Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XII - Issue #53

July 06, 2010

TOP OF THE NEWS

Popular Third-Party Windows Applications Not Implementing Critical Security Features

THE REST OF THE WEEK'S NEWS

Suspected Payment Processing System Breach Affects Indiana Restaurant Patrons
Google Fixes YouTube Cross-Site Scripting Flaw
Apps Removed from iTunes Store After Reports of Fraudulent Purchases Surface
Former Bank Employee Pleads Guilty in Data Theft and Fraud Case
U.S. Officials Say North Korea is Not DDoS Culprit
Firefox Chosen as IBM's Default Browser
Indian Government Seeks Access to Skype and BlackBerry Communications
Google Expands Suspicious Log Warnings to All Account Products
Missing CDs Hold Unencrypted Patient Data


*************** Sponsored By Splunk **************
FREE DOWNLOAD - SPLUNK FOR SECURITY Real-time Business Needs Real-time IT
* See incidents and attacks as they occur
* Monitor application SLAs in real time
* Correlate and analyze events on streaming data
* Track live transactions and online activity Do this and more with real-time search in Splunk. http://www.sans.org/info/61413
***************************************************

TRAINING UPDATE
- -- SANS Rocky Mountain 2010, Denver, July 12-17, 2010 8 courses. Bonus evening presentations include Hiding in Plain Sight: Forensic Techniques to Counter the Advanced Persistent Threat
http://www.sans.org/rocky-mountain-2010/

- -- SANS Boston 2010, August 2-8, 2010 11 courses. Special Events include Rapid Response Security Strategy Competition
http://www.sans.org/boston-2010/

- -- SANS Virginia Beach 2010, August 29-September 3, 2010 9 courses. Bonus evening presentations include Future Trends in Network Security
http://www.sans.org/virginia-beach-2010/

- -- SANS Network Security 2010, Las Vegas, September 19-27, 2010 40 courses. Bonus evening presentations include The Return of Command Line Kung Fu and Cyberwar or Business as Usual? The State of US Federal CyberSecurity Initiatives
http://www.sans.org/network-security-2010/

- -- SOS: SANS October Singapore, October 4-11, 2010 7 courses
http://www.sans.org/singapore-sos-2010/

- -- Looking for training in your own community? http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Washington DC, Canberra, Portland and Dubai all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

*************************************************************************



TOP OF THE NEWS

Popular Third-Party Windows Applications Not Implementing Critical Security Features (July 1 & 2, 2010)

According to a study from Secunia, some popular third-party Windows applications are not using Windows Data Execution Protection (DEP) and Address Space Layout randomization (ASLR) security features. Both features help prevent rogue code execution attacks. Secunia selected 16 popular third-party applications to see if they used DEP and ASLR. Of the 16, only Google Chrome implements both DEP and ASLR. Tested versions of Apple QuickTime, Foxit Reader, Google Picasa, Sun Java JRE, OpenOffice.org, RealPlayer, VLC Media Player and AOL's Winamp do not use either feature, but feedback about the issue from some of the companies is promising. Google says that the company plans to add the features to Picasa in the future. Foxit Reader will support both features in its next major release. The most recent version of VLC also supports both DEP and ASLR.
-http://darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=2257
02255&subSection=Vulnerabilities+and+threats

-http://www.eweek.com/c/a/Security/ThirdParty-Windows-Apps-Not-Using-Microsoft-Se
curity-Features-Researchers-Find-250047/

-http://www.scmagazineus.com/third-party-apps-failing-to-use-windows-security-fea
tures/article/173746/

-http://krebsonsecurity.com/2010/07/top-apps-largely-forgo-windows-security-prote
ctions/

-http://secunia.com/blog/105


*************** SPONSORED LINK - THE EUROSCADA SUMMIT ******************
London in early October; the key players in SCADA and control systems Security; the latest threats; and very cool solutions. http://www.sans.org/eu-scada-security-summit-2010/
*************************************************************************


THE REST OF THE WEEK'S NEWS

Suspected Payment Processing System Breach Affects Indiana Restaurant Patrons (July 2 & 5, 2010)

A security breach at a Beautiful Brands International payment card processing system has affected patrons of a number of restaurants. In Indiana, the breach affected patrons of Camille's Sidewalk Cafe restaurants; reports indicate that fraudulent transactions totaling more than US $100,000 were made using the stolen payment card information. The breach reportedly affects restaurants across the United States. The Indiana franchises were unaware of the breach until they were notified by corporate headquarters. An attorney for Beautiful Brands says the breach affected no more than 20 stores.
-http://www.scmagazineuk.com/indiana-restaurant-chain-in-the-us-hit-by-credit-car
d-breach-after-hack-of-central-processing-system/article/173951/

