SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XII - Issue #6

January 22, 2010

New Cyber Novel

"Fatal System Error" comes out Tuesday; it is hard to put down - like a good spy thriller should be. But this one is all true. A rare inside look at the Russian (cyber) mafia's methods. Joe Menn, the Financial Times journalist, wrote it.

http://www.amazon.com/Fatal-System-Error-Bringing-Internet/dp/1586487485/

Alan

---

TOP OF THE NEWS

Clinton Speech Addresses Internet Censorship/Google
India Says Attack on Government Computers Came From China
Chinese Search Engine Baidu Sues Domain Registrar Following DNS Attack
Heartland Will Move to End-to-End Encryption

THE REST OF THE WEEK'S NEWS

Lawyers Say Proposed Heartland Visa Breach Settlement is Too Low
Researchers Finds Evidence in Attack Code Used on Google That Points to China
Microsoft Warns of Vulnerability in 32-Bit Versions of Windows
Adobe Issues Shockwave Update
Apple's First Security Update of 2010 Fixes a Dozen Flaws
Microsoft Issues Out-of-Cycle Patch for Zero-Day IE Flaw Used in Google Attacks
Virgin to Test Deep Packet Inspection Technology to Look for Illegal Downloading
Bing to Cut Data Retention Time

---

**************** SPONSORED BY SANS 2010 *****************************

Orlando in the first week of March.

New courses:

Planning & Implementing the 20 Critical Controls; Security Engineering; Virtualization Security.

Plus the most important courses in security: penetration testing, hacker exploits, forensics, auditing, security management, reverse engineering, securing Oracle, Windows, Linux, more.

What students say:

"SANS is by far the best provider of the highest quality IT training available!" - Chris Cooper, The Regence Group.

"The greatest teachers in the world. What a great place to learn about the security operations." - Young Jin, County of Los Angeles

"Excellent content and presentation." - Daniel Linehan, Oracle

https://www.sans.org/sans-2010/event.php">https://www.sans.org/sans-2010/event.php

**********************************************************************

TRAINING UPDATE

- -- SANS AppSec 2010, San Francisco, January 29-February 5, 2010
8 courses and bonus evening presentations, including Social Zombies:
Your Friends Want to Eat Your Brains
https://www.sans.org/appsec-2010/
- -- SANS Phoenix, February 14 - February 20, 2010
6 courses and bonus evening presentations, including The Art of Incident Response and Advanced Forensic Techniques: Catching Hackers on the Wire
https://www.sans.org/phoenix-2010/
- -- SANS 2010, Orlando, March 6 - March 15, 2010
38 courses and bonus evening presentations, including Software Security Street Fighting Style
https://www.sans.org/sans-2010/
- -- SANS Northern Virginia Bootcamp 2010, April 6-13
Bonus evening presentations include Safe Surfing: How to Surf the Net Without Getting PWND
https://www.sans.org/reston-2010/
- -- SANS Security West 2010, San Diego, May 7-15, 2010
23 courses. Bonus evening presentations include Killer Bee: Exploiting ZigBee and the Kinetic World
https://www.sans.org/security-west-2010/
Looking for training in your own community?
https://sans.org/community/
Save on On-Demand training (30 full courses)
- See samples at https://www.sans.org/ondemand
Plus Tokyo, Bangalore, Oslo and Dublin all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*************************************************************************

---

TOP OF THE NEWS

Clinton Speech Addresses Internet Censorship/Google (January 21, 2010)

US Secretary of State Hillary Clinton said in a speech on Thursday, January 21 that her department will introduce several initiatives aimed at fighting Internet censorship. It will also develop ways to help citizens of countries where content is blocked circumvent the barriers put in place so that they can have unfettered access to information. Clinton also reiterated the US's intent to file a formal protest over the alleged attacks that targeted email accounts of human rights activists and will look to the "Chinese government to conduct a thorough review" of the attacks against Google.
-http://www.nytimes.com/2010/01/22/world/asia/22diplo.html
-http://www.computerworld.com/s/article/9146898/Clinton_U.S._gov_t_will_push_hard
er_against_Web_censorship?source=rss_security
-http://www.wired.com/dangerroom/2010/01/secstate-clinton-on-net-freedom-tear-dow
n-this-virtual-wall/
-http://www.cnn.com/2010/TECH/01/21/clinton.internet/index.html

India Says Attack on Government Computers Came From China (January 19, 2010)

India's security advisor said that Indian government computers were attacked on December 15, the same day that some US companies reported having been attacked. The attack on the Indian computers came through a maliciously crafted PDF file that arrived as an attachment to an email. A Chinese foreign ministry spokesperson called allegations that the attack originated in China "groundless."
-http://www.cio.in/topstory/report-india-claims-it-was-also-hacked-chinese
-http://news.yahoo.com/s/afp/20100119/tc_afp/chinaindiainternettechnologydiplomac
y

