SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XII - Issue #5

January 19, 2010

Today is the first day on the job for President Obama's newly named National Cyber Coordinator, Howard Schmidt. His greatest challenge is not in knowing the right things to do; it is in getting federal agencies to act together to get those things done. Government aversion to innovation and risk taking is legendary. Our hope is that the level of threat is recognized widely enough that Mr. Schmidt can move quickly to make the federal government leads by example in risk reduction, in situational awareness, and in effective incident response.

Alan

---

TOP OF THE NEWS

Google Has No Immediate Plans to Leave China
France and Germany Warn Users Against IE Until Fix is Available
UK Man Acquitted in Filesharing Case

THE REST OF THE WEEK'S NEWS

US Will Send Official Protest to China Over Attacks
Google Attack May Have Had Inside Help
Researchers Say Malware Used in Google Attack is Too Sophisticated for Amateurs
IE Exploit Code in the Wild
Microsoft Working on Fix for Zero-Day IE Flaw
DoD Contractors Receiving Malicious PDF Attachments
FCC Proposed Rulemaking on Net Neutrality Generates Strong Comments
Lincoln National Warns Customers of Potential Data Security Breach
Guilty Plea in Spam Case
IETF Finishes SSL Fix

---

*********** Sponsored By RSA, The Security Division of EMC ***********

Virtualization and Security Information and Event Management (SIEM)

* Do you have a plan to address security and compliance needs for your virtualization project(s)?
* Do you need to incorporate VMware into your Compliance Audits?
* Do you need to monitor VMware changes?

https://www.sans.org/info/53493

Learn how to monitor a virtualized environment with RSA enVision(r) SIEM platform.

*************************************************************************

TRAINING UPDATE

-- SANS AppSec 2010, San Francisco, January 29 - February 5, 2010
8 courses and bonus evening presentations, including Social Zombies: Your Friends Want to Eat Your Brains
https://www.sans.org/appsec-2010/
-- SANS Phoenix, February 14 - February 20, 2010
6 courses and bonus evening presentations, including The Art of Incident Response and Advanced Forensic Techniques: Catching Hackers on the Wire
https://www.sans.org/phoenix-2010/
-- SANS 2010, Orlando, March 6 - March 15, 2010
38 courses and bonus evening presentations, including Software Security Street Fighting Style
https://www.sans.org/sans-2010/
-- SANS Northern Virginia Bootcamp 2010, April 6 - 13
Bonus evening presentations include Safe Surfing: How to Surf the Net Without Getting PWND
https://www.sans.org/reston-2010/
-- SANS Security West 2010, San Diego, May 7 - 15, 2010
23 courses. Bonus evening presentations include Killer Bee: Exploiting ZigBee and the Kinetic World
https://www.sans.org/security-west-2010/
Looking for training in your own community?
https://sans.org/community/
Save on On-Demand training (30 full courses)
- See samples at https://www.sans.org/ondemand/
Plus Tokyo, Bangalore, Oslo and Dublin all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org

*************************************************************************

---

TOP OF THE NEWS

Google Has No Immediate Plans to Leave China (January 18, 2010)

According to a Reuter's news service report, Google says it is not leaving China and is instead seeking to negotiate with authorities there over the next several weeks regarding information filtering restrictions. Google has said it will no longer filter Internet searches in China, which runs counter to its agreement with the Chinese government. Some have said that Google's decision to go public with the attack allegations and its decision to stop filtering results has put a strain on its relationship with the Chinese government and that the company may therefore find itself subject to more stringent restrictions if it decides to continue operations in the country. It has also been observed that Google's reputation among advertisers has been affected by the publicity and it may find that its advertisers have decided to move to its competitor, Chinese search engine Baidu.
-http://www.reuters.com/article/idUSTRE60E0BC20100117
-http://english.people.com.cn/90001/90776/90882/6871045.html
[Editor's Note (Schultz): Google has little choice; neither do other non-Chinese businesses in China. The government there has clearly for years been spearheading massive attacks on computers owned by businesses from other countries, but to retaliate by terminating doing business with China would put these businesses at a huge economic disadvantage. ]

France and Germany Warn Users Against IE Until Fix is Available (January 16 & 18, 2010)

