SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XII - Issue #18

March 05, 2010

Power and other utility company employees are invited to attend a free
(eye-opening) webcast on March 19 on the advanced persistent threat
already inside utilities. Send your request for a seat to
apaller@sans.org subject March 19.


Alan

---

TOP OF THE NEWS

Aurora Cyber Attackers Targeted Source Code Management Systems
Israeli Raid Called Off After Plan Details Posted on Facebook
Three Arrested in Huge Botnet Case

THE REST OF THE WEEK'S NEWS

Napolitano Announces Cybersecurity Awareness Competition
Microsoft Releases New Versions of Update That Caused Crashes; Will Issue Two New Bulletins Next Week
Average Users Have Difficulty keeping Up With Security Patches
Chertoff Says Average Users Struggle With Security
White House Declassifies parts of Cybersecurity Initiative
RealNetworks Settles With Movie Studios Over RealDVD
German Court Overturns Telecommunications Data Retention Law
Lawsuit Alleges Patient Data Leaked Through P2P Network

---

******************* Sponsored By Entrust Technologies *******************
Entrust Unified Communications Certificates provide greater flexibility to support powerful communications products like Microsoft Exchange Server 2007 and Microsoft Office Communications Server 2007, without sacrificing security controls. Up to 10 host names included, 128/256-bit SSL encryption, quick issuance and one to four year certificate lifetimes available. Now from only $387 per year. Learn more at http://www.sans.org/info/55824
*************************************************************************

TRAINING UPDATE

- -- SANS 2010, Orlando, March 6 - March 15, 2010 38 courses and bonus evening presentations, including Software Security Street Fighting Style http://www.sans.org/sans-2010/

- -- SANS Northern Virginia Bootcamp 2010, April 6-13 Bonus evening presentations include Safe Surfing: How to Surf the Net Without Getting PWND http://www.sans.org/reston-2010/

- -- SANS Security West 2010, San Diego, May 7-15, 2010 23 courses. Bonus evening presentations include Killer Bee: Exploiting ZigBee and the Kinetic World http://www.sans.org/security-west-2010/

- -- SANSFIRE 2010, Baltimore, June 6-14, 2010 38 courses. Bonus evening presentations include Software Security Street Fighting Style and The Verizon Data Breach Investigations Report http://www.sans.org/sansfire-2010/

- -- SANSFIRE Rocky Mountain 2010, Denver, July 12-17, 2010 8 courses. Bonus evening presentations include Hiding in Plain Sight: Forensic Techniques to Counter the Advanced Persistent Threat http://www.sans.org/rocky-mountain-2010/

- -- SANS Boston 2010, June 6-14, 2010 11 courses http://www.sans.org/boston-2010/

Looking for training in your own community? http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/spring09.php

Plus Dubai, Geneva, Toronto, Singapore and Brisbane all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php *************************************************************************

---

TOP OF THE NEWS

Aurora Cyber Attackers Targeted Source Code Management Systems (March 3 & 4, 2010)

According to a paper released by McAfee at the RSA Conference, the attackers who breached systems at Google and other companies went after source-code management systems. Once they accessed the systems, the attackers would have been able to steal and to modify source code. The attackers found the software-configuration management systems (SCM) to be "wide open." Many of the companies affected by the Aurora attacks, as they have been dubbed, used the same source-code management system from Perforce. The attackers gained initial access to the companies' systems through weaponized email
[previously known as spear phishing ]
attacks.
-http://www.wired.com/threatlevel/2010/03/source-code-hacks/
-http://www.zdnetasia.com/news/security/0,39044215,62061601,00.htm
-http://www.crn.com/security/223101584;jsessionid=JWORUUYIMPJWRQE1GHPCKHWATMY32JV
N
-http://ibnlive.in.com/news/google-china-hackers-stole-source-code-researcher/111
020-11.html?from=tn?from=rssfeed

Israeli Raid Called Off After Plan Details Posted on Facebook (March 3 & 4, 2010)

A planned Israeli raid on a Palestinian village in the West Bank was called off after a soldier posted information about it on Facebook. The post included details about the time and location of the planned sweep and the name of his combat unit. Other soldiers who saw the post alerted their superiors. The soldier was sentenced to 10 days in prison and has been relieved of combat duty.
-http://www.smh.com.au/technology/technology-news/israel-aborts-raid-after-soldie
r-posts-details-on-facebook-20100304-pjfb.html
-http://haaretz.com/hasen/spages/1153619.html

Three Arrested in Huge Botnet Case (March 2, 3 & 4, 2010)

