 170,000 Royal Dutch Shell employees has been copied and sent to environmentalists and human rights groups. The database was "downloaded without authorization and distributed to some external parties." Those responsible for the leak have not been identified, but could be disgruntled and/or former employees seeking a "peaceful corporate revolution." The data in the file are about six months old. Shell is investigating the breach, and is demanding that organizations that received a copy of the database destroy it or face legal action.
-http://www.theregister.co.uk/2010/02/15/shell_data_loss/
-http://www.darkreading.com/database_security/security/client/showArticle.jhtml?articleID=222900239
-http://business.timesonline.co.uk/tol/business/industry_sectors/natural_resources/article7025711.ece
-http://www.computerweekly.com/Articles/2010/02/12/240292/Did-activists-infiltrate-Shell-to-obtain-contacts-database.htm


[Editor's Note (Northcutt): Well, I would say this has a chance of changing the ROI picture for Data Loss Prevention technology. Imagine if their oil well and drilling field information was hacked and that information sent to the competition. It could be a game changer. ]


Max Ray Butler Draws 13-Year Sentence (February 12 & 15, 2010)

Max Ray Butler, a.k.a. Max Vision and Iceman, has been sentenced to 13 years in prison for breaking into financial institutions' computer systems and stealing credit card information. Butler is also known for breaking into carder sites, where cyber thieves trade in stolen credit card information, and forcing them to operate through his own site, cardersmarket.com. Butler once worked as an informant for the FBI, but lost that job after he wrote malware that opened backdoors into computer systems, including those of some US government agencies. He served 18 months in prison for that offense. Following completion of his new prison term, Butler will serve five years of supervised release. He was also ordered to pay US $27.5 million in restitution.
-http://www.computerworld.com/s/article/9156658/Criminal_hacker_Iceman_gets_13_years
-http://www.wired.com/threatlevel/2010/02/max-vision-sentencing/
-http://www.theregister.co.uk/2010/02/15/max_vision_cybercrook_jailed/

[Editor's Note (an Internet Storm Center Incident Handler): This is simply sad. He ran arachNIDS, he is quoted throughout the SANS sites (google for max vision site:sans.org). Originally I thought it was a stupid mistake that got him sent to prison for modifying a unix based worm to patch systems but he left himself a backdoor on those patched systems. He was one of the original hackers to come "out" as a white hat. To see him fall so far from a position of trust within our community to a hardened criminal is just plain sad. ]


Adobe Releases Flash Update (February 12 & 15, 2010)

Adobe has issued a fix for a critical flaw in its Flash Player that could be exploited to make unauthorized cross-domain requests, which could be used to create denial-of-service conditions or allow cross-site forgery attacks on vulnerable computers. Users are urged to upgrade to version 10.0.45.2; the vulnerability affects Windows, Mac and Linux versions of the software. Adobe also said it will be releasing an out-of-cycle fix for several critical flaws in Acrobat and Reader on Tuesday, February 16; the update is for versions 9.3 and 8.2 of the products.
-http://www.h-online.com/security/news/item/Adobe-fixes-critical-vulnerability-in-Flash-Update-929060.html
-http://www.theregister.co.uk/2010/02/12/adobe_updates/
-http://www.scmagazineus.com/adobe-patches-flash-player-plans-out-of-band-reader-fix/article/163685/
-http://www.adobe.com/support/security/bulletins/apsb10-06.html
-http://www.adobe.com/support/security/bulletins/apsb10-07.htm

[Editor's Note (Pescatore): When I was a kid, I used to think the baseball World Series meant someone playing the Yankees, since the Yankees seemed to be in every World Series back in the day. Now I'm thinking that rebooting my PC really is just there to upload the latest patch to Adobe Flash or Reader… ]


Hathaway Says Congress Should Consolidate Cyber Security Legislation (February 12, 2010)

Melissa Hathaway, who led the Obama administration's cyber security review last year, says that US lawmakers need to consolidate cyber security legislation currently moving through the House and Senate. There are currently at least 35 bills that deal with government and private industry cyber security. The difficulties in merging existing bills lie in the fact that legislators are committed to certain points of view about the locus of cyber security enforcement and authority.
-http://www.nextgov.com/nextgov/ng_20100212_8971.php


Microsoft to Add Activation Exploit Detection to Windows 7 (February 12, 2010)

Microsoft plans to update Windows 7 systems to include a feature that can detect whether or not users have genuine copies of the operating system running on their computers. The Windows Activation Technologies Update will check to see if the users have used activation exploits to get pirated copies to run. Windows 7 can be downloaded at no cost, but users must pay a registration fee if they want the software to be activated. Activation exploits have been circulating on the Internet.
-http://www.informationweek.com/news/windows/operatingsystems/showArticle.jhtml?articleID=222900212&subSection=Security



Former Goldman Sachs Programmer Indicted for Alleged Code Theft (February 11, 2010)

Former Goldman Sachs computer programmer Sergey Aleynikov has been indicted on charges of theft of trade secrets, transporting stolen property in foreign commerce, and unauthorized computer access. Aleynikov allegedly stole proprietary source code that Goldman Sachs used to conduct "sophisticated high-speed and high-volume trades on various stock and commodities markets." He was employed at Goldman Sachs until June 5, 2009, when he left to work at Teza Technologies, where he had been hired to develop a high-speed trading platform. According to prosecutors, Aleynikov transferred large quantities of Goldman Sachs code to a server in Germany shortly before leaving the company. If he is convicted, Aleynikov could face up to 25 years in prison.
-http://www.nytimes.com/2010/02/12/technology/12code.html?partner=rss&emc=rss


NetWars Seeks Cyber Security Talent (February 11, 2010)

The NetWars contest aims to find the best and the brightest of young computer security talent in the US and "make sure they're working for the good guys." The US has approximately 1,000 highly skilled cyber security experts; it needs 20,000. A group of cyber security contests, including NetWars, helps identify that potential. NetWars in particular challenges the participants' ability to attack as well as to defend, because "unless you know how to attack, you don't know how to defend." The contest is not aimed at training hackers, but at identifying talent. The best performers in the competitions will be matched with recruiters in government and private industry.
-http://www.forbes.com/forbes/2010/0301/rebuilding-paller-america-internet-give-me-your-hackers_print.html


**********************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.

Alan Paller is director of research at the SANS Institute

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/