
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XII - Issue #28

April 09, 2010

TOP OF THE NEWS

Court Rules in Favor of Comcast in FCC Regulation Case
House of Commons Passes Digital Economy Bill
Navy Fleet Cyber Command Expected to Have Predictive Capabilities Within Two Years

THE REST OF THE WEEK'S NEWS

Reported Data Breaches on the Rise in Ireland
Microsoft to Issue 11 Bulletins to Address 25 Flaws on April 13
Adobe May Make Changes to Reader and Acrobat to Protect Users
Faulty Routing Data From Chinese ISP Causes Problems Again
Former Bank of America IT Worker Charged in ATM Scheme
Romanian Police Arrest 70 In Connection with eBay Fraud
Cyber Espionage Group Stealing Indian National Security Documents


************************** Sponsored By zScaler *************************
WEBCAST: Death of Security Appliances - Hype or Reality? Join us for an educational Webcast on April 21. Keynote by Jim Reavis, co-founder, Cloud Security Alliance. Are security appliances still relevant in a Web 2.0 centric world with increasing mobility? Learn about leveraging the cloud for improved security.
Register Here http://www.sans.org/info/57698
*************************************************************************

TRAINING UPDATE
-- SANS Security West 2010, San Diego, May 7-15, 2010, 23 courses. Bonus evening presentations include Killer Bee: Exploiting ZigBee and the Kinetic World
http://www.sans.org/security-west-2010/

-- SANSFIRE 2010, Baltimore, June 6-14, 2010, 38 courses. Bonus evening presentations include Software Security Street Fighting Style and The Verizon Data Breach Investigations Report
http://www.sans.org/sansfire-2010/

-- SANSFIRE Rocky Mountain 2010, Denver, July 12-17, 2010, 8 courses. Bonus evening presentations include Hiding in Plain Sight: Forensic Techniques to Counter the Advanced Persistent Threat
http://www.sans.org/rocky-mountain-2010/

-- SANS Boston 2010, August 2-8, 2010, 11 courses
http://www.sans.org/boston-2010/

Looking for training in your own community? http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/spring09.php

Plus Geneva, Toronto, Amsterdam and Canberra all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
*************************************************************************

TOP OF THE NEWS

Court Rules in Favor of Comcast in FCC Regulation Case (April 8, 2010)

On Tuesday, April 6, a US Federal Appeals Court said that the Federal Communications Commission (FCC) does not have the authority to enforce net neutrality on Internet service providers (ISPs). The court ruled that the FCC exceeded its authority when it imposed sanctions on Comcast for throttling Internet traffic from the BitTorrent website. Comcast says its traffic regulation practices are based on volume, not traffic content. The ruling leaves the FCC's role in Internet traffic in question. The FCC could conceivably maneuver around the ruling by reclassifying high-speed Internet as a telecommunications service instead of an information service. With a simple 3-2 vote, the FCC commissioners could reclassify high-speed Internet into a different regulatory category, where providers would be subject to more stringent rules. The FCC still plans to move forward with its national broadband plan.
-http://www.washingtonpost.com/wp-dyn/content/article/2010/04/06/AR2010040600742.html
-http://www.washingtonpost.com/wp-dyn/content/article/2010/04/07/AR2010040704866.html?wprss=rss_technology
-http://www.msnbc.msn.com/id/36276758/ns/technology_and_science-tech_and_gadgets/
-http://www.latimes.com/news/opinion/editorials/la-ed-neutral9-2010apr09,0,1445436.story
-http://www.npr.org/templates/story/story.php?storyId=125709802

UK House of Commons Passes Digital Economy Bill (April 8, 2010)

UK legislators this week approved the Digital Economy Bill, which has generated controversy over its anti-piracy provisions. Some ISPs and civil rights groups are unhappy with the bill's rushed passage, maintaining that there was not adequate time to scrutinize all its details. Among the controversial provisions are giving Ofcom, the UK's Office of Communications, the power to force ISPs to disconnect users who have been accused of habitual illegal downloading. Another controversial provision would allow the secretary of state to obtain court injunctions to shut down websites that "the court is satisfied has been, is being or is likely to be, used for, or in connection with, an activity that infringes copyright." The Guardian link provides a clause-by-clause overview of the bill as passed by the House of Commons on Wednesday.
-http://www.mcvuk.com/news/38382/Digital-Economy-Bill-is-passed
-http://www.v3.co.uk/v3/news/2261005/passing-digital-economy-bill
-http://www.siliconrepublic.com/news/article/15789/digital-21/digital-britain-bill-now-likely-to-pass-into-law
-http://www.guardian.co.uk/media/pda/2010/apr/08/digital-economy-bill-quick-guide-45-measures
-http://www.rogerdarlington.me.uk/Ofcom.html
-http://www.ofcom.org.uk/about/

Navy Fleet Cyber Command Expected to Have Predictive Capabilities Within Two Years (April 6, 2010)

Vice Admiral Bernard McCullough, commander of the Navy Fleet Cyber Command, estimates that the command will establish a proactive defense posture by October 2010. Speaking at the Center for Strategic and International Studies, McCullough said that the military is traditionally reactive and static, but that it needs to be proactive, dynamic and predictive. He noted that the network must be seen as a weapons system, and the domain as the battlefield. McCullough acknowledged that transforming perceptions will take time, but believes the command will have predictive capabilities within two years.
-http://gcn.com/Articles/2010/04/06/Navy-cyber-command-update.aspx?Page=1
[Editor's Note (Ranum): "Proactive" and "dynamic" are good, but "predictive" is problematic; ultimately he's claiming their plan is to predict the future. I predict it won't work. ]

THE REST OF THE WEEK'S NEWS

Reported Data Breaches on the Rise in Ireland (April 8, 2010)

A report from Irish Data Protection Commissioner Billy Hawkes says that the number of reported data breaches in Ireland increased 50 percent over last year. Although the overall number of complaints investigated dipped slightly in the last year, the office has logged 120 reported data security breaches. Hawkes expressed disappointment at the reluctance of some State bodies to take sufficient account of data protection issues when framing new legislation or applying existing law.
-http://www.siliconrepublic.com/news/article/15794/cio/shocking-data-breaches-are-rife-in-irish-public-sector
-http://www.rte.ie/news/2010/0408/data.html
-http://www.rte.ie/news/2010/0408/data.pdf
[Editor's Note (Honan): It should be noted that the increase in reported incidents has been predominantly from organisations in the public sector. This has been due to the guidance issued by the Irish Department of Finance in late 2008 "encouraging" government departments to report breaches to the Data Protection Commissioner (Section 4, Page 23
-http://www.dataprotection.ie/documents/guidance/GuidanceFinance.pdf).
So this is not a reflection of security controls being any more lax in the public sector than in the private and actually highlights further the need for mandatory breach disclosure laws in Ireland and the EU. ]

Microsoft to Issue 11 Bulletins to Address 25 Flaws on April 13 (April 8, 2010)

Microsoft plans to release 11 security bulletins on Tuesday, April 13. Five of the bulletins have been rated critical; all of these affect Windows. Another five of the bulletins are rated important, and affect Windows, Microsoft Office, and Microsoft Exchange. The eleventh bulletin is rated moderate and affects Windows. In all, the bulletins will address 25 security vulnerabilities. Exploit code for two of the vulnerabilities is already in the wild. Microsoft is also reminding users that as of July 13, 2010, it will no longer support Windows XP SP 2; users are urged to upgrade to XP SP 3 or Windows 7. On the same day, Microsoft will stop extended support for Windows 2000; no updates of any kind for Windows 2000 will be released after this date. Also, as of April 13, 2010, Windows Vista RTM will no longer be supported; Service Pack 1 will be supported through July 2011, but users are urged to upgrade to SP 2 or Windows 7.
-http://news.cnet.com/8301-27080_3-20002053-245.html
-http://www.microsoft.com/technet/security/bulletin/ms10-apr.mspxs
-http://blogs.technet.com/msrc/archive/2010/04/08/april-2010-bulletin-release-advance-notification.aspx
-http://support.microsoft.com/gp/lifeselectindex
[Editor's Note (Skoudis): Wow! That's a lot of patches. Get ready for a very busy patch Tuesday... Remember, test thoroughly and quickly before moving things into production. ]

Adobe May Make Changes to Reader and Acrobat to Protect Users (April 6, 7 & 8, 2010)

Adobe is considering making changes to its PDF programs to prevent them from being used to launch cyber attacks. An attack on Adobe Reader and Acrobat described by a researcher last week showed how attackers can alter the wording of the warnings the programs give when they are about to execute a potentially malicious program so that users are lulled into thinking that they are safer than they actually are. Adobe is reconsidering the automatic launch feature of its flagship products. Users can manually change program settings to disable automatic launch. In a separate story, Adobe plans to release its automated patch updater next week. Users will have the option of turning off the automated update feature. Windows users can also choose to download the updates and install them later.
-http://www.theregister.co.uk/2010/04/07/adobe_pdf_changes/
-http://www.theregister.co.uk/2010/04/08/adobe_reader_updater/
-http://blogs.zdnet.com/security/?p=6028&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+zdnet%2Fsecurity+%28ZDNet+Zero+Day%29
-http://www.computerworld.com/s/article/9175043/Adobe_to_switch_on_silent_PDF_updates_for_Reader_Acrobat?taxonomyId=17
-http://www.h-online.com/security/news/item/Adobe-issues-official-workaround-for-PDF-vulnerability-971932.html

[Editor's Note (Schultz): Given that Adobe Reader vulnerabilities have for quite a while been attackers' vulnerabilities of choice to exploit, Adobe does indeed need to change its approach to security in this product. Simply patching vulnerability after vulnerability does not seem to be doing any good.
(Skoudis): Although it has taken a very long time for Adobe to come around on this, I'm really happy to see both of these proposed changes. I hope they follow through and make them because they will go a long way to improving the security stance of users of Adobe and Acrobat.
(Honan): I certainly hope Adobe review the security in their products, especially as researchers now claim to be able to develop worms specific to the PDF format
-http://www.theregister.co.uk/2010/04/06/wormable_pdfs/
and that according to F-Secure, Adobe Reader is the most attacked software so far in 2010
-http://news.techworld.com/security/3214895/adobe-reader-most-attacked-application-says-f-secure/
]

Faulty Routing Data From Chinese ISP Causes Problems Again (April 8, 2010)

Bad routing data from an ISP called IDC China Telecommunication was re-transmitted by China Telecommunications, a state-owned entity, and then spread around the globe. The incorrect information redirected roughly 35,000 networks to IDC China Telecommunications for about 20 minutes on Thursday morning. The event appears to be accidental, but points to weaknesses inherent in the Border Gateway Protocol (BGP).
-http://www.computerworld.com/s/article/9175081/A_Chinese_ISP_momentarily_hijacks_the_Internet_again_?taxonomyId=17

[Editor's Note (Skoudis): Big routing attacks are the Achilles heel of the Internet. So far, we have only seen a few widespread accidents. But, it is a legitimate worry that bigger, intentional attacks could occur. ]
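The route leak above worked because BGP accepts whatever origin an announcement claims. The following is an added illustration, not code from the article or from any of the parties named in it: it checks observed announcements against a constructed table of expected origins (in the spirit of RPKI route origin data) and flags prefixes announced from the wrong origin AS or as an over-specific subnet, which is how a defender would notice that thousands of networks are suddenly being drawn toward one ISP. All AS numbers, prefixes and announcements below are constructed sample data.

```python
import ipaddress

# Constructed expected-origin table: prefix -> (authorised origin AS, max prefix length).
# Modelled loosely on RPKI ROA records; every value here is made up.
EXPECTED_ORIGINS = {
    "192.0.2.0/24": (64500, 24),
    "198.51.100.0/22": (64501, 24),
    "203.0.113.0/24": (64502, 24),
}

# Constructed sample of observed announcements as (prefix, AS_PATH).
# AS 64599 plays the role of the ISP whose faulty routing table was re-announced.
OBSERVED = [
    ("192.0.2.0/24", [64510, 64500]),           # legitimate origin
    ("198.51.100.0/22", [64510, 64501]),        # legitimate origin
    ("203.0.113.0/24", [64510, 64520, 64599]),  # wrong origin AS
    ("198.51.100.128/25", [64510, 64599]),      # over-specific subnet, wrong origin
    ("192.0.2.0/24", [64510, 64599, 64500]),    # origin correct; path check is out of scope
]


def covering_roa(prefix):
    """Return the most specific expected-origin entry covering `prefix`, or None."""
    net = ipaddress.ip_network(prefix)
    best = None
    for cand, (asn, maxlen) in EXPECTED_ORIGINS.items():
        cnet = ipaddress.ip_network(cand)
        if net.version == cnet.version and net.subnet_of(cnet):
            if best is None or cnet.prefixlen > best[0].prefixlen:
                best = (cnet, asn, maxlen)
    return best


def validate(prefix, as_path):
    """Classify one announcement as 'valid', 'invalid' or 'unknown' (no covering entry)."""
    roa = covering_roa(prefix)
    if roa is None:
        return "unknown"
    _, asn, maxlen = roa
    origin = as_path[-1]  # the origin AS is the last element of the AS_PATH
    if origin == asn and ipaddress.ip_network(prefix).prefixlen <= maxlen:
        return "valid"
    return "invalid"


def find_invalid(announcements):
    """List (prefix, claimed origin AS) for every announcement that fails validation."""
    return [(p, path[-1]) for p, path in announcements if validate(p, path) == "invalid"]


def prefixes_per_bad_origin(announcements):
    """Count invalid prefixes per claimed origin; one AS with a large count is the leak signature."""
    counts = {}
    for _, origin in find_invalid(announcements):
        counts[origin] = counts.get(origin, 0) + 1
    return counts


if __name__ == "__main__":
    for prefix, origin in find_invalid(OBSERVED):
        print(f"INVALID {prefix} claimed by AS{origin}")
    print(prefixes_per_bad_origin(OBSERVED))
```

In practice the expected-origin table would come from RPKI validators or an operator's own prefix registry, and the announcements from a route collector feed rather than an inline list.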

Former Bank of America IT Worker Charged in ATM Scheme (April 7 & 8, 2010)

Rodney Reed Caverly has been charged with one count of computer fraud for allegedly creating a program that allowed ATMs to dispense cash without generating records of the transactions. Caverly worked in the IT department of Bank of America (BofA); the scheme ran over a seven-month period in 2009. BofA's total losses have not been released. Caverly faces up to five years in prison and is expected to enter a guilty plea next week.
-http://www.computerworld.com/s/article/9174991/BofA_insider_to_plead_guilty_to_hacking_ATMs?source=rss_news

-http://www.wired.com/threatlevel/2010/04/bank-of-america-hack/

Romanian Police Arrest 70 In Connection with eBay Fraud (April 7, 2010)

Romanian police have arrested 70 people believed to be members of three separate cyber crime groups. The suspects allegedly obtained eBay login credentials through phishing attacks. Nearly 800 people have been identified as victims in the scheme, which also involved selling items that did not exist or were never delivered. In all, an estimated US $1 million was lost. The investigation, named Operation Valley of the Kings, involved law enforcement authorities in cities around the world.
-http://www.wired.com/threatlevel/2010/04/romania-cyber-thieves
[Editor's Note (Honan): Here is an interesting link to an interview with Gary Dickson of the FBI and legal attache to the US embassy in Romania talking about cyber crime in Romania:
-http://www.youtube.com/watch?v=nQcxea8hTos&feature=player_embedded]

Cyber Espionage Group Stealing Indian National Security Documents (April 6, 7 & 8, 2010)

A report by US and Canadian researchers says that a cyber espionage group has been stealing national security information from India. The researchers have been monitoring the activity for eight months and the attacks have been traced to servers in China. There is no evidence to suggest that the Chinese government is involved. The researchers are calling the cyber espionage group the "Shadow Network." Among the data stolen are documents relating to security along India's northeast border, which abuts China, as well as others relating to India and Africa, Russia and the Middle East. The group also stole information from computers on other continents; the only continents on which the group did not compromise computers are Australia and Antarctica.
-http://www.wired.com/threatlevel/2010/04/shadow-network/
-http://www.msnbc.msn.com/id/36193992/ns/technology_and_science-security/
-http://news.bbc.co.uk/2/hi/technology/8605548.stm
-http://www.esecurityplanet.com/news/article.php/3875281/Report-Alleges-Vast-Cyber-Crime-Syndicate-in-China.htm

[Editor's Note (Honan): In what must be a "tempting fate" statement, the Indian military stated last month that their systems are hack-proof
-http://timesofindia.indiatimes.com/India/Cyber-war-Army-says-its-systems-are-hack-proof/articleshow/4336279.cms
]


**********************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/