SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XII - Issue #56

July 16, 2010

Two government security folks who have done a lot to stop the waste and
make federal systems much harder to compromise, are contending with
attacks from others who do not want to admit that change is needed. Four
thoughts help make the personal attacks less painful. They were written
by Kent M. Keith in 1968 as part of a booklet for young leaders and
adapted by Mother Teresa and posted in a more spiritual tone in her home
for children in Calcutta. I am sharing them with the NewsBites audience
in the hope that they will help you, as they do me, when we seek to make
a difference:

- - If you do good, people will accuse you of selfish ulterior motives.
Do good anyway.
- - If you are successful, you will win false friends and true enemies.
Succeed anyway.
- - The biggest men and women with the biggest ideas can be shot down by
the smallest men and women with the smallest minds.
Think big anyway.
- - Give the world the best you have and you'll get kicked in the teeth.
Give the world the best you have anyway.
Alan

---

TOP OF THE NEWS

Cyberspace Policy Review Progress Report
Senators Introduce 2010 Data Security Act

THE REST OF THE WEEK'S NEWS

Former NSA Exec Tried Established Avenues to Voice Concerns Before Talking to Reporter
Zbot Now Mimicking Credit Card SecureCode Systems
Royalty Company Proposes ISPs Pay Filesharing Fees
Adobe Site Now Offers Fully Patched Reader
Mozilla Pulls Password-Stealing Add-on
Thieves Stole 3,000 Laptops From Military Contractor in Florida
Bluetooth-Enabled Skimmers Found on Gas Pumps in Southeastern US
Microsoft Patch Tuesday Addresses Help Center Vulnerability
China and Taiwanese Government Pressure Forces Removal of Black Hat Talk

---

************************ Sponsored By zScaler ****************************
CLOUD SECURITY READY FOR PRIME TIME? July 27 -
Ask IDC panelist during online discussion. Register here: http://www.sans.org/info/62138
***************************************************************************
TRAINING UPDATE - -- SANS Boston 2010, August 2-8, 2010 11 courses. Special Events include Rapid Response Security Strategy Competition
http://www.sans.org/boston-2010/

- -- SANS Virginia Beach 2010, August 29-September 3, 2010 9 courses. Bonus evening presentations include Future Trends in Network Security
http://www.sans.org/virginia-beach-2010/

- -- SANS Network Security 2010, Las Vegas, September 19-27, 2010 40 courses. Bonus evening presentations include The Return of Command Line Kung Fu and Cyberwar or Business as Usual? The State of US Federal CyberSecurity Initiatives
http://www.sans.org/network-security-2010/

- -- SOS: SANS October Singapore, October 4-11, 2010 7 courses
http://www.sans.org/singapore-sos-2010/

- -- Looking for training in your own community?
http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Washington DC, Canberra, Portland, London and Dubai all in the next 90 days. For a list of all upcoming events, on-line and live:
http://www.sans.org/index.php

*************************************************************************

---

TOP OF THE NEWS

Cyberspace Policy Review Progress Report (July 13, 14 & 15, 2010)

The White House has issued a progress report on what has been done to improve the nation's cyber security in the 14 months following the release of the Cyberspace Policy Review. Among the accomplishments listed are new guidance from the Office of Management and Budget (OMB) regarding revised compliance with the Federal Information Security Management Act (FISMA); the appointment of a Cybersecurity Coordinator; and the creation of a Cybersecurity Directorate.
-http://www.whitehouse.gov/administration/eop/nsc/cybersecurity/progressreports/j
uly2010
-http://www.computerworld.com/s/article/9179149/White_House_cybersecurity_chief_c
alls_meeting_to_discuss_President_s_agenda?taxonomyId=17

Senators Introduce 2010 Data Security Act (July 14, 2010)

US Senators Tom Carper (D-Delaware) and Bob Bennett (R-Utah) have reintroduced data protection legislation that would take precedence over current state laws governing data protection and breach notification. The legislation was originally introduced in 2007, but failed to pass. The 2010 Data Security Act would require public and private entities to protect personal data they hold and to notify individuals if the security of their information is compromised. Two other bills that address data privacy and breach notification - the Data Breach Notification Act introduced in January 2009 and the Personal Data Privacy and Security Act introduced in July 2009 - have already cleared the Senate Judiciary Committee and will be considered by the full Senate.
-http://www.nextgov.com/nextgov/ng_20100714_6555.php?oref=topnews

