SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XII - Issue #48

June 18, 2010

TOP OF THE NEWS

Supreme Court Rules Police Dept. Within Rights to Read Employees' Texts
House Homeland Security Committee Hearing Focuses on US-CERT Shortcomings
System Will Alert Companies When Stolen Customer Data are Found on Internet

THE REST OF THE WEEK'S NEWS

FBI Cyber Crime Division Taking Over iPad Breach Investigation
US Authorities Concerned About ICQ's Sale to Russian Company
Cyber Thieves Using Modified BlackEnergy Trojan to Rob Bank Accounts
Suspect in Wireless Hacking Case Rejects Plea Deal
Mac OS X Update Does Not Incorporate Most Recent Version of Flash
Judge Reduces Damages in Case Against Spamhaus
Windows Help Center Vulnerability is Being Actively Exploited in XP

---

*********************** Sponsored By IBM (ISS) **************************
With an end-to-end approach to web application security, IBM helps you safeguard code, identify vulnerabilities, spot malware and block attacks. Comprehensive IBM solutions also deliver security and performance in Web services and SOA, while providing ongoing management of your Web applications
http://www.sans.org/info/60688
*************************************************************************

TRAINING UPDATE
- -- SANS Rocky Mountain 2010, Denver, July 12-17, 2010 8 courses. Bonus evening presentations include Hiding in Plain Sight: Forensic Techniques to Counter the Advanced Persistent Threat
http://www.sans.org/rocky-mountain-2010/

- -- SANS Boston 2010, August 2-8, 2010 11 courses. Special Events include Rapid Response Security Strategy Competition
http://www.sans.org/boston-2010/

- -- SANS Virginia Beach 2010, August 29-September 3, 2010 9 courses. Bonus evening presentations include Future Trends in Network Security
http://www.sans.org/virginia-beach-2010/

- -- SANS Network Security 2010, Las Vegas, September 19-27, 2010 40 courses. Bonus evening presentations include The Return of Command Line Kung Fu and Cyberwar or Business as Usual? The State of US Federal CyberSecurity Initiatives
http://www.sans.org/network-security-2010/

- -- SOS: SANS October Singapore, October 4-11, 2010 7 courses
http://www.sans.org/singapore-sos-2010/

- -- Looking for training in your own community? http://sans.org/community/ Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/spring09.php
Plus Amsterdam, Washington DC, Canberra and Portland all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
*************************************************************************

---

TOP OF THE NEWS

Supreme Court Rules Police Dept. Within Rights to Read Employees' Texts (June 17, 2010)

The US Supreme Court has ruled that the Ontario, California Police department did not violate a police sergeant's rights when it read transcripts of messages from his work-issued pager. The high court said that even if the police sergeant had a reasonable expectation of privacy, a departmental audit of messages on the work-issued device was not unreasonable. The issue was whether or not Sgt. Jeff Quon could sue the police chief, the police department and the city for reading personal messages that he sent and received on his work-issued pager. An unwritten policy within the department indicated that employees' messages would not be read if they paid for any overages, which Quon had done regularly. The audit of employee messages was conducted to see if the limit of 25,000 characters per month was adequate for employees to conduct official business.
-http://www.csmonitor.com/USA/Justice/2010/0617/Supreme-Court-backs-police-depart
ment-that-read-employee-s-texts
-http://www.wired.com/threatlevel/2010/06/texting-privacy/
-http://www.msnbc.msn.com/id/37760958/ns/business-careers/
-http://www.computerworld.com/s/article/9178199/Supreme_Court_ruling_lets_employe
rs_view_worker_text_messages_with_reason
[Editor's Note (Schultz): This is a landmark ruling. The Ontario police department left itself wide open legally by not having a written terms of use (acceptable use) policy. The fact that the US Supreme Court ruled in favor of the defendent anyway helps establish the precedent that implied policies may, at least under some circumstances, be adequate. ]

House Homeland Security Committee Hearing Focuses on US-CERT Shortcomings (June 16, 2010)

