SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XII - Issue #29
April 13, 2010
TOP OF THE NEWS
Agencies Fail on FDCC and TIC Implementation
Digital Economy Bill Becomes Law
ISP Customer Data Privacy Proposal Could Hinder Anti-Spam and Anti-Malware Efforts
THE REST OF THE WEEK'S NEWS
US Legislators Have Questions About Cyber Warfare Rules
Cyber Extortionists' Attacks Turn to BitTorrent Users
Brokerage Firm Fined for Data Loss
Ten Percent of Windows Machines Still Vulnerable to Conficker
Oracle, Adobe and Microsoft Issue Security Updates
Trudeau Facing Contempt Charges for Urging Supporters to eMail Judge
Wordpress Sites Targeted in Redirect Attack
Zero-Day Java Flaw
UK Council Takes Action Before ICO Launches Inquiry
Northcutt Commentary on the US Cyber Command
TRAINING UPDATE
-- SANS Security West 2010, San Diego, May 7-15, 2010 23 courses. Bonus evening presentations include Killer Bee: Exploiting ZigBee and the Kinetic World
http://www.sans.org/security-west-2010/
-- SANSFIRE 2010, Baltimore, June 6-14, 2010 38 courses. Bonus evening presentations include Software Security Street Fighting Style and The Verizon Data Breach Investigations Report
http://www.sans.org/sansfire-2010/
-- SANS Secure Europe Amsterdam 2010, June 21-July 3, 2010 8 courses.
http://www.sans.org/secure-amsterdam-2010/
-- SANS Rocky Mountain 2010, Denver, July 12-17, 2010 8 courses. Bonus evening presentations include Hiding in Plain Sight: Forensic techniques to Counter the Advanced Persistent Threat
http://www.sans.org/rocky-mountain-2010/
-- SANS Boston 2010, August 2-8, 2010 11 courses
http://www.sans.org/boston-2010/
Looking for training in your own community? http://sans.org/community/
Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/spring09.php
Plus Geneva, Toronto, Singapore and Canberra all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
*************************************************************************
TOP OF THE NEWS
Agencies Fail on FDCC and TIC Implementation
The Government Accountability Office found that Federal agencies are systematically failing to implement the Federal Desktop Core Configuration. Rather than making exceptions for specific computers that needed special configurations, they made agency-wide changes to FDCC that undermine the security value provided by this important national policy.
-http://fcw.com/Articles/2010/04/12/Web-GAO-FDCC-TIC.aspx?p=1
[Editor's Note (Paller): GAO's findings are well written and important, but the GAO researchers completely failed to notice that the single most important control in FDCC was not being implemented at all and was not even being tested by NIST-approved tools. ]
Digital Economy Bill Becomes Law (April 8 & 12, 2010)
The House of Lords has approved the Digital Economy Bill, making the contentious law official. The bill is heavily supported by entertainment industry representatives, who maintain they have suffered huge financial losses due to illegal filesharing. The new law gives the UK a three-strikes policy for illegal filesharers; habitual offenders can now have their Internet access suspended. ISP TalkTalk says it will take legal action against music and movie companies that attempt to use the Digital Economy Act to obtain information about the ISP's customers.
-http://www.nytimes.com/2010/04/09/technology/09piracy.html?partner=rss&emc=rss
-http://www.scmagazineuk.com/talktalk-claims-that-it-will-seek-a-court-order-before-surrendering-customer-details-under-the-digital-economy-act/article/167759/
-http://www.pcpro.co.uk/blogs/2010/04/12/digital-economy-bill-mps-didnt-know-what-they-were-talking-about/
[Editor's Note (Schultz): The idea of protecting the music and movie industries against piracy is good. What I fear will be bad about this legislation is that these industries too often cause false alarms, e.g., they see that TCP port 4662 is open on a machine, and so they assume that eDonkey is being used to illegally download copyrighted material. ]
ISP Customer Data Privacy Proposal Could Hinder Anti-Spam and Anti-Malware Efforts (April 7, 2010)
The American Registry for Internet Numbers (ARIN) is considering a proposal that would allow Internet service providers to hide their business customers' contact information. Security experts are concerned that the proposal would make it more difficult to protect users from spam and malware. ISPs support the proposal because it says the current situation requires that they publish their customer contact lists, which are considered "one of the most proprietary and confidential pieces of information in any business."
-http://krebsonsecurity.com/2010/04/isp-privacy-proposal-draws-fire/
-https://www.arin.net/policy/proposals/2010_3.html
THE REST OF THE WEEK'S NEWS
US Legislators Have Questions About Cyber Warfare Rules (April 12, 2010)
The Pentagon's Cyber Command has been "stalled for months" while US lawmakers question the Pentagon about its cyber warfare stance. The US military is reluctant to share information about its cyber strategy for national security reasons. Of particular concern to some is that Lt. General Keith Alexander, who has been nominated to head the Cyber Command, is also head of the National Security Agency. In addition, cyber retaliation is likely to have a ripple effect, having an impact on private citizens, hospitals, businesses and power plants.
-http://www.washingtonpost.com/wp-dyn/content/article/2010/04/12/AR2010041203539_pf.html
[A very brief essay on the US Cyber Command, by Stephen Northcutt, is at the end of this issue ]
Cyber Extortionists' Attacks Turn to BitTorrent Users (April 12, 2010)
Internet scam artists have identified a new vector of attack. Instead of bullying users into purchasing ineffective anti-virus software, attackers are scaring BitTorrent users into paying to avoid fines or even imprisonment for using the filesharing application. Malware installed on BitTorrent users' computers pops up messages while users are running BitTorrent; the messages claim that a scanner has detected pirated content on the computer and offer them the chance to pay US $400 as a pre-trial settlement. The messages claim to originate from the ICCP Foundation and threaten the users with fines of US $250,000 and five years in prison.
-http://www.wired.com/threatlevel/2010/04/ransomware/
-http://www.scmagazineus.com/bittorrent-users-targeted-in-new-trojan-extortion-ploy/article/167808/
Brokerage Firm Fined for Data Loss (April 12, 2010)
The Financial Industry Regulatory Authority has fined Montana-based brokerage company D.A. Davidson US $375,000 for failing to adequately protect customer data. Three Latvian individuals have been extradited to face charges for allegedly stealing the customer information and attempting to blackmail D.A. Davidson in 2008. Approximately 192,000 customers were affected. The brokerage company reported the breach as soon as it became aware of the situation and worked with the US Secret Service to identify the suspects.
-http://blog.thenewstribune.com/business/2010/04/12/brokerage-fined-375000-in-data-breach-case-alleged-hackers-arrested-and-extradited-from-eastern-europe/
-http://www.financial-planning.com/news/finra-da-davidson-2666466-1.html
[Editor's Note (Pescatore): That fine works out to be about $2 per account compromised, or less than 1% of the typical hard cost per account of going through a disclosure event. Whether PCI or FD or FINRA, the fines are just the tip of the iceberg of incident costs. ]
Ten Percent of Windows Machines Still Vulnerable to Conficker (April 7 & 12, 2010)
According to a report from Qualys, 10 percent of Windows computers are still vulnerable to Conficker, and about 2.5 percent of systems are currently infected with the worm. The vulnerability exploited by Conficker was addressed in an out-of-cycle Microsoft security bulletin released in October 2008 (MS08-067).
-http://www.zdnet.co.uk/news/security-threats/2010/04/12/one-in-10-systems-still-vulnerable-to-conficker-40088599/
-http://www.computerworld.com/s/article/9174998/1_in_10_Windows_PCs_still_vulnerable_to_Conficker_worm?taxonomyId=82
[Editor's Note (Pescatore): This is not unusual. There are a lot of appliances out there that are *never* patched, still Windows NT and Windows 2000 machines with no easy patch paths, etc. The real issue is can these machines be exploited? ]
Oracle, Adobe and Microsoft Issue Security Updates (April 9 & 12, 2010)
Oracle plans to issue patches for 47 security flaws on Tuesday, April 13. Sixteen of the vulnerabilities are in Solaris, seven are in Oracle database, eight affect the Oracle Application Suite and six affect Oracle industry applications. The others affect Oracle Fusion Middleware, the Oracle PeopleSoft and JD Edwards suite, and the Oracle Collaboration Suite. Many of the flaws are rated critical. Starting with this release, Oracle's Solaris suite will be included in the company's quarterly Critical Patch Update. Microsoft and Adobe will also release security updates on the same day. This month marks the official launch of Adobe's automated updater.
-http://www.scmagazineuk.com/oracle-to-join-adobe-and-microsoft-in-patching-tomorrow-as-it-prepares-plans-for-mysql-advisory-boards/article/167758/
-http://www.v3.co.uk/v3/news/2261052/solaris-quarterly-patch-updates
-http://www.h-online.com/security/news/item/Adobe-introduces-automatic-update-for-Reader-974165.html
[Editor's Note (Pescatore): Patches rated critical are generally that, but the Windows Authenticode (MS010-019) and the Windows MP3 Codec (MS010-26) vulnerabilities should be prioritized. ]
Trudeau Facing Contempt Charges for Urging Supporters to eMail Judge (April 8 & 12, 2010)
Lawyers for TV pitchman Kevin Trudeau are attempting to keep him out of jail after a judge ordered him to serve 30 days for contempt of court. Earlier this year, Trudeau encouraged his supporters to email Judge Robert W. Gettleman to ask him to rule in Trudeau's favor. Some of the email was perceived to be threatening, and the sheer volume of the messages caused the judge's Blackberry to freeze. Trudeau is facing FTC charges that he violated a 2004 court order that prohibits him from misrepresenting products he offers on infomercials.
-http://www.theregister.co.uk/2010/04/12/spam_judge_contempt_appeal/
-http://www.wired.com/threatlevel/2010/04/virtualpresence/
Wordpress Sites Targeted in Redirect Attack (April 9, 2010)
Hundreds of bloggers who use Wordpress have reported that their sites have been hijacked to direct visitors to a webpage that attempts to install malware. Almost all of the Wordpress users affected by the apparent attack are using Network Solutions as their web hosting provider. Network Solutions is investigating the problem; the company believes the problem may stem from a rogue plug-in. According to one security expert, Wordpress stores database credentials in plaintext in the wp-config file; he also said that a Network Solutions user wrote a script that searches for configuration files that are readable by all users.
-http://krebsonsecurity.com/2010/04/hundreds-of-wordpress-blogs-hit-by-networkads-net-hack/#more-2351
-http://www.scmagazineus.com/wordpress-users-report-hacked-blogs/article/167711/
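The exposure described above (a plaintext DB_PASSWORD in a wp-config.php that other customers on the same host can read) is something a hosting administrator can audit for and close. The following is an added example, not code from the article, Network Solutions or Wordpress; the sample directory tree, site names and the assumption that PHP runs as each site's owner (suPHP/suEXEC style) are mine.

```python
import os
import stat
import tempfile
from typing import Dict, List, Tuple

# Permission bits that expose a file to accounts other than its owner.
# On a shared host every other customer is "group" or "other", so any of
# these bits on wp-config.php hands out the plaintext DB_PASSWORD inside.
EXPOSED_BITS = stat.S_IRGRP | stat.S_IWGRP | stat.S_IROTH | stat.S_IWOTH


def find_exposed_wp_configs(root: str) -> List[Tuple[str, str]]:
    """Walk root and return (path, octal mode) for each wp-config.php
    that group or others can read or write."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "wp-config.php" not in files:
            continue
        path = os.path.join(dirpath, "wp-config.php")
        mode = stat.S_IMODE(os.stat(path).st_mode)  # follows symlinks
        if mode & EXPOSED_BITS:
            findings.append((path, format(mode, "04o")))
    return sorted(findings)


def harden_wp_config(path: str) -> str:
    """Clear group/other bits so only the file's owner can read it and
    return the resulting octal mode. Assumes the PHP process runs as
    that owner (suPHP/suEXEC hosting), otherwise the site cannot load it."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode & ~EXPOSED_BITS)
    return format(stat.S_IMODE(os.stat(path).st_mode), "04o")


def audit_and_harden(root: str, fix: bool = False) -> Dict[str, str]:
    """Map each exposed wp-config.php to its mode before (fix=False) or
    after (fix=True) hardening."""
    result = {}
    for path, mode in find_exposed_wp_configs(root):
        result[path] = harden_wp_config(path) if fix else mode
    return result


def build_sample_tree() -> str:
    """Constructed sample hosting root: two customer sites, one with a
    world-readable wp-config.php (0644) and one already owner-only (0600).
    Returns the temporary root path."""
    root = tempfile.mkdtemp(prefix="hosting-")
    for site, mode in (("alice.example", 0o644), ("bob.example", 0o600)):
        site_dir = os.path.join(root, site, "public_html")
        os.makedirs(site_dir)
        cfg = os.path.join(site_dir, "wp-config.php")
        with open(cfg, "w") as fh:
            fh.write("<?php define('DB_PASSWORD', 'constructed-secret');\n")
        os.chmod(cfg, mode)  # explicit, so the umask does not decide
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for path, mode in find_exposed_wp_configs(root):
        print(f"EXPOSED {mode} {path}")
    print(audit_and_harden(root, fix=True))
```

Run the audit read-only first against the real hosting root; apply fix=True only on hosts where PHP runs as the site owner, since an owner-only file is unreadable to a shared www-data process.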
Zero-Day Java Flaw (April 9 & 12, 2010)
A vulnerability in an NPAPI plug-in and ActiveX control called Java Deployment Toolkit could be exploited to execute malicious code. The flaw affects all recent versions of Windows and may affect versions of Linux as well. Attackers can exploit the flaw through maliciously crafted websites that pass commands to Java components that start certain applications, including Internet Explorer and Firefox. Disabling the Java plug-in does not protect users from attacks.
-http://www.theregister.co.uk/2010/04/09/critical_java_vulnerability/
-http://news.cnet.com/8301-27080_3-20002199-245.html?tag=mncol;title
-http://www.scmagazineus.com/sun-java-vulnerability-could-lead-to-web-attacks/article/167796/
-http://www.h-online.com/security/news/item/Java-exploit-launches-local-Windows-applications-974652.html
-http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=224202510
Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=8608
UK Council Takes Action Before ICO Launches Inquiry (April 9, 2010)
After experiencing a data security breach, the London (UK) borough of Barnet took a proactive stance in managing the incident. After notifying the parents of 9,000 children whose unencrypted personal information was compromised, the council published information about the breach on its website. It also explained the steps it was taking to address the incident and provided contact information for those with questions. The incident was likely to prompt an undertaking by the Information Commissioner's Office (ICO); it remains to be seen if the ICO will move forward with an inquiry or let the incident stand, as the council has already taken the actions an undertaking would require.
-http://www.theregister.co.uk/2010/04/09/data_loss_aftermath/
Northcutt Commentary on the US Cyber Command
US Lawmakers should be taking a close look at the US Cyber Command. Computers are cheap; the Internet is easy to access; this is the perfect playground for the guerrilla fighter. We think we are smarter, higher tech, better equipped than any adversary. But we have boys coming home in boxes from Afghanistan where the same things are supposed to be true. The USA has more to lose than almost any other country. We are more dependent on computers and networks. I am sitting here typing this note on Windows 7 with a 5 yr old Linux box on my left and an Apple on my right; and all three are online. Can you say "huge target?" I love my country; I want us to be ready with the best and the brightest; but no sane person should agree that the rules of engagement are a state secret. Rather the rules should be clearly posted on www.defense.gov for the world to see, and we should hold the Cyber Command accountable to follow them. We have already learned what happens when we go off half-cocked thinking we are so big and bad that we can do whatever we want to do. We need to continue to strengthen IT defense (20 critical controls, anyone?), build a strong offense, and use said offense sparingly and in a manner that does not put us all at risk.
The BitTorrent scam story in this issue ties right into my DOD rules-of-engagement comment. Every month more evidence emerges that attackers are getting better and better at reaching the everyday citizen. I think what the BitTorrent folks are doing is wrong, but let me tell you what is going to happen. The U.S. Cyber Command (aka NSA) is going to evade accountability and transparency citing national security. Then, one day, Cyber Command will issue a press release about an operation they just concluded, probably against Islamics, and it will be just like President George Bush landing on the USS Abraham Lincoln to give his "mission accomplished" speech for Iraq in 2003. For a few days, everyone will cheer; Twitter users will retweet.
However, then US English language specific worms will start to spread; attacks we never thought about will start to happen; people signed up to porn sites, wife swapping sites, sites you don't even want to know exist will be infected. And this malware will not be benign; it will destroy data. It will send grammatically correct notes to your siblings telling them they suck and that you never want to hear from them again. Will it throw us back to the stone age? Of course not, but more than a few people will lose all their family pictures because they are not backed up, and wills and business plans, designs that will one day be patents and more will all be lost. It is easy to create a scenario where billions of dollars of effort and productivity are lost. Perimeter security is fading fast. Now it is all about the end point, and the attackers sense that and they are focusing on the endpoint and end user. Near as I can understand, the DoD's primary purpose is to keep us from being invaded, and that means regular folks like you and me. Whatever the Cyber Command does, it should first focus on keeping the citizens of the United States of America safe from invasion from afar. If 80% of the budget is focused on that, I am very pleased to see my taxes used to support the US Cyber Command.
**********************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.
Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.
Alan Paller is director of research at the SANS Institute
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/