SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XII - Issue #21

March 16, 2010

Two cool ways to help with cyber skills advancement:

(1) If your organization employs more than 50 cyber security professionals and wants to be on the forefront of developing the next generation of cyber experts, you can sponsor one (or more) of the US Cyber Challenge summer camps this summer. If you miss this window, you probably won't be able to engage in the Cyber Challenge programs going forward because those who help at the outset will get first option on future camps. Email Karen Evans at karenevans@prodigy.net

(2) You can win your choice of $3,000 or a free SANS course if you will complete a survey about security skills. Three winners will be named. This is for anyone holding a CISA or GSNA or CEH or CSIH or SSCP. This week only. If you hold any of those certifications, email apaller@sans.org with the cert name as the subject and we'll send you back the form.

Alan

---

TOP OF THE NEWS

Six of Seven AV Programs Tested Did Not Detect Aurora Attack Variants
FBI: Cost of Reported Cybercrime in 2009 Was US $560 Million
South Korea Investigates Data Security Practices, Indicts 39 for Alleged Piracy

THE REST OF THE WEEK'S NEWS

Phishers Target NetRegistry Users
Microsoft Testing Fix for Zero-Day IE Vulnerability
China Says Google Must Follow Censorship Rules
UK's GCHQ Lost 35 Laptops in 2008
Two Plead Guilty to Selling Pirated Software
Netflix Nixes Contest Reprise
Apple Issues Safari Update
Conficker Infection at New Zealand Hospital Traced to USB Drive
Microsoft Wins Injunction Against IM Spamming Company

---

********************* Sponsored By Entrust Technologies ****************
Entrust Unified Communications Certificates provide greater flexibility to support powerful communications products like Microsoft Exchange Server 2007 and Microsoft Office Communications Server 2007, without sacrificing security controls. Up to 10 host names included, 128/256-bit SSL encryption, quick issuance and one to four year certificate lifetimes available. Now from only $387 per year. Learn more at
http://www.sans.org/info/56193
*************************************************************************

TRAINING UPDATE
- -- SANS Northern Virginia Bootcamp 2010, April 6-13 Bonus evening presentations include Safe Surfing: How to Surf the Net Without Getting PWND
http://www.sans.org/reston-2010/

- -- SANS Security West 2010, San Diego, May 7-15, 2010 23 courses. Bonus evening presentations include Killer Bee: Exploiting ZigBee and the Kinetic World
http://www.sans.org/security-west-2010/

- -- SANSFIRE 2010, Baltimore, June 6-14, 2010 38 courses. Bonus evening presentations include Software Security Street Fighting Style and The Verizon Data Breach Investigations Report
http://www.sans.org/sansfire-2010/

- -- SANSFIRE Rocky Mountain 2010, Denver, July 12-17, 2010 8 courses. Bonus evening presentations include Hiding in Plain Sight: Forensic techniques to Counter the Advanced Persistent Threat
http://www.sans.org/rocky-mountain-2010/

- -- SANS Boston 2010, June 6-14, 2010 11 courses
http://www.sans.org/boston-2010/

Looking for training in your own community? http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/spring09.php

Plus Dubai, Geneva, Toronto, Singapore and Amsterdam all in the next 90 days.
For a list of all upcoming events, on-line and live: https://www.sans.org/index.php
*************************************************************************

---

TOP OF THE NEWS

Six of Seven AV Programs Tested Did Not Detect Aurora Attack Variants (March 11, 2010)

A test of seven of commonly used anti-virus programs found that just one detected variants of the malware that exploited the IE vulnerability used in the Aurora attacks, which affected Google, Adobe and other US companies. Rick Moy, president of NSS Labs, the company that performed the tests, said that "vendors need to put more focus on the vulnerability than on exploit protection." Threat detection and mitigation need to evolve to meet the challenge of the emerging attacks. OS and client software vendors need to shoulder their share of the security burden.
-http://www.computerworld.com/s/article/9169658/Update_Security_industry_faces_at
tacks_it_cannot_stop?taxonomyId=13&pageNumber=1
-http://darkreading.com/vulnerability_management/security/antivirus/showArticle.j
html?articleID=223600014&subSection=Antivirus

[Editor's Note (Pescatore): Anti-viral software is only good for detecting previously seen attacks, not much news here. Testing AV programs to detect things they don't have signatures for is like testing soda for nutritional value. ]

FBI: Cost of Reported Cybercrime in 2009 Was US $560 Million (March 12 & 15, 2010)