At a House committee hearing on the DHS's role in national cyber security, ranking Homeland Security Committee member Representative Peter King (R-New York) did not receive satisfactory answers to his questions about who would be in charge of coordinating the response to a cyber attack against US financial systems. The effectiveness of the Department of Homeland Security's (DHS) US Computer Emergency Readiness Team (US-CERT) was questioned at Wednesday's hearing as well. Department of Homeland Security (DHS) inspector general Richard Skinner said that US-CERT lacks the resources necessary to protect the country's computer networks from attacks and to compel other agencies to address security flaws in their systems. Committee Chairman Representative Bennie Thompson (D-Mississippi) said that US-CERT lacks sufficient staff and has had four directors in five years.
-http://www.cnn.com/2010/US/06/16/cyber.threats.report/?hpt=C1
-http://www.computerworld.com/s/article/9178133/Lawmakers_question_U.S._cybersecu
rity_readiness?taxonomyId=17
-http://www.nextgov.com/nextgov/ng_20100616_1933.php?oref=topstory
-http://www.govinfosecurity.com/articles.php?art_id=2656
-http://www.scmagazineus.com/report-finds-us-cert-mishandling-cybersecurity-role/
article/172637/
-http://fcw.com/articles/2010/06/16/web-dhs-cyber-hearing-ig.aspx?admgarea=TC_SEC
CYBERSEC
-http://www.nextgov.com/nextgov/ng_20100616_4311.php?oref=topnews
-http://www.wired.com/dangerroom/2010/06/dhs-geek-squad-understaffed-with-no-juic
e-and-no-plan/
[Editor's Note (Ranum): DHS' problem isn't lack of money; it's lack of just about everything else that matters; technical know-how, good management, and intellectual discipline.
(Schultz): Sadly, despite the admirable efforts of some US-CERT staff members, US-CERT is not living up to its expectations--something that is widely known among US government agencies and departments.
(Paller): The question of why DHS seems repeatedly to "grasp defeat from the jaws of victory" has come up often in the past few months, most commonly among people who had great hope when Phil Reitinger took over cyber leadership. Many of those people blame Phil, but I believe the actual reason is DHS lawyers run amuck. No official in DHS can do *anything* without lawyers' full concurrence. But when a new idea arises, the lawyers first delay, then they catastrophize (suggest terrible things will happen if the project goes ahead); then they delay some more, until all the energy and excitement goes out of the people working there. Ivan Fong, the DHS general counsel knew about the problem from the previous Administration and tried to rein the lawyers in, but he took his eye off that ball, and they went back to their old ways. If he doesn't fix the problem soon, Sec. Napolitano almost certainly will be remembered as the official who completely dropped the ball on cyber security. ]

System Will Alert Companies When Stolen Customer Data are Found on Internet (June 17, 2010)

Microsoft and the National Cyber Forensics Training Alliance have jointly launched the Internet Fraud Alert system, a portal that alerts companies quickly if their customers' credentials or credit card information are found in online caches of stolen data. Researchers and law enforcement authorities will be able to report compromised data; banks, social networking sites, retailers and other companies can register with the system to receive alerts if their customers' data are discovered. The system fills a need because there has been no formal procedure for notifying companies about caches of stolen data. Internet Storm Center:
-http://isc.sans.edu/diary.html?date=2010-06-17
-http://www.scmagazineus.com/new-fraud-service-serves-as-repository-for-stolen-da
ta/article/172716/
-http://www.msnbc.msn.com/id/37753400/ns/technology_and_science-security/

---

**************************** Sponsored Links: **************************
1) Register now for SANS Analyst Webcast: Compliance in Cloud-based Data Centers: Key Policy Points on June 30th at 1PM ET. In this webcast, learn the difference between public and private clouds, followed by key policy points and resources. Go To: http://www.sans.org/info/60693