---

**************************** SPONSORED LINKS **************************
1) SANS Voucher Credits.Save up to 30%. Perfect for Year End budgets. Contact Vouchers@sans.org.
(http://www.sans.org/info/62143)

2) REGISTER NOW for the 7/20/10 Ask the Expert webcast: Making the Case for SIEM
http://www.sans.org/info/62148

3) Did you miss yesterday's WhatWorks Webcast: Moving 100 percent into the Cloud...Securely, sponsored by Altor? Available now
http://www.sans.org/info/62153

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

Former NSA Exec Tried Established Avenues to Voice Concerns Before Talking to Reporter (July 14, 2010)

Former National Security Agency (NSA) executive Thomas A. Drake fruitlessly pursued several sanctioned paths to address his concerns about the exorbitant cost and neglect of privacy concerns in a new data mining tool before deciding to approach a journalist. Drake was concerned that the NSA was planning to replace a data mining system known as ThinThread with one called Trailblazer. ThinThread protected privacy by encrypting identifying information; only when there was ample evidence to justify a warrant would the information be decrypted. Trailblazer did not have the same privacy protection in place and cost ten times more. Thwarted at each turn, Drake at last turned to Baltimore Sun journalist Siobhan Gorman and gave her documents that supported his case. Drake is presently awaiting trial for mishandling classified information and obstruction of justice. He could face up to 35 years in prison.
-http://www.washingtonpost.com/wp-dyn/content/article/2010/07/13/AR2010071305992_
pf.html
-http://www.wired.com/threatlevel/2010/07/thomas-drake/
[Editor's Note (Schultz): US government agencies and departments neither appreciate nor deal with concerns very well. Although whistleblowers are in theory protected, for example, in reality they are not. Recently a long-employed employee who turned whistleblower at a Department of Energy site was fired not long after he reported that an employee of that site was not showing up for work. Drake must also have been very frustrated by what he believed amounted to waste--too bad that he stood up for what he believed was the right course of action to the point that he now may be convicted of a crime and end up in prison. (Paller): When a person signs up to work for a government agency, he is agreeing to abide by the rules. Whistleblower laws protect employees who follow those rules. And if Mr. Drake's complaints to higher-ups in NSA did not have the impact he wanted, he could have taken his concern to a cleared staffer on one of the Congressional intelligence committees. ]

Zbot Now Mimicking Credit Card SecureCode Systems (July 13, 14 & 15, 2010)

The latest attack from the Zbot botnet masquerades as a credit card verification system. The botnet appears to be injecting pages into systems that ask for information to complete either the verified by Visa or MasterCard SecureCode security programs. The attack waits silently for users to visit certain banking websites. When they do, they are greeted with the page that appears to be from their own bank.
-http://www.scmagazineus.com/zeus-now-spoofing-visa-mastercard-programs/article/1
74635/
-http://www.v3.co.uk/v3/news/2266494/zeus-takes-aim-credit
-http://www.infosecurity-magazine.com/view/10992/financial-hackers-attacking-visa
mastercard-users-with-fake-3d-secure-logins/
-http://darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=2258
00175&subSection=Vulnerabilities+and+threats
-http://www.theregister.co.uk/2010/07/13/zeus_goes_local/

Royalty Company Proposes ISPs Pay Filesharing Fees (July 15, 2010)

A UK organization that collects and pays music royalty fees has suggested that Internet service providers (ISPs) pay for pirated music on their networks. PRS for Music/The Mechanical-Copyright Protection Society represents approximately 65,000 songwriters and music publishers. The proposal would have ISPs pay a fee that would be commensurate with the volume of unlicensed music shared; the "fee would be reduced in line with reductions in the volume of unlicensed media transmitted." The Internet Service Providers' Association UK is opposed to the idea.
-http://www.computerworld.com/s/article/9179202/UK_royalty_society_suggests_ISPs_
pay_for_pirated_music?taxonomyId=17

Adobe Site Now Offers Fully Patched Reader (July 14 & 15, 2010)