According to statistics from the FBI's Internet Crime Complaint Center (IC3), the financial cost of cyber crime reported in the US more than doubled between 2008 and 2009, totaling nearly US $560 million in 2009. Among the most frequently reported attacks were phishing schemes that purported to come from the FBI itself. The total number of cybercrime complaints rose 22.9 percent from 257,284 submissions in 2008 to 336,655 submissions in 2009. Other often-reported schemes involved non-delivery of Internet-purchased merchandise or payments for Internet purchases, and phony anti-virus software.
-http://www.computerworld.com/s/article/9170258/FBI_Cyberfraud_losses_doubled_in_
2009?taxonomyId=17
-http://www.theregister.co.uk/2010/03/15/cybercrime_complaint_surge/
-http://www.v3.co.uk/v3/news/2259467/fbi-reports-online-crime-losses
-http://www.fbi.gov/pressrel/pressrel10/ic3report_031210.htm
-http://www.ic3.gov/media/annualreport/2009_IC3Report.pdf

South Korea Investigates Data Security Practices, Indicts 39 for Alleged Piracy (March 12, 13 & 15, 2010)

Officials in South Korea will investigate the information security practices of 25 companies following the arrest of three people for selling personally identifiable information of 20 million retail customers. The data were purchased from Chinese cyber criminals who have not been arrested. Separately, 39 people have been indicted for allegedly uploading large quantities of movies and other copyrighted digital content to peer-to-peer (P2P) sites.
-http://www.google.com/hostednews/afp/article/ALeqM5gU4DwmPkiau1V6GE0blDIG8H6DTA
-http://www.net-security.org/secworld.php?id=9018

---

*************************** Sponsored Links ***************************
(1) The National SCADA Security Summit has free courses from DHS and wonderful workshops by NERC (for US Utilities only) and in depth courses, plus the best look yet at the Advanced Persistent Threat already inside utilities. Register at:
http://www.sans.org/scada-security-summit-2010/
*************************************************************************

---

THE REST OF THE WEEK'S NEWS

Phishers Target NetRegistry Users (March 15, 2010)

Phishers using a Brazilian domain name have launched an attack against customers of Australian domain name and hosting company NetRegistry. The emails arrive with the subject: Please Update. The body of the message asks users to provide their usernames and passwords to verify their profiles; the message also says that if they do not provide the requested information, their email accounts will be deactivated. NetRegistry has sent warnings to its customers reminding them that it will never ask them to provide login information via email.
-http://www.securecomputing.net.au/News/169589,hackers-attempt-to-dupe-netregistr
y-customers.aspx
-http://www.itwire.com/business-it-news/security/37605-netregistry-proactive-resp
onse-to-phishing-attack

Microsoft Testing Fix for Zero-Day IE Vulnerability (March 12, 13 & 15, 2010)

Microsoft said it is testing a fix for a recently disclosed security flaw in Internet Explorer (IE), but did not say if it intends to issue an out-of-cycle fix for the vulnerability that is already being actively exploited. The flaw affects IE 6 and IE 7, but not IE 5.01 and IE 8. In the mean time, Microsoft is offering a "fix it" tool that disables the component in the iepeers.dll file that is the source of the vulnerability. Microsoft also offered other workaround suggestions in the advisory it issued about the flaw last week.
-http://www.computerworld.com/s/article/9170278/Microsoft_hustles_on_IE_patch_tes
ts_fix
-http://news.cnet.com/8301-27080_3-20000392-245.html?tag=mncol;title
-http://www.theregister.co.uk/2010/03/15/microsoft_ie_fixes/
-http://support.microsoft.com/kb/981374
-http://www.microsoft.com/technet/security/advisory/981374.mspx

China Says Google Must Follow Censorship Rules (March 12, 13 & 15, 2010)

A Chinese official has said that the government will not back down from their stance on Internet search censorship requirements, and that Google must comply with the rules or face the consequences. In January 2010, following the disclosure of cyber attacks against Google's IT systems believed to have originated in China, Google announced that it would stop censoring Internet search results in China. An unnamed source "familiar with the company's thinking" said Google is nearly certain to withdraw from China's search engine market.
-http://www.informationweek.com/news/software/open_source/showArticle.jhtml?artic
leID=223800107
-http://www.washingtonpost.com/wp-dyn/content/article/2010/03/12/AR2010031203564.
html
-http://money.cnn.com/2010/03/15/technology/google_china/index.htm?cnn=yes
-http://www.usatoday.com/tech/news/2010-03-12-google-china_N.htm
-http://www.ft.com/cms/s/2/dd69e680-2e06-11df-b85c-00144feabdc0.html

UK's GCHQ Lost 35 Laptops in 2008 (March 11 & 12, 2010)

