SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XII - Issue #14
February 19, 2010
TOP OF THE NEWS
EPIC Files Complaint With FTC Seeking Privacy-Related Changes to Google BuzzCyber Attack Simulation Underscores Areas of Policy Weakness
Group Publishes Top 25 Programming Errors List, Says Application
THE REST OF THE WEEK'S NEWS
Kneber Botnet Infected 75,000 Computers Former Goldman SachsProgrammer Pleads Not Guilty
Google Fixes Buzz Cross-Site Scripting Flaw
Malware Hits Norfolk, Virginia City Computers
Out-of-Cycle Update for Adobe Reader and Acrobat
Data Leaked From Latvian State Revenue Service Database
************************** Sponsored By zScaler *************************
WEBCAST - Google was victimized by hackers. Will you be next? Join us for this educational Webcast on Feb 25, 2010. Keynote by Peter Firstbrook, Gartner Analyst. Watch a step-by-step demo of how Chinese hackers attacked big name US companies. Learn how to protect your organization from such threats. Register Here: http://www.sans.org/info/55203
************************************************************************
TRAINING UPDATE
- -- SANS 2010, Orlando, March 6 - March 15, 2010 38 courses and bonus evening presentations, including Software Security Street Fighting Style
http://www.sans.org/sans-2010/
- -- SANS Northern Virginia Bootcamp 2010, April 6-13 Bonus evening presentations include Safe Surfing: How to Surf the Net Without Getting PWND
http://www.sans.org/reston-2010/
- -- SANS Security West 2010, San Diego, May 7-15, 2010 23 courses. Bonus evening presentations include Killer Bee: Exploiting ZigBee and the Kinetic World
http://www.sans.org/security-west-2010/
- -- SANSFIRE 2010, Baltimore, June 6-14, 2010 38 courses
http://www.sans.org/sansfire-2010/
- -- SANSFIRE Rocky Mountain 2010, Denver, July 12-17, 2010 8 courses
http://www.sans.org/rocky-mountain-2010/
- -- SANS Boston 2010, June 6-14, 2010 11 courses
http://www.sans.org/boston-2010/
Looking for training in your own community?
http://sans.org/community/
Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/spring09.php
Plus Bangalore, Dublin, Dubai, Toronto and Singapore all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
*************************************************************************
TOP OF THE NEWS
EPIC Files Complaint With FTC Seeking Privacy-Related Changes to Google Buzz (February 17, 2010)
The Electronic Privacy Information Center (EPIC) has filed a complaint with the Federal Trade Commission (FTC) regarding Google's newly-introduced social networking service Buzz. The "complaint concerns an attempt by Google ... to convert the private, personal information of Gmail subscribers into public information for ... Buzz." The complaint alleges that Google "violated user privacy expectations, diminished user privacy, contradicted Google's own privacy policy, and may have also violated federal wiretap laws." EPIC wants to compel Google to make Buzz a completely opt-in service, stop using Gmail users' contact lists to create Buzz contact lists, and give Buzz users more control over their own information.-http://news.cnet.com/8301-30685_3-20000076-264.html?part=rss&subj=news&t
ag=2547-1_3-0-20
-http://epic.org/privacy/ftc/googlebuzz/GoogleBuzz_Complaint.pdf
[Editor's Note (Shultz): There is a great deal truth to the old saying that perception is reality, and few sources of information affect public perception more than do Internet Web sites. ]
Cyber Attack Simulation Underscores Areas of Policy Weakness (February 16 & 17, 2010)&
A cyber attack simulation in which former US federal officials played roles as cabinet members illustrated "the government's lack of policies to guide a response to a widespread attack." The attack involved malware hidden in an NCAA March Madness Basketball bracket application that was sent to cell phones; the malware logged users' keystrokes and intercepted messages. The infected devices were also used to launch a botnet attack. The attacks escalated into power failures, millions of cell phones without service and Wall Street shut down for a week. The simulated attacks escalated to cause power failures, leave millions without cell phone service, and shut down Wall Street for a week. The simulation, dubbed Cyber Shockwave, was sponsored by the Bipartisan Policy Center.-http://www.nextgov.com/nextgov/ng_20100216_5378.php?oref=topnews
-http://www.washingtonpost.com/wp-dyn/content/article/2010/02/16/AR2010021605762_
pf.html
[Editor's Note (Ranum): I'm highly skeptical that a botnet attack could easily escalate into power failures, disruption of cell service for millions, and Wall St getting shut down for a week. (Anyone who claims the latter doesn't appear to understand how the New York Stock Exchange works) - this has my B.S. meter pegged in the red zone. Simulations should be credible, or they're just propaganda.