Users visiting Adobe's download center can now get the fully patched version of Reader instead of the most recent major release. Adobe was criticized for its practice of making users download the full release, then updating it with the latest fixes the first time it ran. The previous practice meant that users' versions of Reader were vulnerable until the fixes were installed. Adobe has also introduced an automatic updater in version 9.3.2 of Reader.
-http://news.softpedia.com/news/Latest-Adobe-Reader-Version-Distributed-from-Offi
cial-Download-Site-147669.shtml
-http://www.h-online.com/security/news/item/Adobe-now-only-offers-fully-patched-v
ersions-of-Reader-for-download-1038130.html

Mozilla Pulls Password-Stealing Add-on (July 14 & 15, 2010)

Mozilla has pulled a Firefox extension that has been discovered to steal login information and send it to a remote location. The add-on, known as Mozilla Sniffer, had been downloaded nearly 2,000 times before it was removed. It gathers login information from all websites that users visit. The add-on was placed on Mozilla's Firefox blocklist, which uninstalls dangerous extensions from users' computers. Mozilla also warned of a critical vulnerability in the CoolPreviews add-on; it has been temporarily placed on the blacklist as well.
-http://www.h-online.com/security/news/item/Mozilla-disables-login-stealing-Firef
ox-add-on-1038441.html
-http://www.zdnet.com/blog/security/mozilla-blacklists-password-theft-add-on/6841
-http://www.computerworld.com/s/article/9179167/Mozilla_yanks_password_stealing_F
irefox_add_on?taxonomyId=85

Thieves Stole 3,000 Laptops From Military Contractor in Florida (July 13 & 14, 2010)

Three thousand laptops were stolen from a military contactor's office in March. The theft occurred at the Tampa, Florida offices of iGov, which it contracted to supply the computers to the US Special operations Command. The incident, which unfolded over the course of nine hours, was caught on surveillance camera; thus far, about 1,900 items have been recovered. The details of the incident were made public when a search warrant seeking phone records of one of the suspects was filed. The stolen laptops reportedly did not contain any military data.
-http://www.channelregister.co.uk/2010/07/14/specops_robbery/
-http://www.tampabay.com/news/publicsafety/crime/article1108521.ece

Bluetooth-Enabled Skimmers Found on Gas Pumps in Southeastern US (July 13, 2010)

Law enforcement officials in the southeastern US say that criminals are using Bluetooth-enabled skimmers to steal credit card data from gas station pumps. In Alachua County Florida, detectives have been sent to all gas stations within a mile of Interstate 75; four skimming devices have been discovered. All gas station operators are urged to examine their pump payment systems for skimmers.
-http://www.computerworld.com/s/article/9179136/Bluetooth_at_heart_of_gas_station
_credit_card_scam_in_Southeast_?taxonomyId=85

Microsoft Patch Tuesday Addresses Help Center Vulnerability (July 13, 2010)

On Tuesday, July 13, Microsoft released four security bulletins to fix five vulnerabilities in Windows and Office. Three of the four bulletins had ratings of critical, and four of the five vulnerabilities were given exploitability indices of "1," meaning that Microsoft expects that exploit code for the flaws will appear within the next 30 days. Among the issues that Microsoft fixed is the Help Center URL Validation vulnerability in Windows XP, which has been actively exploited for several weeks.
-http://www.computerworld.com/s/article/9179133/Microsoft_patches_critical_bugs_i
n_Windows_Office?source=rss_news
-http://www.microsoft.com/technet/security/Bulletin/MS10-jul.mspx

China and Taiwanese Government Pressure Forces Removal of Black Hat Talk (July 15, 2010)

A planned talk on the offensive capabilities and operations of China's cyber army has been pulled from the Black Hat line up. Wayne Huang, CTO of Armorize, was scheduled to speak at the conference, but the talk was withdrawn after objections from the Chinese and Taiwanese governments. A description of the talk on the Black Hat website called it "a study of the Cyber Army based on incidences, forensics, and investigation data since 2001." One of the elements of the talk was how China and Taiwan are working together to attack targets worldwide.
-http://threatpost.com/en_us/blogs/talk-chinese-cyber-army-pulled-black-hat-07151
0
-http://www.eweek.com/c/a/Security/China-Cyber-Army-Talk-Pulled-From-Black-Hat-66
8887/
[Editor's Comment (Northcutt): I happen to be the marketing chair for SANS Boston starting August 2, if Wayne or Caleb want to contact a few reporters, I will set up a room for them to give their talk in Boston.
-http://www.sans.org/boston-2010/]

---

**********************************************************************

The Editorial Board of SANS NewsBites Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, http://www.sans.edu.

Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/