SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XII - Issue #37

May 11, 2010

The most important security web cast of the year (so far) is Thursday at 1 PM EDT, featuring John Streufert, CISO of the State Department and Matt Coose, head of (government-wide) Federal Network Security at the US Department of Homeland Security. It is titled "A Revolution in Federal Cyber Security: Continuous Automated FISMA Reporting - What's Required By OMB? What Works?"

They will be talking about how to make the shift to continuous security monitoring - what works, what DHS will do to help other agencies - how the new audits will be done. If you work in federal cyber security or want to get an early view of the future of security in the critical infrastructure and the business community, register at https://www.sans.org/webcasts/revolution-federal-cyber-security-continuous-autom
ated-fisma-reporting-required-o-93453

Alan

---

TOP OF THE NEWS

House Bill Would Create Cyberspace Office and Position of Cyberspace Director
Attack Affects Virtually All Anti-Virus Programs
Washington State Court Rules Library Internet Filters Do Not Violate Constitution

THE REST OF THE WEEK'S NEWS

Zero-Day Code Execution Flaw in Safari
Facebook Hires Consultant to Help Defend its Privacy Posture
WordPress Sites Under Attack
Verizon's Data Breach Investigation Report to Incorporate Secret Service Case Data
Small ISP Wins US $2.6 Million in Spam Case
Court Approves Preliminary Settlement in Heartland Case
DOJ Nets Thirty Felony Convictions in Phony Cisco Networking Hardware Operation
ICO Investigating Lost and Found NHS Flash Drive

---

************************* Sponsored By zScaler **************************
ALERT: THE HIDDEN DANGERS BEHIND YOUR FAVORITE SEARCH ENGINE. Hackers are exploiting search engines to infect your PCs and smart phones - do not let your company become the next victim. Join us for an educational webcast on May 26 - keynote by Peter Firstbrook, GARTNER.

Register here: http://www.sans.org/info/59023
*************************************************************************

TRAINING UPDATE
- -- SANS Security West 2010, San Diego, May 7-15, 2010 23 courses. Bonus evening presentations include Killer Bee: Exploiting ZigBee and the Kinetic World
http://www.sans.org/security-west-2010/

- -- SANSFIRE 2010, Baltimore, June 6-14, 2010 38 courses. Bonus evening presentations include Software Security Street Fighting Style and The Verizon Data Breach Investigations Report
http://www.sans.org/sansfire-2010/

- -- SANS Rocky Mountain 2010, Denver, July 12-17, 2010 8 courses. Bonus evening presentations include Hiding in Plain Sight: Forensic Techniques to Counter the Advanced Persistent Threat
http://www.sans.org/rocky-mountain-2010/

- -- SANS Boston 2010, August 2-8, 2010 11 courses. Special Events include Rapid Response Security Strategy Competition
http://www.sans.org/boston-2010/

- -- SANS Network Security 2010, Las Vegas, September 19-27, 2010 39 courses. Bonus evening presentations include The Return of Command Line Kung Fu and Cyberwar or Business as Usual? The State of US Federal CyberSecurity Initiatives
http://www.sans.org/network-security-2010/

Looking for training in your own community? http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/spring09.php

Plus Singapore, Amsterdam, Canberra and Portland all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
*************************************************************************

---

TOP OF THE NEWS

House Bill Would Create Cyberspace Office and Position of Cyberspace Director (May 7, 2010)

Proposed legislation in the US House of Representatives would create a national cyberspace office, establish a post of cyberspace director who would be confirmed by the Senate, and impose penalties on federal agencies that do not adequately secure their networks. The Executive Cyberspace Authorities Act was introduced by Representatives Jim Langevin (D-Rhode Island) and Michael McCaul (R-Texas). Langevin said that the cyber security coordinator position established by the president does not have "the proper authorities to adequately secure our networks and coordinate policy across government."
-http://www.nextgov.com/nextgov/ng_20100507_4986.php?oref=topnews
-http://www.informationweek.com/news/government/security/showArticle.jhtml?articl
eID=224701133&subSection=News
-http://fcw.com/articles/2010/05/07/web-cyber-coordinator-bill.aspx?admgarea=TC_S
ECCYBERSEC

Attack Affects Virtually All Anti-Virus Programs (May 7 & 9, 2010)