Germany and France have both issued warnings urging computer users not to use Internet Explorer (IE) until a fix for a zero-day flaw is available. Attack code that exploits the zero-day vulnerability in the browser is now in the wild; the flaw was used to attack Google and other US companies. Thus far, the flaw has been exploited only in IE6, but experts expect this to change. Attackers could modify the available code to use it against other versions of the browser. The warnings came from Germany's Federal Office for Information Security (BSI) and France's Certa. Both urged users to switch to alternative browsers, such as Chrome or Firefox. Even Microsoft is urging users to upgrade their browsers and even their operating systems to protect their computers from potential attacks.
-http://news.bbc.co.uk/2/hi/technology/8465038.stm
-http://www.h-online.com/security/news/item/Warning-over-using-Internet-Explorer-
from-German-Government-as-exploit-goes-public-906173.html
-http://arstechnica.com/microsoft/news/2010/01/microsoft-wants-you-to-ditch-windo
ws-xp-and-ie6-for-security.ars
Update: Microsoft is encouraging people to upgrade to IE 8
-http://blogs.technet.com/msrc/archive/2010/01/18/advisory-979352-update-for-mond
ay-january-18.aspx
[Editor's Note (Honan): Australia's Computer Emergency Response Team, AusCERT, says that the threat posed by this vulnerability is overblown.
-http://www.smh.com.au/technology/security/ie-security-threat-overblown-australia
n-experts-20100119-mhkj.html]

UK Man Acquitted in Filesharing Case (January 15 & 18, 2010)

A UK man has been acquitted of charges in the country's first music file sharing trial. Alan Ellis claims he established Oink's Pink Palace while a student at Teesside University to hone his computer skills and increase his employment potential. The site connected users who were looking for music files with those who were willing to share music files. Authorities found the site had 200,000 members who had downloaded music files 21 million times; they also found that Ellis had nearly GBP 185,000 (US $300,000) in his bank accounts. Ellis told authorities that he did not host music files on his computers, but instead "provide(d) a connection between people." Oink was established in 2004 and shut down in 2007 following a police raid.
-http://www.eweekeurope.co.uk/news/first-uk-file-sharing-trial-ends-in-acquittal-
3058
-http://technology.timesonline.co.uk/tol/news/tech_and_web/article6990187.ece
-http://www.siliconrepublic.com/news/article/14895/digital-life/suspected-uk-file
-sharer-acquitted

---

******************** SPONSORED LINKS ****************************

1) Participation is needed! Be a part of this years 2010 SANS Log Management Report by completing the survey and have a chance to win a $250 AMEX Card. Click here to complete the survey an be automatically registered.

https://www.sans.org/info/53498

*******************************************************************

---

THE REST OF THE WEEK'S NEWS

US Will Send Official Protest to China Over Attacks (January 15, 16 & 18, 2010)

The US government plans to issue an official protest to China's government regarding the cyber attacks against Google and more than 30 other US companies that are alleged to have originated in China. Google has already said it will no longer filter search results for Chinese users as it had been doing in accordance with Chinese government requirements. The US government also plans to demand information on how the attack occurred and what the Chinese government plans to do about it. The decision to issue the complaint marks a heightened focus on human rights. Other tech US companies doing business in China have not voiced support for Google's anti-censorship announcement, although Yahoo has condemned the attacks.
-http://www.washingtonpost.com/wp-dyn/content/article/2010/01/15/AR2010011503917_
pf.html
-http://www.securecomputing.net.au/News/164841,google-stands-alone-on-censorship-
decision.aspx
Storm Center:
-http://isc.sans.org/diary.html?storyid=7969]

Google Attack May Have Had Inside Help (January 18 & 19, 2010)

Google China is investigating allegations that company insiders abetted the attacks. Local media reports claim that some Google China employees were put on leave or transferred to other offices and others found their access to internal networks severed. In addition to attacks on corporate computers, Gmail addresses used by foreign journalists at two bureaus in Beijing were found to have been hijacked and messages sent to those addresses forwarded to other addresses. Chinese human rights activists have made similar claims.
-http://technology.timesonline.co.uk/tol/news/tech_and_web/article6992771.ece
-http://news.cnet.com/8301-27080_3-10436618-245.html?part=rss&subj=news&a
mp;amp;tag=2547-1_3-0-20
-http://www.nytimes.com/2010/01/19/technology/companies/19google.html?ref=technol
ogy&pagewanted=print