(Paller): The comments I am hearing from people who were there reinforces what Marcus is saying. The scenario seems to have been designed by people who do not understand current or future attack patterns. ]
Group Publishes Top 25 Programming Errors List, Says Application Vendors Should Be Liable for Code Security (February 16 & 17, 2010)
The 2010 CWE (Common Weakness Enumeration)/SANS Top 25 Most Dangerous Programming Errors list points to cross-site scripting (XSS), SQL injection, and buffer overflow vulnerabilities as the causes of nearly all major cyber attacks in recent years. The consortium behind the list, headed by the SANS Institute and Mitre Corp., is also publishing draft language to use in procurement documents that would hold software development organizations liable for product security.-http://www.sans.org/top25-programming-errors/
-http://www.computerworld.com/s/article/9157218/Hold_vendors_liable_for_buggy_sof
tware_group_says
-http://www.csoonline.com/article/544163/Security_Experts_Developers_Responsible_
for_Programming_Problems
-http://www.theregister.co.uk/2010/02/17/top_25_programming_errors/
-http://www.darkreading.com/vulnerability_management/security/app-security/showAr
ticle.jhtml?articleID=222900574
-http://www.h-online.com/security/news/item/Top-25-Programming-Errors-list-update
d-933535.html
[Editor's Note (Schultz): The fact that to date software vendors have for the most part not been held responsible in court cases for damages experienced due to bugs in their code is appaling. This precedent is in my mind the single greatest enabler of bug-infested coding on the part of vendors. ]
Group Publishes Top 25 Programming Errors List, Says Application Vendors Should Be Liable for Code Security (February 16 & 17, 2010)
The 2010 CWE (Common Weakness Enumeration)/SANS Top 25 Most Dangerous Programming Errors list points to cross-site scripting (XSS), SQL injection, and buffer overflow vulnerabilities as the causes of nearly all major cyber attacks in recent years. The consortium behind the list, headed by the SANS Institute and Mitre Corp., is also publishing draft language to use in procurement documents that would hold software development organizations liable for product security.-http://www.sans.org/top25-programming-errors/
-http://www.computerworld.com/s/article/9157218/Hold_vendors_liable_for_buggy_sof
tware_group_says
-http://www.csoonline.com/article/544163/Security_Experts_Developers_Responsible_
for_Programming_Problems
-http://www.theregister.co.uk/2010/02/17/top_25_programming_errors/
-http://www.darkreading.com/vulnerability_management/security/app-security/showAr
ticle.jhtml?articleID=222900574
-http://www.h-online.com/security/news/item/Top-25-Programming-Errors-list-update
d-933535.html
[Editor's Note (Schultz): The fact that to date software vendors have for the most part not been held responsible in court cases for damages experienced due to bugs in their code is appaling. This precedent is in my mind the single greatest enabler of bug-infested coding on the part of vendors. ]
*************************** Sponsored Link ****************************
1) Listen to ETM LogRhythm in the Hotseat - SIEM 2.0 Interview with Chris Petersen at http://www.sans.org/info/55208
*************************************************************************
THE REST OF THE WEEK'S NEWS
Kneber Botnet Infected 75,000 Computers (February 18, 2010)
The Kneber botnet has reportedly breached nearly 75,000 computers. The goal of the malware is to harvest login credentials for online financial accounts, social networking sites, and email systems. The compromised systems include those at some US government agencies and commercial enterprises, such as Merck (a pharmaceutical company) and Paramount Pictures. Organizations are advised to limit and monitor outbound traffic to stem damage from similar infections.-http://www.msnbc.msn.com/id/35456838/ns/technology_and_science-security/
-http://news.cnet.com/8301-27080_3-10455525-245.html?tag=mncol;title
P.S. This botnet infiltrated 374 U.S. companies and government organizations per
-http://www.computerworld.com/s/article/9158778/Kneber_botnet_hit_374_U.S._firms_
gov_t_agencies?source=CTWNLE_nlt_pm_2010-02-18
[Editor's Note (Pescatore): Remember back say 10 years ago when you knew major email viruses (like Melissa) by name? With bot client malware, we are at the same point we were with macro malware back then - the threat got ahead of the protection. It is time to force the protection you pay for to move it up a notch, or change vendors. There are some simple process improvements that greatly reduce the risk, but there are also many leading products that do a much better job than many that are in use.