Spanish authorities have arrested three people in connection with a botnet that comprised as many as 12.7 million PCs worldwide. The Mariposa botnet included PCs at Fortune 1,000 companies and at 40 major banks. Its main focus was stealing login credentials for online bank accounts, email services and similar information. Following the arrests, police recovered personal information of more than 800,000 people. Mariposa was first detected in December 2008 and was shut down in December 2009. It was defeated with the help of the Mariposa Working Group, a coalition of security experts, academics and law enforcement, which monitored communication between the compromised machines and the cyber criminals. The three people arrested in Spain are allegedly Mariposa's administrators. Arrests in other countries are said to be imminent.
-http://edition.cnn.com/2010/TECH/03/03/spain.computer.virus.arrest/
-http://www.mercurynews.com/business/ci_14498591?source=rss&nclick_check=1
-http://www.mercurynews.com/business/ci_14504717?source=rss&nclick_check=1
-http://www.theregister.co.uk/2010/03/03/mariposa_botnet_bust_analysis/
-http://www.theregister.co.uk/2010/03/04/mariposa_police_hunt_more_botherders/
-http://news.bbc.co.uk/2/hi/technology/8547453.stm
-http://www.computerworld.com/s/article/9164838/Spanish_police_take_down_massive_
Mariposa_botnet?taxonomyId=17
-http://www.eweek.com/c/a/Security/Spain-IT-Security-Companies-Sting-Mariposa-Bot
net-390027/
-http://www.foxnews.com/scitech/2010/03/04/mastermind-worlds-worst-virus-large/

---

**************************** Sponsored Link ***************************
1) Attend an Online Demo of iPrism Web Filter and Get a $20 Amazon Giftcard! http://www.sans.org/info/55829
*************************************************************************

---

THE REST OF THE WEEK'S NEWS

Napolitano Announces Cybersecurity Awareness Competition (March 4, 2010)

Speaking at the RSA Conference in San Francisco, Department of Homeland Security Secretary Janet Napolitano described steps the government is taking to develop a strategic approach to cyber security. Napolitano spoke of the urgent need to improve cyber security to protect the country from attacks, highlighted by the recent attacks on Google and other US companies. Napolitano also announced the National Cybersecurity Awareness Campaign Challenge Competition created to gather ideas for "raising public awareness of cyber security." The winners of the competition will be invited to Washington to attend a DHS event and will help plan the National Cybersecurity Awareness Campaign.
-http://news.bbc.co.uk/2/hi/technology/8548618.stm
-http://www.toptechnews.com/news/DHS-Chief-Outlines-Security-Strategy/story.xhtml
?story_id=010000CEYJCE&full_skip=1
-http://www.informationweek.com/news/security/government/showArticle.jhtml?articl
eID=223101441
-http://www.dhs.gov/files/cyber-awareness-campaign.shtm

Microsoft Releases New Versions of Update That Caused Crashes; Will Issue Two New Bulletins Next Week (March 4, 2010)

Microsoft has released a reworked version of the MS10-015 security update that caused problems for some users when it was released last month. If computers were infected with the Alureon rootkit, the patch caused systems to crash. The newer version of the patch checks first to see if Alureon is present on computers before it installs. The new update will be automatically pushed out to users. Microsoft also announced that it will be issuing two security updates on Tuesday, March 9, both of which are rated important. The updates address a total of eight flaws and affect Microsoft Windows and Office.
-http://news.zdnet.co.uk/security/0,1000000189,40070580,00.htm
-http://www.computerworld.com/s/article/9166158/Microsoft_plans_to_patch_8_Window
s_Office_bugs_next_week
-http://www.microsoft.com/technet/security/Bulletin/MS10-mar.mspx

Average Users Have Difficulty keeping Up With Security Patches (March 4, 2010)

If home users were to apply every security patch available for applications on their Windows PCs, they would be facing roughly 75 instances of patching every year, or one every five days, according to Secunia. In addition to the large number of patches, users would also have to interact with an average of 22 different patching mechanisms. Faced with the frequency and variety of required patching, it is no surprise that many users are not up to date for patches on all programs on their computers. Last year at the RSA Conference, Secunia made a call for a unified patching standard, but the idea did not go over well.
-http://www.computerworld.com/s/article/9165738/Typical_Windows_user_patches_ever
y_5_days?taxonomyId=17
Editor's Note (Schultz): Secunia is right. There are just too many bugs in too many software products. There is no way that the average PC user, let alone the average organization, can even begin to keep up with all the patches. A single patch installation method would help only to some degree; the far bigger problem is software developers continuing to produce bug-infested software with few if any negative consequences to them. ]

Chertoff Says Average Users Struggle With Security (March 3, 2010)

Speaking at the RSA conference in San Francisco this week, former Homeland security Secretary Michael Chertoff said that effective computer security is too complicated for average computer users. Chertoff said that not only do users need to be educated about cyber security, but there need to be "solutions that they are comfortable with." The government, the private sector and individual users all have roles to play in making changes.
-http://blogs.wsj.com/digits/2010/03/03/most-people-don%E2%80%99t-understand-cybe
r-threats-says-former-dhs-chief/