Researchers have devised an attack that sneaks past virtually all anti-virus programs. The attack affects anti-virus software that uses System Service Descriptor Table (SSDT) hooks to modify the Windows kernel. To exploit the flaw, attackers submit safe code to the driver hooks then swap it out for malicious code after it has passed security checks. The exploit works even without administrative privileges.
-http://www.theregister.co.uk/2010/05/07/argument_switch_av_bypass/
-http://www.examiner.com/x-39728-San-Jose-Technology-Examiner~y2010m5d9-Researche
rs-use-new-exploit-to-bypass-100-percent-of-tested-AV-software

Washington State Court Rules Library Internet Filters Do Not Violate Constitution (May 6, 2010)

The Washington state Supreme Court ruled that public libraries' use of content filters does not violate the state's constitution. In the 6-3 ruling, the majority wrote that just as the library has the discretion to determine the content of its physical collection, it may also determine the content of what is available online at its facilities. They also wrote that the libraries can unblock access to particular websites that contain constitutionally protected speech if adults request the action. Those justices dissenting from the ruling said that it restricts constitutionally protected speech. An attorney representing the American Civil Liberties Union (ACLU) disputed the ruling.
-http://www.msnbc.msn.com/id/37001589/ns/us_news/
[Editor's Note (Schultz): This is yet another intriguing ruling. A great deal of filtering typically occurs in the name of security. For example, ISPs selectively filter email, and firewalls and IPSs selectively filter incoming and outgoing network traffic. I would imagine that another form of filtering, filtering network traffic for the sake of security, is very likely to be challenged in a future legal case. ]

---

************************ Sponsored Link: ******************************
1) Are you responsible for managing vulnerabilities in an enterprise? How can you make sure you're getting the most value from penetration tests and vulnerability assessments - whether using in-house personnel or third-party contracts? Find out at the SANS Penetration Testing & Vulnerability Assessment Summit June, 14 -15 2010.

http://www.sans.org/info/59028
*************************************************************************

---

THE REST OF THE WEEK'S NEWS

Zero-Day Code Execution Flaw in Safari (May 10, 2010)

US-CERT has issued a vulnerability note about a zero-day flaw in the Safari web browser that could be exploited to crash the browser or allow arbitrary code execution. The flaw lies in the way Safari handles pop-ups. The vulnerability appears to affect Safari version 4.0.5 for Windows XP SP 2; earlier versions may be affected as well. There are no reports of the flaw being exploited in the wild.
-http://www.h-online.com/security/news/item/Zero-day-exploit-for-Safari-996614.ht
ml
-http://www.scmagazineus.com/critical-zero-day-flaw-found-in-apples-safari-browse
r/article/169838/
-http://www.computerworld.com/s/article/9176502/Researcher_reveals_Safari_zero_da
y_bug?taxonomyId=17
-http://www.kb.cert.org/vuls/id/943165

Facebook Hires Consultant to Help Defend its Privacy Posture (May 10, 2010)

In the wake of a string of complaints filed with the Federal Trade Commission (FTC) against Facebook, reports have surfaced that former FTC chairman Tim Muris is helping the social networking company with its privacy policy. Facebook has issued a statement denying that it has hired Muris; it is likely that he is being brought in as a consultant. Facebook's revamped policy allows the site to share user information with other websites.
-http://www.csoonline.com/article/593155/Reports_Facebook_hires_former_FTC_chair_
to_defend_privacy_issues
-http://www.pcmag.com/article2/0,2817,2363576,00.asp
-http://www.nbcbayarea.com/news/local-beat/Facebook-Hires-Former-FTC-Chairman-jw-
93319084.html

WordPress Sites Under Attack (May 10, 2010)

There are reports that websites powered by WordPress have come under attack. The code injection attacks affect sites hosted by DreamHost, GoDaddy, Bluehost and Media Temple. The affected pages appear to be infected with scripts that install malware on the systems of site visitors and that also prevent browsers from issuing warnings about unsafe sites. It appears that sites powered by Zen Cart eCommerce have also been attacked.
-http://www.h-online.com/security/news/item/Large-scale-attack-on-WordPress-99662
8.html
-http://news.softpedia.com/news/Mass-Injection-Attack-Hits-WordPress-Blogs-Across
-Multiple-Hosters-141694.shtml