(Schultz): Advising organizations to monitor only outbound traffic is myopic. Both inbound and outbound traffic needs to be monitored if bot infections are to be detected. Analysis of outbound traffic helps identify internal machines that are connecting to suspicious external machines, some of which may be botmasters or other machines owned by an attacker.
(Honan): It appears the Kneber Botnet is based on the Zeus crimeware. So while this threat is not new, nor are botnets of 75,000 compromised machines or above new either, kudos to NetWitness for bringing this issue to the attention of the mainstream press. The Zeus Tracker project,
-https://zeustracker.abuse.ch/index.php
shows that they have detected 1293 Command & Control servers with approximately half of those C&C servers online. An interesting point to note is that the project shows that the average anti-virus detection rate for this malware is only 50% so it is no surprise to see it infiltrate so many organisations. ]
Former Goldman Sachs Programmer Pleads Not Guilty (February 17, 2010)
The former Goldman Sachs computer programmer accused of stealing proprietary source code before leaving for another job has pleaded not guilty to charges of theft of trade secrets, transportation of stolen property, and unauthorized computer access. Sergey Aleynikov was arrested last summer and indicted on February 11, 2010. He allegedly stole code while still employed at Goldman Sachs through his last day at the firm. Aleynikov allegedly deleted the program used to encrypt the code and the bash history on the computer after the files were transferred.-http://www.nytimes.com/2010/02/18/technology/18code.html?partner=rss&emc=rss
-http://www.businessweek.com/news/2010-02-17/former-goldman-programmer-aleynikov-
pleads-not-guilty-update1-.html
Google Fixes Buzz Cross-Site Scripting Flaw (February 17, 2010)
Google has fixed a cross-site scripting (XSS) vulnerability in Buzz, its new social networking site. The vulnerability could be exploited to run malicious JavaScript code on the Google.com, to redirect users to phishing web pages or to trick users into installing malware.-http://www.scmagazineus.com/google-patches-xss-hole-in-its-buzz-social-media-pla
tform/article/163930/
-http://www.computerworld.com/s/article/9158218/Google_fixes_Buzz_bug?taxonomyId=
17
[Editor's Note (Pescatore): I think a more news-worthy item would be "Major Advertising-based Web Site Has Never Had a Cross-site Scripting Flaw."
Malware Hits Norfolk, Virginia City Computers (February 17, 2010)
Nearly 800 computers used by the city of Norfolk, Virginia were infected with malware that all but wiped clean the computers' hard drives and deleted the Windows operating systems on the machines. The City's IT director suspects the cause may have been "time bomb" code, planted at some earlier date and programmed to execute just recently. The problem was detected earlier this month when the IT team noticed that computers were taking longer than usual to shut down. Once the computers finally shut down, they could not be restarted. The team uncovered a virtual print server that was pushing out malicious code and took it offline. The infected PCs have been reimaged and affected servers have been restored.-http://www.computerworld.com/s/article/9158499/City_of_Norfolk_hit_with_code_tha
t_takes_out_nearly_800_PCs?source=rss_news
Out-of-Cycle Update for Adobe Reader and Acrobat (February 16 & 17, 2010)
Adobe has issued an out-of-cycle security update for Reader and Acrobat. Version 9.3.1 of the programs addresses a pair of critical vulnerabilities. One of the flaws is the same as the vulnerability Adobe recently patched in Flash; it could allow unauthorized cross-domain requests. The other flaw could be exploited to crash vulnerable computers and possible allow attackers to gain control of the machines. There are updates available for Windows, Mac OS X, and Unix/Linux versions of Reader and Acrobat. Adobe has also released version 8.2.1 to address the vulnerabilities for users who are unable to update to version 9.x.-http://www.h-online.com/security/news/item/Two-critical-holes-closed-in-Adobe-Re
ader-and-Acrobat-933022.html
-http://www.theregister.co.uk/2010/02/17/adobe_reader_update/
-http://www.computerworld.com/s/article/9157558/Update_Adobe_issues_emergency_PDF
_patches?source=CTWNLE_nlt_pm_2010-02-16