2) Contribute to our SANS network security survey. Help us determine how organizations are hardening their network infrastructure against attack and high-stress application load. The survey takes five minutes and makes you eligible for a $250 Gift Card. Results will be announced in a July 22nd SANS Analyst Webcast. http://www.sans.org/info/60698

3) REGISTER NOW for the re-release of webcast: A Revolution in Federal Cyber Security: Continuous Automated FISMA Reporting - What's Required By OMB? What Works? http://www.sans.org/info/60703
*************************************************************************

---

THE REST OF THE WEEK'S NEWS

FBI Cyber Crime Division Taking Over iPad Breach Investigation (June 17, 2010)

The iPad data breach investigation has been taken over by a cyber crime division of the FBI. Authorities have detained a member of the group that allegedly exploited a flaw in an AT&T website to obtain personal information of more than 100,000 iPad users. Andrew Auernheimer was arrested after FBI agents searched his home and found drug paraphernalia. He has been released on US $3,160 bond. An AT&T spokesperson did not comment on whether the warrant served in the search was related to the iPad data breach.
-http://www.eweek.com/c/a/Midmarket/FBI-Nabs-iPad-Hacker-Allegedly-Involved-in-Se
curity-Breach-385097/
-http://www.computerworld.com/s/article/9178158/iPad_hacker_arrested_on_multiple_
drug_charges_after_FBI_search?taxonomyId=17
-http://krebsonsecurity.com/2010/06/drug-charges-against-accused-attipad-hacker/
-http://news.cnet.com/8301-27080_3-20008096-245.html
-http://www.ibtimes.com/articles/29267/20100617/goatse-hacker-blog-shows-extremis
t-views.htm

US Authorities Concerned About ICQ's Sale to Russian Company (June 16 & 17, 2010)

US law enforcement authorities are concerned that AOL's deal to sell ICQ to the Russian company Digital Sky Technology would impede their ability to access ICQ servers. ICQ is favored by criminals, and chat transcripts have proven valuable in prosecuting Internet-related crimes. US investigators have told the Committee on Foreign Investment of their concerns. That committee has the authority to block or alter business deals that could pose a threat to US national security. ICQ servers are still presently located in Israel; US authorities have in some cases been able to access chat transcripts of suspects in criminal investigations.
-http://www.theregister.co.uk/2010/06/16/aol_icq_fears/
-http://www.h-online.com/security/news/item/US-authorities-Sale-of-ICQ-would-comp
licate-prosecution-1024387.html
[Editor's Note (Northcutt): You would not know it from the controversy over Dubai Ports World and then shortly thereafter blocking the sale of SourceFire to Checkpoint, but it is fairly rare to block a sale to a foreign entity. AOL has to raise enough cash to do a total makeover if they are to have any chance of surviving a few more years. They sold their social media site Bebo for about $10 Million, which they bought for at least $766 Million in 2008, but cannot afford to maintain its operating costs. If we block the sale, we almost certainly hasten their demise and the crooks will go somewhere else:
-http://www.businessweek.com/news/2010-06-17/aol-sells-bebo-to-criterion-for-less
-than-10-million-update3-.html]

Cyber Thieves Using Modified BlackEnergy Trojan to Rob Bank Accounts (June 16 & 17, 2010)

Cyber thieves are using the BlackEnergy 2 Trojan to drain bank accounts in Russia and Ukraine by bypassing the banks' java authentication systems while launching distributed denial-of-service attacks on the same systems to distract the bank employees. The malware used in this series of attacks appears to be based on the BlackEnergy Trojan that was used to launch cyber attacks in the 2008 conflict between Russia and Georgia.
-http://www.net-security.org/malware_news.php?id=1377
-http://www.theregister.co.uk/2010/06/16/blackenergy2_ddos_attacks/

Suspect in Wireless Hacking Case Rejects Plea Deal (June 16, 2010)