White House Declassifies parts of Cybersecurity Initiative (March 3, 2010)

The White House has declassified portions of the Comprehensive National Cybersecurity Initiative (CNCI). The plan, launched at the end of President George W. Bush's second term, comprises 12 directives that address government strategy to protect military, civilian, government and critical infrastructure networks and the government's offensive cyber warfare strategy. The White House has released summaries of all 12 directives. The declassified information includes details about EINSTEIN 3, the intrusion detection tool, that will monitor network traffic in real time; it "looks for anomalous activities that are not already in the signature database." Critics say that the new information does not go far enough in describing "the limits of their legal authorities."
-http://www.washingtonpost.com/wp-dyn/content/article/2010/03/02/AR2010030202113.
html
-http://www.wired.com/threatlevel/2010/03/us-declassifies-part-of-secret-cybersec
urity-plan/
-http://www.nextgov.com/nextgov/ng_20100303_9560.php?oref=topstory
-http://fcw.com/articles/2010/03/03/web-declassification-cnci.aspx
-http://www.whitehouse.gov/blog/2010/03/02/transparent-cybersecurity
-http://www.whitehouse.gov/cybersecurity/comprehensive-national-cybersecurity-ini
tiative

RealNetworks Settles With Movie Studios Over RealDVD (March 3 & 4, 2010)

RealNetworks has reached a settlement regarding the company's DVD-copying software, pre-empting a trial in the case. In 2008, the Motion Picture Association of America (MPAA) sued RealNetworks over its RealDVD software, alleging that the product allowed people to, in essence, steal DVDs. RealNetworks countered that the program was designed to allow people who purchased movies legitimately to make backup copies on the hard drives of their PCs. Last year, a judge granted a temporary injunction against the sale of RealDVD, and added that the product violates both the Digital Millennium Copyright Act and a license agreement that the company had signed with the DVD Copy Control Association. The settlement reached calls for RealNetworks to pay US $4.5 million to cover the plaintiff's legal fees and to stop selling the product. The company will also withdraw its appeal of the temporary injunction and will no longer support RealDVD or any other similar technology. The 2,700 people who purchased RealDVD will each receive US $30 reimbursement.
-http://www.computerworld.com/s/article/9165798/RealNetworks_settles_lawsuits_wil
l_stop_selling_DVD_copying_software?taxonomyId=17
-http://www.wired.com/threatlevel/2010/03/dmca-muscle-strong-arms-dvd-copying/

German Court Overturns Telecommunications Data Retention Law (March 2 & 3, 2010)

Germany's Federal Constitutional Court has overturned a law that allowed the retention of telephone and email data for anti-terrorism investigations. The court said the law was a "grave intrusion" on people's personal privacy rights and that it violates citizens' constitutional rights to private correspondence. The law required that all data, with the exception of content, on phone calls and email be retained for six months to allow authorities to conduct investigations if necessary. The court noted that the law did not provide adequate security for the data, nor did it "sufficiently limit the possible uses of
[the ]
data." The court ordered that all currently held data be deleted and that no more data be retained until a national law is passed that is in harmony with basic German law.
-http://www.msnbc.msn.com/id/35672314/ns/technology_and_science-security/
-http://euobserver.com/9/29595

[Editor's Note (Honan): The court did not find the Data Retention Law itself to be unconstitutional but that certain aspects of it contravened German privacy legislation. Changes will need to be made to the law to satisfy those concerns and the results of this case will be monitored closely by other European countries to see if the privacy issues raised also apply to their implementation of the EU Data Retention Directive. ]

Lawsuit Alleges Patient Data Leaked Through P2P Network (February 26, 2010)

A class action lawsuit filed last month alleges that The Open Door Clinic of Greater Elgin (Illinois) leaked confidential patient information through a peer-to-peer file sharing network. The suit says the class comprises at least 260 people whose personal medical information, including their HIV/AIDS status, was leaked and alleges negligence, invasion of privacy, and breach of confidentiality. The clinic became aware of the data leak in the summer of 2008, but did not notify its patients at the time. The lawsuit also alleges that some of the information was used to commit identity fraud. The clinic allegedly stores data, including patients' Social Security numbers (SSNs) and medical history on a file sharing network that clinic employees can access from home.
-http://www.kcchronicle.com/articles/2010/02/26/16209753/index.xml

---

**********************************************************************
The Editorial Board of SANS NewsBites



Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)



John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.



Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.



Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States



Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.



Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.



Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.



Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.



Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.



Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.



Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.



David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.



Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.



Alan Paller is director of research at the SANS Institute



Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.



Clint Kreitner is the founding President and CEO of The Center for Internet Security.



Brian Honan is an independent security consultant based in Dublin, Ireland.



David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.



Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/