-http://www.adobe.com/support/security/bulletins/apsb10-07.html
[Editor's Note (Ullrich): This botnet isn't exactly new or large. It is a variant of "Zeus", which is a rather sophisticated bot toolkit offered for sale. This particular malware family has a record of going after small business bank accounts rather successfully using a number of flexible modules to disguise itself. Sadly, outdated defensive technique like anti virus are largely ineffective against it. ]
Data Leaked From Latvian State Revenue Service Database (February 15, 2010)
Latvia's State Revenue Service (VID) has acknowledged that a cyber security breach may have compromised 120 gigabytes of data. The hole in the VID's electronic tax declaration system appears to have been deliberately created. The compromised data leaked from the VID's database include millions of documents that contain information about businesses, individuals, and public figures. Police are investigating the incident.-http://www.monstersandcritics.com/news/europe/news/article_1533738.php/Massive-s
ecurity-breach-suspected-at-Latvian-tax-office
Malware Hits Norfolk, Virginia City Computers (February 17, 2010)
Nearly 800 computers used by the city of Norfolk, Virginia were infected with malware that all but wiped clean the computers' hard drives and deleted the Windows operating systems on the machines. The City's IT director suspects the cause may have been "time bomb" code, planted at some earlier date and programmed to execute just recently. The problem was detected earlier this month when the IT team noticed that computers were taking longer than usual to shut down. Once the computers finally shut down, they could not be restarted. The team uncovered a virtual print server that was pushing out malicious code and took it offline. The infected PCs have been reimaged and affected servers have been restored.-http://www.computerworld.com/s/article/9158499/City_of_Norfolk_hit_with_code_tha
t_takes_out_nearly_800_PCs?source=rss_news
Out-of-Cycle Update for Adobe Reader and Acrobat (February 16 & 17, 2010)
Adobe has issued an out-of-cycle security update for Reader and Acrobat. Version 9.3.1 of the programs addresses a pair of critical vulnerabilities. One of the flaws is the same as the vulnerability Adobe recently patched in Flash; it could allow unauthorized cross-domain requests. The other flaw could be exploited to crash vulnerable computers and possible allow attackers to gain control of the machines. There are updates available for Windows, Mac OS X, and Unix/Linux versions of Reader and Acrobat. Adobe has also released version 8.2.1 to address the vulnerabilities for users who are unable to update to version 9.x.-http://www.h-online.com/security/news/item/Two-critical-holes-closed-in-Adobe-Re
ader-and-Acrobat-933022.html
-http://www.theregister.co.uk/2010/02/17/adobe_reader_update/
-http://www.computerworld.com/s/article/9157558/Update_Adobe_issues_emergency_PDF
_patches?source=CTWNLE_nlt_pm_2010-02-16
-http://www.adobe.com/support/security/bulletins/apsb10-07.html
[Editor's Note (Ullrich): This botnet isn't exactly new or large. It is a variant of "Zeus", which is a rather sophisticated bot toolkit offered for sale. This particular malware family has a record of going after small business bank accounts rather successfully using a number of flexible modules to disguise itself. Sadly, outdated defensive technique like anti virus are largely ineffective against it. ]
Data Leaked From Latvian State Revenue Service Database (February 15, 2010)
Latvia's State Revenue Service (VID) has acknowledged that a cyber security breach may have compromised 120 gigabytes of data. The hole in the VID's electronic tax declaration system appears to have been deliberately created. The compromised data leaked from the VID's database include millions of documents that contain information about businesses, individuals, and public figures. Police are investigating the incident.-http://www.monstersandcritics.com/news/europe/news/article_1533738.php/Massive-s
ecurity-breach-suspected-at-Latvian-tax-office
**********************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute. Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.
Alan Paller is director of research at the SANS Institute
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/