Google Fixes YouTube Cross-Site Scripting Flaw (July 4 & 5, 2010)

Google has acknowledged that attackers exploited a cross-site scripting (XSS) vulnerability on YouTube. The attacks affected the viewer comment portions of the pages; attackers were able to insert JavaScript and HTML code onto the pages. Once Google learned of the problem, it hid the comments sections temporarily until a fix was applied. The attack itself did not involve infecting users' machines with malware; instead, when users visited certain pages, their computer screens were inundated with unwanted and sometimes offensive pop-up advertisements and messages. In some cases, users were redirected to adult-content sites. However, the sites to which the users were redirected could possibly be hosting malware. Internet Storm Center:
-http://isc.sans.edu/diary.html?storyid=9130
-http://www.computerworld.com/s/article/9178861/Google_confirms_attack_on_YouTube
?taxonomyId=17

-http://news.bbc.co.uk/2/hi/technology/10506150.stm
-http://www.h-online.com/security/news/item/Google-fixes-cross-site-scripting-vul
nerability-in-YouTube-comments-1032988.html

-http://news.cnet.com/8301-1023_3-20009660-93.html
[Editor' Note (Ullrich): It is important to note that the exploits can go beyond offensive pop-ups. XSS is an often-underestimated problem that can be used to gain control over a user's browser. The most dangerous XSS exploits are the ones you don't see. ]

Apps Removed from iTunes Store After Reports of Fraudulent Purchases Surface (July 4 & 5, 2010)

Emerging reports suggest that some iTunes customer accounts have been hijacked and that available funds were used to purchase certain applications. About 40 apps have been pulled from the iTunes App Store after complaints were spurred by a suspicious, sudden surge in the apps' popularity. iTunes customers have been complaining that their accounts have been breached and as much as US $1,000 spent on applications they did not want. The breach was detected by two developers who noticed that their own applications had begun to slip significantly in popularity. Internet Storm Center:
-http://isc.sans.edu/diary.html?storyid=9136
-http://news.cnet.com/8301-13579_3-20009658-37.html
-http://www.telegraph.co.uk/technology/apple/7872836/Hackers-target-Apple-iTunes-
App-Store.html

-http://www.pcworld.com/businesscenter/article/200503/apps_disappear_from_app_sto
re_amid_hacking_complaints.html

-http://business.financialpost.com/2010/07/05/fp-tech-desk-apple-itunes-user-acco
unts-hacked-reports/

[Editor' s Note (Ullrich): Phishing for iTunes credentials is very common. As a simple defense, do not link your credit card for automatic refills to your iTunes account or use iTunes gift cards to fund the account. That way, the damage will be limited to the money you already added to the account.
(Northcutt): Some of the best and brightest coders and security people work for Google and Apple and yet they both had big software security problems. Part of the answer is more and better training and certification to enable safer, higher-quality software development and configuration, but that is probably not enough. Even if Google finds and trains extraordinary developers, what should smaller companies do if they cannot recruit superstars? I think we are seeing more and more market demand for a new type of MSSP, a cross between (1) a software security and quality consultant, (2) a monitoring company that focuses primarily on web logs and probably has some of their own routines (think Suhosin on steroids ) and (3) a high end code and configuration incident response capability. That type of service will be a key enabler of a more secure and robust online marketplace. ]

Former Bank Employee Pleads Guilty in Data Theft and Fraud Case (July 1, 2 & 3, 2010)

A man who at one time worked as a contract computer technician at Bank of New York Mellon has pleaded guilty to grand larceny, money laundering and computer tampering. Over an eight-year period, Adeniyi Adeyemi stole more than US $1.1 million from charities' bank accounts through the automated clearing house (ACH) network. He stole personal information from his co-workers and used it to set up dummy bank and brokerage accounts into which he transferred the stolen funds. He then transferred money from those accounts into a second layer of dummy accounts. Adeyemi kept the transactions below the US $10,000 threshold that triggers reports of the funds transfers to the US Treasury. Adeyemi also admitted to having stolen money directly from his co-workers' accounts. He is scheduled to be sentenced on July 21.
-http://www.computerworld.com/s/article/9178840/IT_staffer_at_New_York_bank_plead
s_guilty_to_data_theft_fraud?taxonomyId=17

-http://www.theregister.co.uk/2010/07/02/bank_insider_data_theft/
-http://www.manhattanda.org/whatsnew/press/2010-07-01.shtml

U.S. Officials Say North Korea is Not DDoS Culprit (July 3, 2010)