According to a report from the UK's Intelligence and Security Committee (ISC), the Government Communications Headquarters (GCHQ) lost 35 laptops in 2008. Three of the computers were classified "top secret." The disclosure led to criticism from MPs regarding what they called GCHQ's "cavalier" attitude about information security. GCHQ appears to have had a "haphazard" monitoring system, and so was unaware what information the missing computers held. An agency spokesperson said there is no evidence the information has been misappropriated or misused, but because of the lackadaisical record keeping, there is no way to be certain.
-http://www.v3.co.uk/v3/news/2259451/government-security-agency
-http://www.computerworlduk.com/management/government-law/public-sector/news/inde
x.cfm?RSS&NewsId=19344
-http://www.guardian.co.uk/uk/2010/mar/11/gchq-mislaid-laptop-computers-report

[Editor's Note (Pescatore): When people use portable devices, they will get lost or stolen, no exceptions. If people use portable devices for business purposes, sensitive information will be on those devices, no exceptions. So, making sure the information on the laptop is protected with strong encryption is always a requirement - even if somehow you are aware of what information those portable devices held. ]

Two Plead Guilty to Selling Pirated Software (March 12, 2010)

Two Texas men, father and son, have pleaded guilty to charges of criminal copyright infringement and conspiracy to commit criminal copyright infringement for selling pirated software over the Internet. Court documents indicate that Robert D. Cook and Todd A. Cook operated web sites that sold downloadable counterfeit software; in all, the Cooks sold US $1 million worth of software. Each man faces up to five years in prison and a fine of US $250,000. The case against the Cooks is part of a larger anti-piracy operation at the US Department of Justice.
-http://darkreading.com/security/app-security/showArticle.jhtml?articleID=2238001
22&subSection=Application+Security

Netflix Nixes Contest Reprise (March 12, 2010)

Netflix has called off a second contest to improve its movie recommendation algorithm. The first contest, launched in 2006, offered US $1 million to the winner, but instead won the company a lawsuit alleging that the dataset the company provided to contest participants made it easy to match the information to actual Netflix customers. A woman sued Netflix saying that the information provided to the entrants did not have identifying information stripped away adequately. The lawsuit alleged that Netflix violated fair-trade and privacy laws that protect video rental records. That case is still pending. The second contest was cancelled in response to questions from the Federal Trade Commission (FTC) regarding the effect of the contest on Netflix members' privacy.
-http://www.theregister.co.uk/2010/03/12/netflix_contest_cancelled/
-http://www.wired.com/threatlevel/2010/03/netflix-cancels-contest/
-http://www.insidecounsel.com/News/2010/3/Pages/Netflix-Nixes-Contest-Over-Privac
y-Concerns.aspx

Apple Issues Safari Update (March 12, 2010)

Apple has released an update for its Safari browser that addresses 16 security flaws. The vulnerabilities fixed in Safari 4.0.5 include application termination flaw, arbitrary code execution flaws, information disclosure flaw and a flaw that allows a cookie to be set even if safari has been configured to block cookies. Updates are available for both Mac OS X and Windows.
-http://www.theregister.co.uk/2010/03/12/safari_update/
-http://www.computerworld.com/s/article/9169778/Apple_plugs_16_holes_in_Safari_as
_Pwn2Own_looms?taxonomyId=17
-http://www.h-online.com/security/news/item/Safari-4-0-5-patches-16-holes-953670.
html
-http://support.apple.com/kb/HT4070

Conficker Infection at New Zealand Hospital Traced to USB Drive (March 11 & 12, 2010)

An infection that shut down the computer system at the Waikato (New Zealand) district health board (DHB) in December has been blamed on a USB device used in a computer in a booth in a parking lot. The three thousand computers in the DHB network became infected with the Conficker virus and shut down the system for three days.
-http://www.nzherald.co.nz/compute/news/article.cfm?c_id=1501832&objectid=106
31570
-http://www.stuff.co.nz/waikato-times/news/3434167/Health-chaos-blame-a-stick

[Editor's Note (Pescatore): This is like blaming the rain for the leaky roof. The USB device is ot the problem - the fact that three thousand computers were *still* vulnerable to Conficker is the problem.
(Honan): Disabling the Windows Autorun feature, together with up to date patches and anti-virus software, can help prevent worms like Conficker from spreading. Microsoft provides a good overview as to how to disable Autorun using group Policies at
-http://support.microsoft.com/kb/962007]

Microsoft Wins Injunction Against IM Spamming Company (March 12, 2010)

Microsoft has been granted an injunction against a Hong Kong company that allegedly used instant messaging (IM) spam to fool users into surrendering their account details. Funmobile is now prohibited from sending unsolicited instant messages to Windows Live Messenger customers. The company must also pay Microsoft an undisclosed sum. The messages allegedly sent by Funmobile appeared to come from people Live Messenger users knew.
-http://news.zdnet.co.uk/security/0,1000000189,40085624,00.htm

---

**********************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/