SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XII - Issue #52
July 02, 2010
Senator Reid and the Chairmen of Six Senate Committees Jointly Tell The President To Get Moving on Cyber Security
In a letter delivered to the White House yesterday, Senators Reid, Lieberman (Homeland Security), Rockefeller (Commerce), Leahy (Judiciary), Levin (Armed Services), Kerry (Foreign Relations), and Feinstein (Intelligence) told the President that each day the threat of cyber attack increases, and that there is an "urgent need for action." The trigger for the letter was the White House's refusal to even engage on the major issues. This is the highest profile recognition that the White House talks the talk about cyber security, but doesn't walk the walk. If the White House were a sports team, it would be as if the owner hired the top all stars in the field but then let the economists and lawyers take over the game and keep all the stars on the bench.
Alan
PS I'll get the letter posted later today at http://www.sans.org/resources/Senate_Letter_to_Obama
TOP OF THE NEWS
Anti-Piracy Practices Tied to Funding for Colleges and Universities
Russian Spy Ring Communicated Through Steganography
Apple Faces Privacy Questions from US Legislators and German Justice Minister
THE REST OF THE WEEK'S NEWS
Romanian Authorities Arrest 50 for Alleged Use of Cell Phone Spyware
Federal Agents Shut Down Nine Sites in Anti-Piracy Operation
Microsoft Sees Significant Uptick in Number of Machines Infected via Help Center Flaw
Facebook Privacy About-Face
Chrome Will (Eventually) Block Insecure Plug-ins
Adobe Releases Reader and Acrobat Updates
Attorneys Allegedly Accessed WellPoint Patient Data While Pursuing Class Action Lawsuit
Australia Introduces Internet Industry Code of Practice
************************ Sponsored By BDNA ******************************
REGISTER NOW for the upcoming webcast: Sequencing the IT Genome: Agent-less IT Asset Visibility for an Enhanced Security Strategy Wednesday, July 7, 2010 at 1:00 PM EDT
http://www.sans.org/info/61198
Sponsored By: BDNA http://www.bdna.com/
This live web presentation and Q&A with Walker White, CTO of BDNA will provide an overview on how IT Genomics is the most effective method to manage your IT infrastructure and how BDNA provides the tools and content to ensure you can effectively sequence it and thereby manage
*************************************************************************
TRAINING UPDATE
- -- SANS Rocky Mountain 2010, Denver, July 12-17, 2010 8 courses. Bonus evening presentations include Hiding in Plain Sight: Forensic Techniques to Counter the Advanced Persistent Threat
http://www.sans.org/rocky-mountain-2010/
- -- SANS Boston 2010, August 2-8, 2010 11 courses. Special Events include Rapid Response Security Strategy Competition
http://www.sans.org/boston-2010/
- -- SANS Virginia Beach 2010, August 29-September 3, 2010 9 courses. Bonus evening presentations include Future Trends in Network Security
http://www.sans.org/virginia-beach-2010/
- -- SANS Network Security 2010, Las Vegas, September 19-27, 2010 40 courses. Bonus evening presentations include The Return of Command Line Kung Fu and Cyberwar or Business as Usual? The State of US Federal CyberSecurity Initiatives
http://www.sans.org/network-security-2010/
- -- SOS: SANS October Singapore, October 4-11, 2010 7 courses
http://www.sans.org/singapore-sos-2010/
- -- Looking for training in your own community? http://sans.org/community/
Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/discounts.php#current
Plus Washington DC, Singapore, Canberra and Portland all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
*************************************************************************
TOP OF THE NEWS
Anti-Piracy Practices Tied to Funding for Colleges and Universities (July 1, 2010)
As of July 1, 2010, US colleges and universities that receive Title IV federal aid are required to have anti-piracy procedures in place. Institutions of higher education have been plagued by their students' use of the institutions' generous bandwidth to download music and other digital media through file-sharing networks. The Higher Education Opportunity Act (HEOA) of 2008 requires that schools abide by a set of anti-piracy guidelines. The schools must provide students with information about copyright law and school policies regarding the violation thereof; the schools must employ technology-based deterrents to illegal file sharing over campus networks; and the schools must provide alternatives to illegal file sharing.
-http://news.cnet.com/8301-31001_3-20009386-261.html?tag=newsEditorsPicksArea.0
[Editor's Note (Schultz): What an ingenious way to make a significant dent in the piracy problem that plagues U.S. universities! ]
Russian Spy Ring Communicated Through Steganography (June 29 & 30 & July 1, 2010)
In the course of an investigation that led to the arrest of 11 Russian intelligence operatives, more than 100 text files were retrieved from steganographic images. The messages were discovered after law enforcement officials found a 27-character password for the steganography program on a slip of paper during a search. The alleged spies also used ad hoc Wi-Fi networks and custom software. The 11 individuals lived in the US for years and adopted detailed cover stories.
-http://www.theregister.co.uk/2010/06/29/spy_ring_tech/
-http://www.computerworld.com/s/article/9178762/Russian_spy_ring_needed_some_serious_IT_help?taxonomyId=17
-http://news.cnet.com/8301-13578_3-20009101-38.html?part=rss&subj=news&tag=2547-1_3-0-20
-http://www.washingtonpost.com/wp-dyn/content/article/2010/06/30/AR2010063003108.html
-http://www.darkreading.com/insiderthreat/security/encryption/showArticle.jhtml?articleID=225701866
-http://gcn.com/articles/2010/07/01/russian-spies-used-steganography-to-transmit-messages.aspx?admgarea=TC_SECURITY
-http://documents.nytimes.com/criminal-complaints-from-the-justice-department?ref=europe#document/p36
[Editor's Note (Ranum): As I've commented before on the various "China cyberspy" articles, real spies don't act like amateurs doing smash-and-grab over the internet. Agents in place, who have time to get into positions of trust or at foci of information, are also going to be vastly more effective (or damaging, depending on your point of view).
(Honan): It seems that even spies need some security awareness training in how to select and remember complex passwords without having to write them down.]
Apple Faces Privacy Questions from US Legislators and German Justice Minister (June 28, 2010)
US legislators are questioning Apple about recent changes to its privacy policy. On Monday, June 21, the Los Angeles Times reported that a paragraph had been added to Apple's privacy policy that appears to allow Apple and unnamed "partners and licensees" to collect and store real-time geographic location data of users' Apple devices. Apple has been gathering location data since 2008, but just recently moved notification of the activity from End User License Agreements (EULAs) on individual products to its general privacy policy. Customers must agree to the terms before being permitted to download applications or other media from the Apple iTunes store. In a letter to Apple, Representatives Edward J. Markey (D-Mass.) and Joe Barton (R-Texas) said that "given the limited ability of Apple users to opt out of the revised policy and still be able to take advantage of their Apple products, we are concerned about the impact the collection of such data could have on the privacy of Apple's customers." The legislators have given Apple until July 12 to respond to the letter. Germany's justice minister has indicated that she is concerned about Apple's data collection practices for new iPhone owners. Sabine Leutheusser-Schnarrenberger has asked Apple to tell German data protection officials what kind of data it collects, how long it is stored and why it is being collected and stored.
-http://www.darkreading.com/security/privacy/showArticle.jhtml?articleID=225701616
-http://www.nytimes.com/2010/06/29/technology/29apple.html?src=busln
-http://latimesblogs.latimes.com/technology/2010/06/apple-location-privacy-iphone-ipad.html
THE REST OF THE WEEK'S NEWS
Romanian Authorities Arrest 50 for Alleged Use of Cell Phone Spyware (July 1, 2010)
Romanian law enforcement authorities have arrested 50 people for allegedly using off-the-shelf software to monitor other people's cell phone communications. A man who is suspected of selling the spyware has also been arrested. Dan Nicolae Oproiu allegedly sold the software over the Internet for as much as US $580.
-http://www.theregister.co.uk/2010/07/01/romanian_spyware_arrests/
Federal Agents Shut Down Nine Sites in Anti-Piracy Operation (June 30 & July 1, 2010)
US government officials have seized domain names of nine websites that were allegedly being used to share free pirated copies of first-run movies. The investigation involved 100 agents in 11 US states and the Netherlands. Officials have also seized assets from 15 bank accounts. Because only the domain names were seized, the sites could reappear elsewhere on the Internet under new names. The website operators could face prison.
-http://news.bbc.co.uk/2/hi/entertainment_and_arts/10475801.stm
-http://mediadecoder.blogs.nytimes.com/2010/06/30/in-anti-theft-effort-officials-seize-9-domain-names/?ref=technology
-http://www.latimes.com/business/la-fi-ct-piracy-20100701,0,2871905.story
Microsoft Sees Significant Uptick in Number of Machines Infected via Help Center Flaw (June 30 & July 1, 2010)
Microsoft has detected a spike in the number of machines infected through a flaw in the Windows Help and Support Center on computers running Windows XP and Server 2003. The flaw was disclosed on June 10. In the days following the disclosure, attacks exploiting the vulnerability were targeted and limited, but Microsoft now says it has detected more than 10,000 distinct computers that have become infected through the flaw. Microsoft has suggested several actions users can take to protect their computers until a fix is released.
-http://www.scmagazineus.com/microsoft-warns-of-soaring-windows-help-center-exploits/article/173739/
-http://www.computerworld.com/s/article/9178768/Microsoft_10_000_PCs_hit_with_new_Windows_XP_zero_day_attack?taxonomyId=17
-http://www.theregister.co.uk/2010/06/30/windows_exploit_spike/
-http://news.bbc.co.uk/2/hi/technology/10473495.stm
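For readers who want to apply the interim mitigation the item above refers to, here is an added example; it is not code from the newsletter or from Microsoft. It scripts the workaround described in Microsoft Security Advisory 2219475, unregistering the hcp:// protocol handler by removing the HKEY_CLASSES_ROOT\HCP registry key, after first exporting the key so the change can be reversed once the vendor patch ships. The backup file location is an assumption of this example; the commands are standard reg.exe usage and are meant to be run from an Administrator command prompt on Windows XP or Server 2003.

```batch
@echo off
rem Added example: interim mitigation for the Windows Help and Support Center
rem flaw, scripted from the "Unregister the HCP Protocol" workaround in
rem Microsoft's advisory. Removing HKCR\HCP stops hcp:// links in a malicious
rem web page or document from being handed to helpctr.exe.
rem Caveat: legitimate hcp:// links inside Help and Support Center also stop
rem working until the key is restored or the patch is installed.

rem Backup location is an assumption for this example.
set BACKUP=%SystemDrive%\hcp-backup.reg

rem 1. Export the key so the change can be reversed with "reg import".
if exist "%BACKUP%" del "%BACKUP%"
reg export HKCR\HCP "%BACKUP%"
if errorlevel 1 (
    echo HKCR\HCP not present or export failed; nothing was changed.
    exit /b 1
)

rem 2. Unregister the protocol handler.
reg delete HKCR\HCP /f
if errorlevel 1 (
    echo Could not remove HKCR\HCP; run this from an elevated prompt.
    exit /b 1
)

rem 3. Verify: reg query must now fail (non-zero errorlevel) for the key.
reg query HKCR\HCP >nul 2>&1
if not errorlevel 1 (
    echo HKCR\HCP is still present; mitigation was not applied.
    exit /b 1
)

echo hcp:// handler unregistered. Backup saved to "%BACKUP%".
echo To restore after patching: reg import "%BACKUP%"
```

Keep the exported .reg file with the machine's change record; when the vendor fix is installed, import it to restore normal Help and Support Center behaviour.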
Facebook Privacy About-Face (June 30, 2010)
Facebook has implemented a more transparent policy for how its users share personal information with third-party applications and websites. Now when users install a new application or log in to a website through Facebook for the first time, they will see a permissions box letting them know what information the application or site wants permission to access. Applications and websites will automatically be permitted to access public portions of Facebook users' accounts, but will have to obtain express permission to access information on private sections of the profiles.
-http://www.computerworld.com/s/article/9178757/Facebook_adds_new_controls_for_third_party_apps?taxonomyId=17
-http://www.theregister.co.uk/2010/06/30/facebook_privacy/
-http://blog.facebook.com/blog.php?post=403443752130
[Editor's Note (Ranum): Am I the only person left on earth who finds the idea of a "private section of a public profile" to be incredibly stupid? Hint: If you don't want your information to be discovered, used, sold and re-sold - don't publish it on a website. ]
Chrome Will (Eventually) Block Insecure Plug-ins (June 29 & 30, 2010)
Google has announced that its Chrome browser will soon block some outdated plug-ins. The goal is to prevent insecure versions of the plug-ins from running. The browser will also help users find updated versions of the plug-ins. Google did not provide a specific timeline for implementation of the new feature beyond saying it will be a "medium-term" project. Google also plans to have Chrome warn users when the browser runs seldom-used plug-ins. Chrome already lets users disable individual plug-ins or run only plug-ins that they have added to a permitted list. Mozilla plans to add automatic plug-in updating to Firefox later this year.
-http://www.theregister.co.uk/2010/06/30/google_chrome_plug_in_blocker/
-http://news.cnet.com/8301-27080_3-20009231-245.html?tag=mncol;title
Adobe Releases Reader and Acrobat Updates (June 29 & 30, 2010)
Adobe has pushed out updates for Reader and Acrobat to fix 17 vulnerabilities, including one that is being actively exploited. The flaw, which lies in authplay.dll, AuthPlayLib.bundle and libauthplay.so.0.0.0, allows attackers to install malware on users' computers by tricking them into opening a maliciously crafted document. The flaw affects Reader and Acrobat for Windows, Mac and Linux. Adobe patched the same flaw in Flash Player in June. Adobe released the fixes two weeks ahead of its scheduled quarterly update. Adobe plans to release its next security updates on October 12, 2010.
-http://www.eweek.com/c/a/Security/Adobe-Patches-Critical-Bugs-in-Reader-Acrobat-303582/
-http://www.theregister.co.uk/2010/06/29/adobe_emergency_patch/
-http://www.computerworld.com/s/article/9178740/Adobe_patches_PDF_bugs_hackers_already_exploiting?taxonomyId=17
-http://www.adobe.com/support/security/bulletins/apsb10-15.html
*Stephen Northcutt shares reader feedback on alternatives to Adobe Reader at the end of NewsBites.
[Editor's Note (Schultz): Adobe deserves considerable credit for taking so much initiative to fix serious vulnerabilities in its products in so timely a manner. ]
Attorneys Allegedly Accessed WellPoint Patient Data While Pursuing Class Action Lawsuit (June 29 & 30, 2010)
WellPoint has acknowledged that a botched security update resulted in a customer being able to view her own and other enrollees' personal information. The health insurer also alleged that an unspecified number of records were accessed by attorneys working on a class action lawsuit against the company. The compromised data include medical histories and payment information. WellPoint became aware of the problem in March when it was subpoenaed in a lawsuit about the breach. Within hours, the company fixed the problem. An internal investigation turned up evidence that information was accessed without authorization. WellPoint has requested "that the attorneys return all information improperly obtained from the individual application system."
-http://www.thetechherald.com/article.php/201026/5807/WellPoint-Data-breach-caused-by-attorneys-and-faulty-security-update
-http://www.reuters.com/article/idUSN2916223420100629
-http://www.californiahealthline.org/articles/2010/6/30/wellpoint-breach-could-have-exposed-enrollees-medical-financial-data.aspx
-http://www.latimes.com/business/la-fi-wellpoint-20100629,0,7282434.story
Australia Introduces Internet Industry Code of Practice (June 28 & 29, 2010)
Australia's proposed Internet Industry Code of Practice would help mitigate the threat posed by computers that have been compromised and have become part of a botnet. The code was written by the Australian Internet Industry Association, the Department of Broadband, Communications and the Digital Economy, and the Attorney-General's Department. The voluntary code provides a framework to help ISPs inform, educate and protect their users.
-http://fcw.com/articles/2010/06/29/web-aussie-isp-code.aspx
*NewsBites reader feedback on Adobe Reader alternatives*
In our last edition, we reported Adobe Reader was being actively compromised and Stephen Northcutt asked if people have recommendations. The only suggestion for Internet Explorer was Brava Reader. Several people pointed out that Google Chrome either has, or is very close to having, its own self-contained reader. gPDF is a really nifty idea; it is a Firefox plug-in to intercept the call to open a .pdf and use the Google viewer instead. That way, the .pdf is not executing on your system. However, we could not make it work on either a 32-bit Vista system or a 64-bit Windows 7. A number of readers suggested Foxit; they are a great reader, but they also install a toolbar and eBay icon. However, you can request a version without ads by email. Another suggestion was Evince. It was a huge download and it wants a lot of system access to install; according to Kaspersky Anti-Virus it wants system shutdown and debug privilege. And as far as xpdf, let's just say the Windows operating system was clearly an afterthought. The closest to a corporate solution seems to be Foxit. I will keep trying a few things and thank you for sharing your wisdom.
-http://www.bravaviewer.com/reader.htm
-http://blog.arpitnext.com/gpdf
-http://www.foxitsoftware.com/pdf/reader/
-http://projects.gnome.org/evince/
-http://www.foolabs.com/xpdf/home.html
-http://blog.kowalczyk.info/software/sumatrapdf/index.html
**********************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.
Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/