Chinese Search Engine Baidu Sues Domain Registrar Following DNS Attack (January 19 & 20, 2010)

Chinese search engine company Baidu has filed a lawsuit against a US domain registrar following a DNS attack that redirected computer users from Baidu's site to a page that claimed the attack was the work of the Iranian Cyber Army, the same group that launched an attack on Twitter late last year. The site itself was not harmed in the attack. The lawsuit alleges gross negligence and seeks damages. The domain registrar, Register.com, says the suit is entirely without merit.
-http://www.theregister.co.uk/2010/01/20/baidu_dns_hack_lawsuit/
-http://www.computerworld.com/s/article/9146218/China_s_Baidu_sues_US_domain_regi
strar_after_hack?source=rss_security
-http://news.cnet.com/8301-1023_3-10437763-93.html

Heartland Will Move to End-to-End Encryption (January 20, 2010)

Heartland Payment Systems is moving to an end-to-end encryption system so merchants will not ever store cleartext card data on their computers. Last January, Heartland acknowledged that it suffered a massive data security breach, compromising a significant number of payment cards. The end-to-end encryption is right now an opt-in choice for merchants because it requires purchasing new hardware. However, if the merchant has the new technology correctly deployed and still suffers a breach, Heartland will assume liability.
-http://www.computerworld.com/s/article/9146339/Heartland_moves_to_encrypted_paym
ent_system?source=rss_security
[Editor's Note (Pescatore): Less sensitive data in the clear is a good thing, whether in motion or at rest. However, doing encryption (especially managing keys) effectively and efficiently isn't easy - encryption done badly can be the worst of both worlds.

(Paller): Sadly the encryption that Heartland is proposing would not have stopped the attacks that stole the data that damaged so many Americans.

(Ranum): People who think end-to-end encryption between insecure end-points is going to solve any meaningful security problem simply do not understand security. ]

---

******************** SPONSORED LINKS ****************************

1) Participation is needed! Be a part of this years 2010 SANS Log Management Report by completing the survey and have a chance to win a $250 AMEX Card.

Click here to complete the survey an be automatically registered.

https://www.sans.org/info/53689

2) Data Loss Prevention and Security Information and Event Management Working Together Read Solutions Brief: Streamlining Security Operations

https://www.sans.org/info/53694

*******************************************************************

---

THE REST OF THE WEEK'S NEWS

Lawyers Say Proposed Heartland Visa Breach Settlement is Too Low (January 21, 2010)

Lawyers for the financial institutions in the Heartland Payment Systems-Visa settlement said that the proposed US $60 million is inadequate. Heartland offered the settlement to reimburse the card issuing institutions for costs incurred by the Heartland data breach disclosed a year ago. If the financial institutions had agreed to the settlement, Heartland and Visa would not be liable for any claims regarding the breach in the future.
-http://www.computerworld.com/s/article/9146758/Heartland_s_60M_breach_settlement
_offer_not_enough_lawyers_say?source=rss_security

Researchers Finds Evidence in Attack Code Used on Google That Points to China (January 19, 20 & 21, 2010)

A security researcher says he has found evidence linking the recent attacks on Google to China. Analysis of the software used in the attacks revealed that it contains an algorithm from a Chinese technical paper that was published only on Chinese-language websites.
-http://www.nytimes.com/2010/01/20/technology/20cyber.html?ref=technology
-http://gcn.com/articles/2010/01/20/google-china-cyber-attacks.aspx
-http://www.computerworld.com/s/article/9146239/Security_researcher_IDs_China_lin
k_in_Google_hack?source=CTWNLE_nlt_dailyam_2010-01-20
-http://www.theregister.co.uk/2010/01/21/aurora_attack_origins/
-http://www.secureworks.com/research/blog/index.php/2010/1/20/operation-aurora-cl
ues-in-the-code/

Microsoft Warns of Vulnerability in 32-Bit Versions of Windows (January 19, 20 & 21, 2010)

Microsoft has issued a security advisory warning users of a vulnerability in 32-bit versions of Windows that could be exploited to install programs, alter data, and create new user accounts. The problem affects 32-bit versions of Windows 7, Vista, XP, 2000 and Windows Server 2003 and 2008. 64-bit versions of the operating system are not affected by the vulnerability. To exploit the flaw, attackers would need to log on to a system locally. Until a patch is available, users are advised to disable the Windows Virtual DOS Machine (NTVDM).
-http://news.cnet.com/8301-27080_3-10438924-245.html
-http://www.computerworld.com/s/article/9146820/Microsoft_confirms_17_year_old_Wi
ndows_bug?source=rss_security
-http://www.h-online.com/security/news/item/Windows-hole-discovered-after-17-year
s-Update-908917.html
-http://www.theregister.co.uk/2010/01/19/microsoft_escalation_bug/