The Minnesota man who allegedly used his neighbor's wireless network to send threatening messages to US Vice president Joe Biden has rejected a plea deal in favor of a trial. The plea agreement addressed Barry Vincent Ardolf's alleged misuse of his neighbor's network and the threats, but if he goes to trial, Ardolf is likely to face additional charges for allegedly sending child pornography to a neighbor's colleagues and posting offensive images on a website set up in the neighbor's name. The judge has ordered that all computers and electronic devices be removed from Ardolf's home and that he have no contact with his neighbor.
-http://www.theregister.co.uk/2010/06/16/ardolf_drops_plea/
-http://wcco.com/crime/joe.biden.threaten.2.1754748.html

Mac OS X Update Does Not Incorporate Most Recent Version of Flash (June 16, 2010)

On Tuesday, June 15, Apple released a security update for Mac OS X to address 28 vulnerabilities. OS X 10.6.4 fixes flaws in 17 of the operating system's components, including iChat and Flash Player. Although the update addresses a pair of flaws in Flash, the version of Flash included with the update is not the most recent, and safest one available. Adobe released Flash 10.1.53.64 last week to address a number of flaws, including a zero-day vulnerability that was being actively exploited. The Mac update comes with Flash version 10.0.45.2. Mac users should check to see which version of Flash they have on their computers; the OS X update does not appear to downgrade those who have already updated to Flash 10.1.53.64. If Mac users find they are running an older version of Flash, they are urged to download the most recent version of Flash from Adobe's website.
-http://www.scmagazineus.com/mac-update-plugs-28-flaws-does-not-include-flash-101
/article/172605/
-http://www.computerworld.com/s/article/9178140/Adobe_knocks_Apple_for_serving_up
_outdated_Flash_Player?taxonomyId=17
-http://www.h-online.com/security/news/item/Apple-releases-Mac-OS-X-10-6-4-update
-1023402.html
-http://support.apple.com/kb/HT4188

Judge Reduces Damages in Case Against Spamhaus (June 16, 2010)

US Judge Charles P. Kocoras has slashed the amount of a judgment against anti-spam group Spamhaus from US $11.2 million to just over US $27,000. The plaintiffs, e360 Insight, were awarded the exorbitant sum in a default ruling, but an appeals court threw out that verdict and sent the case back to lower court to determine damages. Judge Kocoras said the initial damages were not calculated in a credible manner. E360 has sued Spamhaus for blocking about 3 billion emails it sent on its clients' behalf. The messages were blocked by service providers that subscribed to the Spamhaus blacklist.
-http://www.theregister.co.uk/2010/06/16/spamhaus_judgment_eviserated/
-http://arstechnica.com/tech-policy/news/2010/06/accused-spammer-demands-135m-fro
m-spamhaus-gets-27002.ars

Windows Help Center Vulnerability is Being Actively Exploited in XP (June 15, 2010)

Microsoft has updated its advisory about a critical vulnerability in the Windows Help and Support Center that is being actively exploited. While the flaw exists in both Windows XP and Windows Server 2003, the attack code affects only Windows XP. The man who disclosed the flaw publicly has met with criticism for allowing Microsoft just five days after he notified them of the flaw before he went public with the information. Until a patch is available, users can protect their computers by disabling certain Help Center features. Internet Storm Center:
-http://isc.sans.edu/diary.html?storyid=8995
-http://gcn.com/articles/2010/06/16/hackers-exploiting-windows-xp-help-flaw.aspx?
admgarea=TC_SECURITY
-http://www.theregister.co.uk/2010/06/15/windows_help_bug_exploited/
-http://www.computerworld.com/s/article/9178084/Hackers_exploit_Windows_XP_zero_d
ay_Microsoft_confirms?taxonomyId=17
-http://www.csoonline.com/article/596877/controversial-windows-xp-vulnerability-n
ow-being-exploited-
-http://krebsonsecurity.com/2010/06/unpatched-windows-xp-flaw-being-exploited/
-http://www.securecomputing.net.au/News/215569,microsoft-confirms-exploits-target
ing-ormandy-zeroday.aspx
-http://support.microsoft.com/kb/2219475

---

**********************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/