There is no conclusive evidence that the distributed denial-of-service (DDoS) attacks that hampered US and South Korean government websites a year ago were perpetrated by North Korea, according to cyber security experts. However, there is no word on who is responsible for the attacks, and it is unlikely that the culprit will ever be found. Initial analysis suggested that the attacks originated in North Korea, but investigators have backed off from that position. The attacks are not considered to be critical. What is known is that the attack traffic was controlled by nine servers in four different countries. In all, approximately a botnet of 60,000 computers was used to launch the DDoS attack.
-http://www.google.com/hostednews/ap/article/ALeqM5j5BPCmNgjLgWUCjVvE7kavTFIssQD9
GNISE80

[Editor's Note (Northcutt): There was very little evidence presented to support the North Korea allegation. We need to be careful about blaming all computer attacks on communist Asian countries. Some part of this is certainly valid, but I think they are getting more credit than is supportable. ]

Firefox Chosen as IBM's Default Browser (July 1 & 2, 2010)

IBM has chosen Firefox to be its default browser for all 400,000 employees. IBM VP of Open Source and Linux Bob Sutor said that the shift to Firefox was in part prompted by cloud computing. Sutor cited "the longstanding commitment of Mozilla to open standards and the quality of the implementation of them in Firefox." Sutor also noted that employees would not be required to use the browser, but would be strongly encouraged to do so.
-http://www.informationweek.com/news/windows/operatingsystems/showArticle.jhtml?a
rticleID=225702156

-http://blog.seattlepi.com/microsoft/archives/213366.asp
-http://www.sutor.com/c/2010/07/ibm-moving-to-firefox-as-default-browser/
[Editor's Note (Schultz): I wonder if those in IBM who made the decision to go with Firefox were aware of the results of NSS Labs' independent testing of the effectiveness of security functions in browsers earlier this year. ]

Indian Government Seeks Access to Skype and BlackBerry Communications (July 1, 2 & 3, 2010)

The Indian government is seeking to ensure that it will have access to the content of communications sent over Gmail and the Skype and BlackBerry networks in a readable format. The government wants the power to access communications as a means to combat terrorism. Skype and BlackBerry parent company RIM have been given two weeks to comply, or they could find themselves banned in India.
-http://www.pcworld.com/businesscenter/article/200257/reports_blackberry_skype_go
ogle_face_india_data_demand.html

-http://www.business-standard.com/india/news/govt-may-get-access-to-foreign-firms
%5C-networks/400107/

-http://economictimes.indiatimes.com/Infotech/Hardware/BlackBerry-has-to-pass-sec
urity-muster-in-15-days/articleshow/6112344.cms?curpg=1

-http://www.thehindubusinessline.com/2010/07/01/stories/2010070153420100.htm
-http://asia.cnet.com/blogs/tech-curry/post.htm?id=63019606&scid=rvhm_ms

Google Expands Suspicious Log Warnings to All Account Products (June 30 & July 1, 2010)

Google has expanded its suspicious activity warnings from Gmail to all Google Account products. In March, Google began alerting Gmail users when their accounts were accessed via IP addresses that appear out of the ordinary. The system works by associating the IP address used to access the account with a general geographic location. If the account is accessed from another geographic location, an alert is triggered. Users who receive alerts are not automatically locked out of their accounts; they will be allowed to change their passwords on the spot or dismiss the warning. The new alerts will appear on users' Google Dashboards.
-http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?a
rticleID=225702120&cid=RSSfeed_IWK_All

-http://arstechnica.com/tech-policy/news/2010/06/suspicious-login-protection-exte
nded-to-all-google-accounts.ars

-http://googlepublicpolicy.blogspot.com/2010/06/better-dashboard-helping-detect.h
tml

Missing CDs Hold Unencrypted Patient Data (June 30, 2010)

More than 130,000 patients of New York's Lincoln Medical and Mental Health Center are being notified that their personal information may have been compromised. A billing processor sent seven unencrypted CDs through FedEx, but the disks never arrived at their destination. The disks contain personal data, including Social Security numbers (SSNs), health plan numbers, driver's license numbers and diagnostic and procedural codes and descriptions. In a June 4 letter to affected patients, the hospital wrote, "FedEx has suggested that the CDs likely became separated from their shipping envelope at one of its facilities, were swept up and destroyed."
-http://www.computerworld.com.au/article/351659/new_york_hospital_loses_data_130_
000_via_fedex/

-http://www.nyc.gov/html/hhc/lincoln/downloads/pdf/lincoln-security-notice-2010-0
6-eng.pdf



**********************************************************************

The Editorial Board of SANS NewsBites Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/