Researchers Say Malware Used in Google Attack is Too Sophisticated for Amateurs (January 15, 2010)

According to researchers brought in to investigate the attack on Google, the malware used to exploit a zero-day vulnerability on Internet Explorer (IE) is too sophisticated for run-of-the-mill attackers to have developed; they surmise that the code was designed and deployed with the support of Chinese authorities. The malware used in the attack has been called "unique," and the researchers noted that they had never seen anything resembling it in "commercial space," but had seen similarly sophisticated attacks on government systems. Time stamps in the command and control log files indicate the attacks began in mid-December 2009 and continued through January 4, 2010. Google has acknowledged that attackers stole information from its corporate network. The researchers also said that the IE flaw was not the sole vector of attack. The same group is believed to have launched attacks on the computer networks of more than 30 US companies.
-http://www.computerworld.com/s/article/9145279/Chinese_authorities_behind_Google
_attack_researcher_claims?taxonomyId=1R
[Editor's Note (Skoudis): The information revealed about this attack so far has been fascinating. I'm hoping that the investigators working on it will be allowed eventually to share sanitized technical lessons learned so that other organizations can prevent and, just as importantly, detect when these kinds of attacks inevitably occur in the future. ]

IE Exploit Code in the Wild (January 15 & 18, 2010)

Exploit code for the zero-day Internet Explorer (IE) vulnerability used to launch attacks against Google and other us companies has been made available on the Internet, increasing the likelihood that broader attacks will follow. The invalid pointer reference flaw exists in nearly all versions of IE, but protections built into later versions of the browser make it more difficult to exploit. For example, IE 8 has data execution prevention (DEP) turned on by default, but earlier versions of the browser require that users manually enable that function. Researchers are modifying the posted code so that it will work against more versions of the browser.
-http://www.theregister.co.uk/2010/01/15/ie_zero_day_exploit_goes_wild/
-http://www.securityfocus.com/brief/1064
Storm Center:
-http://isc.sans.org/diary.html?storyid=7993
-http://isc.sans.org/diary.html?storyid=8002

Microsoft Working on Fix for Zero-Day IE Flaw (January 13, 2010)

Microsoft has issued a security advisory warning of a zero-day Internet Explorer vulnerability that was allegedly exploited to launch attacks on Google and more than 30 other US companies. Microsoft says it is working on a fix for the vulnerability, but has not specified a release date for that fix. The company's next scheduled security update is Tuesday, February 9. Microsoft has issued guidance for protecting computers against exploits targeting the remote code execution vulnerability.
-http://www.computerworld.com/s/article/9144958/Microsoft_to_patch_bug_used_in_Go
ogle_hack?taxonomyId=17
-http://blogs.technet.com/msrc/archive/2010/01/14/security-advisory-979352.aspx
-http://www.microsoft.com/technet/security/advisory/979352.mspx

DoD Contractors Receiving Malicious PDF Attachments (January 18, 2010)

Cyber attackers have targeted US Defense Department (DoD) contractors with emails that appear to come from the DoD and have malicious PDF attachments. The email messages refer to a legitimate conference that is scheduled for March in Las Vegas. If the recipients open the maliciously crafted documents, the malware they contain attempts to install a Trojan horse program on users' computers. The attack exploits a critical flaw in Adobe Reader and Acrobat that Adobe patched, just one week ago.
-http://www.theregister.co.uk/2010/01/18/booby_trapped_pdf_cyber_espionage/

FCC Proposed Rulemaking on Net Neutrality Generates Strong Comments (January 15, 2010)