Adobe Issues Shockwave Update (January, 20, 2010)

Adobe has released an update for Shockwave to fix a pair of vulnerabilities that could be exploited to inject and execute code. The flaws affect both Mac OS X and Windows versions of Shockwave, through versions 11.5.2.602. Adobe's recommended update method for this particular patch involves uninstalling older versions of Shockwave, rebooting the computer and installing Shockwave version 11.5.6.606.
-http://www.h-online.com/security/news/item/Adobe-fixes-critical-holes-in-Shockwa
ve-909319.html
[Editor's Note (Schultz): What an awful patch installation procedure! Given its complexity, I seriously wonder how many organizations (let alone individuals) will be willing to invest the effort to make this patch. Surely Adobe could do better than this. ]

Apple's First Security Update of 2010 Fixes a Dozen Flaws (January, 20, 2010)

Apple computer has released a security update to address a dozen flaws in Mac OS X 10.5 and 10.6. Security Update 2010-001 includes fixes for seven arbitrary code execution flaws in the Adobe Flash Player plug-in and a denial-of-service vulnerability in the CUPS printing service; it also disables Transport Layer Security renegotiation in OpenSSL to prevent man-in-the-middle attacks.
-http://news.cnet.com/8301-27080_3-10438313-245.html
-http://www.h-online.com/security/news/item/Apple-releases-Security-Update-for-Ma
c-OS-X-908586.html

Microsoft Issues Out-of-Cycle Patch for Zero-Day IE Flaw Used in Google Attacks (January 21, 2010)

Microsoft has released an emergency, out-of-cycle patch to fix the zero-day memory corruption vulnerability in Internet Explorer (IE) that was used in attacks against Google and other US companies in the last few weeks. At first, the vulnerability was limited to attacks on IE 6, but the code has been modified so that it presents a threat to newer versions of the browser as well; Symantec is reporting that malicious code attempting to exploit the vulnerability has been detected on hundreds of websites. Microsoft has acknowledged that it first learned of the vulnerability last August.
-http://www.theregister.co.uk/2010/01/21/ie_emergency_patch_released/
-http://www.computerworld.com/s/article/9147058/Microsoft_patches_IE_admits_it_kn
ew_of_bug_last_August?source=rss_security
-http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx
[Editor's Note (Northcutt): We depend on vendors like Microsoft to develop safe software and release a patch in a timely fashion when a critical vulnerability is discovered. To have known about this in August and not to have patched it is a breach of trust with their customers. That said, Microsoft and Adobe are clearly not going to change. How many years have we been reading about vulnerabilities in Internet Explorer? Prudent businesses need to start thinking about a backup plan, an alternative to today's massively complex Internet browser based services, for instance a browser that does not support any scripting. When Firefox was first released, it did not support Active X and yet it survived and prospered, I am able to do most things with NoScript, but NoScript is a plugin in another massively complex piece of software (Firefox) that also has had a large number of vulnerabilities. A display only browser might be an idea whose time has come. ]

Virgin to Test Deep Packet Inspection Technology to Look for Illegal Downloading (January 19 & 21, 2010)

Virgin Media will test a system that uses deep packet inspection to find out if its broadband customers are downloading media files illegally. Once traffic has been identified as being of the file sharing variety, the content will be tested against a database of music and movies. The system currently does not note the associated IP address of the downloader, but Virgin would not rule out the possibility of identifying copyright violators in the future. The test will monitor traffic of about 40 percent of Virgin Media broadband customers; they will not be made aware that their activity is being monitored.
-http://www.theregister.co.uk/2010/01/21/virgin_begins_cview_trials/
-http://www.networkworld.com/news/2010/011910-virgin-media-starts-monitoring-cust
omers.html

Bing to Cut Data Retention Time (January 19 & 20, 2010)

Microsoft will reduce the amount of time it Bing search engine retains search data to six months. The change will occur over the next year-and-a-half. The policy until this point had been to remove data from the retained information that could be used to identify the individuals requesting the information, but other data, including the associated IP address, remained accessible for 18 months. Microsoft's decision to make the change came in response to an April 2008 recommendation from the European Union's Article 29 Data Protection Working Party.
-http://www.theregister.co.uk/2010/01/19/microsoft_ip_addresses_cookies_bing/
-http://www.computerworld.com/s/article/9145739/Microsoft_cuts_time_Bing_stores_s
ome_user_data_to_six_months?taxonomyId=17
-http://www.siliconrepublic.com/news/article/14925/comms/microsoft-to-put-time-li
mit-on-bing-search-data
-http://news.zdnet.co.uk/security/0,1000000189,39996280,00.htm

---

**********************************************************************

The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/