Verizon's Data Breach Investigation Report to Incorporate Secret Service Case Data (May 6 & 8, 2010)

Starting this year, Verizon's annual Data Breach Investigation Report will incorporate data from cyber crime cases investigated by the US Secret Service. The added information includes hundreds of case studies from Secret Service investigations; companies can use the information to help them extradite and prosecute cyber criminals who attack their systems from outside the US. It should also help "identify emerging trends and techniques used to execute large-scale data breaches." The 2010 version of the report will be released this summer.
-http://www.zdnet.com/blog/security/verizon-partners-with-us-secret-service-on-da
ta-breach-report/6387
-http://www.esecurityplanet.com/features/article.php/3880666/Verizon-Secret-Servi
ce-Team-Up-on-Breach-Reports.htm
-http://www.internetnews.com/security/article.php/3880691/Verizon+Secret+Service+
Tackle+Cybercrime.htm

Small ISP Wins US $2.6 Million in Spam Case (May 6 & 7, 2010)

A US District Court in California has awarded Asis Internet Services nearly US $2.6 million for spam messages sent over the Internet service provider's (ISP) network between November 2006 and May 2008. The ISP has approximately 1,500 customers; the spam caused Asis to lose business and incur costs associated with fixing the problem. The judge awarded Asis US $865,000, but tripled the damages because of aggravated circumstances. The defendants, the principals of a business called Find a Quote, were found to have violated 2003's CAN-SPAM Act.
-http://www.scmagazineus.com/california-isp-wins-26m-judgment-against-spammers/ar
ticle/169696/
-http://www.theregister.co.uk/2010/05/06/spam_judgment/

Court Approves Preliminary Settlement in Heartland Case (May 7, 2010)

Heartland Payment Systems will establish a US $4 million fund to settle a consumer class action suit brought against the payments processor, according to preliminary approval granted by a federal court in Texas. An estimated 130 million payment cards were compromised in the breach that is the focus of the case brought last fall. Under the terms of the proposed settlement, affected consumers could claim up to US $175 for out of pocket expenses related to card cancellations and replacements and up to US $10,000 if the stolen data were used fraudulently.
-http://www.computerworld.com/s/article/9176431/Court_gives_preliminary_OK_to_4M_
consumer_settlement_in_Heartland_case?taxonomyId=84
-http://www.bankinfosecurity.com/articles.php?art_id=2498
[Editor's Note (Schultz): I suspect that the amount of the settlement for the credit card compromises would have been far greater had Heartland Payment Systems were not able to show that it practiced due diligence in protecting credit card information. It is difficult to argue that a credit card information processing company that had recently passed a PCI-DSS audit was negligent in securing credit card data. ]

DOJ Nets Thirty Felony Convictions in Phony Cisco Networking Hardware Operation (May 6 & 7, 2010)

The US Department of Justice (DOJ) says that a law enforcement initiative targeting phony networking hardware has netted 30 felony convictions. One of those convicted attempted to sell counterfeit hardware to the US Marine Corps. DOJ seized US $143 million worth of phony Cisco hardware. Operation Network Raider is responsible for 700 seizures of networking equipment since 2005. The schemes not only cost Cisco money, but potentially threatened national security by selling unreliable equipment.
-http://www.computerworld.com/s/article/9176412/DOJ_discloses_U.S._convictions_fo
r_sale_of_counterfeit_networking_hardware?taxonomyId=17s
-http://www.theregister.co.uk/2010/05/07/operation_network_raider/

ICO Investigating Lost and Found NHS Flash Drive (May 6, 2010)

The UK Information Commissioner's Office (ICO) is investigating the loss of a flash drive that contains information about psychiatric patients from the NHS Forth Valley trust in Scotland. The drive was found and turned in to a Glasgow newspaper. The ICO was recently granted the authority to impose fines of up to GBP 500,000 (US $742,000) for serious data breaches. A staff member has been suspended pending an investigation into the scope of the data breach. The medical trust's director says they are contacting affected patients. The NHS is the single largest source of data breaches in the UK, according to deputy ICO commissioner David Smith.
-http://www.zdnet.co.uk/news/security-threats/2010/05/06/privacy-watchdog-looks-i
nto-nhs-data-breach-40088863/

---

**********************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/