Comments have poured in to the US Federal Communications Commission (FCC) in response to its notice of proposed rulemaking on net neutrality. Focus on the issue has been heightened because of a court hearing regarding whether the FCC acted outside its scope of authority when it ordered Comcast to stop blocking users' access to BitTorrent. Based on lines of questioning from the judges, it looks like that case may be decided in Comcast's favor, in which case the FCC will take other action to ensure the availability, affordability, openness of the Internet and broadband service. The FCC wants the same authority it has to regulate public access to telephone and television to apply to the Internet. The FCC policy regarding broadband has been more hands off in an attempt to promote innovation and competition, but there are some who argue that competition has actually been throttled and prices driven higher than they should be.
-http://www.washingtonpost.com/wp-dyn/content/article/2010/01/14/AR2010011404717_
pf.html
-http://www.wired.com/epicenter/2010/01/skype-ctia-net-neutrality/
-http://www.computerworld.com/s/article/9145198/RIAA_tells_FCC_ISPs_need_to_be_co
pyright_cops?taxonomyId=17&pageNumber=1
-http://voices.washingtonpost.com/posttech/2010/01/att_google_net_neutrality_high
.html

Lincoln National Warns Customers of Potential Data Security Breach (January 14 & 15, 2010)

Lincoln National Corp. has begun notifying about 1.2 million customers of an incident that may have compromised the security of their personally identifiable information. The Financial Industry Regulatory Authority (FINRA) learned of the breach last August when an unidentified source provided the organization with a username and password that allowed access to Lincoln's portfolio management system. An investigation conducted by Lincoln found other instances of shared usernames and passwords at one of its subsidiaries. The shared passwords were established a decade ago to perform administrative activities. All shared access information has been changed. The management system in question is not used to conduct transactions, but does contain Social Security numbers (SSNs), account numbers and balances and other personal information valuable to identity thieves.
-http://www.darkreading.com/vulnerability_management/security/privacy/showArticle
.jhtml?articleID=222301034&cid=RSSfeed
-http://www.computerworld.com/s/article/9145240/Financial_firm_notifies_1.2M_afte
r_password_mistake?taxonomyId=17
-http://doj.nh.gov/consumer/pdf/lincoln_financial.pdf
[Editor's Note (Pescatore): While the high profile targeted attacks got all the press coverage, this incident is indicative of the types of problems (shared passwords, weak internal practices) that cause way more material damage to businesses in the long run. Lincoln National did the right thing in taking the very expensive step to notify customers event though there is no evidence that any compromise actually occurred. The cost of avoiding this incident (detecting and stopping the use of shared administrative passwords) would have been a small fraction of the cost of going through this disclosure event. ]

Guilty Plea in Spam Case (January 15, 2010)

A Romanian man has pleaded guilty in court in US District Court in Bridgeport, Connecticut to conspiracy to commit fraud related to spam. The associated phishing scheme attempted to defraud customers of Wells Fargo, Citibank, eBay and other companies. Tonita was arrested in Romania last July and extradited to the US. Cornel Ionut Tonita faces up to five years in prison for his role in the scheme. Tonita worked with six other men on the scheme; Ovidiu-Ionut Nicola-Roman was sentenced to 50 months in prison last March.
-http://www.computerworld.com/s/article/9145079/Romanian_faces_five_years_in_pris
on_for_phishing_scheme?taxonomyId=17
-http://www.scmagazineus.com/romanian-accused-of-email-address-theft-pleads-guilt
y/article/161526/
-http://newhaven.fbi.gov/dojpressrel/pressrel10/nh011410.htm

IETF Finishes SSL Fix (January 12 & 14, 2010)

The Internet Engineering Task Force (IETF) has completed a fix for a vulnerability in the secure sockets layer (SSL) protocol that was disclosed last summer. The fix involves a security extension to SSL to address a gap in the renegotiation portion of the authentication process that allows man-in-the-middle attacks. The fix will not be applied immediately, as vendors will require a testing period before it is ready to ship. IETF:
-http://tools.ietf.org/id/draft-ietf-tls-renegotiation-03.txt
-http://www.eweek.com/c/a/Security/IETF-Completes-Fix-for-SSL-Security-Vulnerabil
ity-589986/
-http://www.darkreading.com/vulnerability_management/security/vulnerabilities/sho
wArticle.jhtml?articleID=222300635
[Editor's Note (Skoudis): While the recent IE flaw is getting all the publicity lately, it's problems like this one in SSL that really worry me. Fundamental protocol flaws are usually much harder to deal with than a bug in a piece of software. For that reason, they are juicier to not only researchers, but also bad guys. I shudder to think about what other problems underly some of our most critical protocols. ]

---

**********************************************************************

The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/