Newsletters: NewsBites



SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XII - Issue #60

July 30, 2010

TOP OF THE NEWS

Google Android Apps Reportedly Stealing Data
White House Seeks to Add Internet Activity to List of Information That Can be Demanded With National Security Letters
Second Pennsylvania High School Student Files Suit Over Webcam

THE REST OF THE WEEK'S NEWS

UK ICO Says Google Did Not Collect "Meaningful Personal Details"
Verizon's Data Breach Investigation Report
Alleged Botnet Author Arrested in Slovenia
Russian Cyber Criminal Group Ran Counterfeit Check Operation
Safari Patches AutoFill Flaw (and 14 Others) One Day Before Scheduled Talk
Researcher Gathers Publicly Accessible Facebook Data
New Zealand Pizza Chain Suffers Data Breach
Lawsuit Filed Over Flash Memory Cookie Resurrection





TOP OF THE NEWS

Google Android Apps Reportedly Stealing Data (July 30, 2010)

Dozens of wallpaper apps being sold for Google Android devices have been found to be gathering personal information and sending it back to the apps' developers. Google has suspended one of the applications, which appears to send collected data to a server in China, while it investigates the situation. The application is called Jackeey Wallpaper and contains stolen copyrighted content. The issue underscores the importance of downloading applications only from known and trusted sources.
-http://www.telegraph.co.uk/technology/google/7918536/Google-Android-apps-collecting-personal-data.html
-http://www.sfgate.com/cgi-bin/blogs/ybenjamin/detail?entry_id=68990
[Editor's Note (Ranum): Is anyone surprised by this? The idea of "download only from known and trusted sources" is also a non-starter; eventually the attackers will begin to develop software that is stealthier about what it does - when the software supply chain is controlled, it becomes the next logical point of attack. How is the manager of an application store going to know if there's a sleeper routine in an app that will cause it to start leaking data in 3 or 4 months? What we're seeing now is the early "smash and grab" stage of what is going to be a long, horrible battle unless industry begins to realize that software security is a discipline above and beyond just issuing patches. ]

White House Seeks to Add Internet Activity to List of Information That Can be Demanded With National Security Letters (July 29, 2010)

The White House is seeking to add language to a list of items the FBI can demand without a judge's approval. The new language would allow FBI field offices to issue national security letters compelling companies to turn over records of individuals' Internet activity. The information would include addresses to which email was sent, the time and date of sent and received email, and browsing history. The content of email messages would not be included. Officials say the change will eliminate ambiguity; privacy advocates see it as a continuation of the stripping away of privacy through national security letters. The letters may be issued by FBI field offices on their own authority and require that the entity to which they are issued not only supply the information requested, but keep the request a secret.
-http://www.washingtonpost.com/wp-dyn/content/article/2010/07/28/AR2010072806141_pf.html

[Editor's Note (Pescatore): This is somewhat akin to the use of "pen registers" back in the day, to collect the phone numbers of incoming and outgoing phone calls without needing a court order since you weren't listening to the conversation. Simply extending this to email addresses is not a major leap. However, there really needs to be more definition in the language here - the older definitions and privacy compromises were focused on monitoring conversations over the phone, and the extension to things like searching for information or social networks was never considered.
(Northcutt): That is so wrong; this kind of stuff always leads to abuse. Obama campaigned against these abuses. In fact he still has those promises on his web site (at least for now):
-http://www.nytimes.com/2010/07/30/opinion/30fri1.html?partner=rssnyt&emc=rss
-http://www.barackobama.com/pdf/CounterterrorismFactSheet.pdf
]

Second Pennsylvania High School Student Files Suit Over Webcam (July 27, 2010)

A second Lower Merion (Pennsylvania) High School student has filed a lawsuit against the school district, its board of directors, the superintendent and two school employees alleging a civil rights violation for the misuse of a laptop computer theft tracking program. In February 2010, the family of a student filed a lawsuit after the school used a remote webcam program to take pictures of him in his own home. Administrators alleged that the student was taking pills, but his family said he was eating candy. The district had the program installed on the laptops issued to its high school students to use if the computers were lost or stolen. However, in the more recent case, a student reported his computer missing. When it was found and returned to him, the webcam feature was not turned off, resulting in pictures of him being taken in his own home as well. The program also takes screen shots from the computer.
-http://www.wired.com/threatlevel/2010/07/webcam-spy-scandal-broadens/
-http://www.wired.com/images_blogs/threatlevel/2010/07/hasan.pdf





THE REST OF THE WEEK'S NEWS

UK ICO Says Google Did Not Collect "Meaningful Personal Details" (July 29, 2010)

The UK Information Commissioner's Office (ICO) has examined some of the data Google collected while gathering information from unsecured Wi-Fi networks for its Street View feature and concluded that Google did not collect "meaningful personal details." The ICO called what Google did "wrong" and recognizes that it only saw a portion of the data collected, and that investigations in other countries may produce different results.
-http://www.bbc.co.uk/news/technology-10805090
-http://www.zdnet.co.uk/news/security-threats/2010/07/28/ico-google-wi-fi-data-contained-no-meaningful-details-40089672/

[Editor's Note (Pescatore): The headline should be "Google violated privacy but accidentally did not collect meaningful personal details." The issue is the culture, business practices and processes that lead to surreptitious over-collection. ]

Verizon's Data Breach Investigation Report (July 28 & 29, 2010)

According to Verizon's Data Breach Investigation Report from the Verizon Business RISK Team, 70 percent of breaches were committed by outsiders. The report comprises information from 57 private investigations conducted by Verizon in 2009 as well as from 84 cases the US Secret Service investigated in 2009. In more than a third of the breaches, cyber criminals used stolen login credentials, accounting for 86 percent of compromised records. In many cases, cyber thieves relied on configuration errors instead of security vulnerabilities to steal data. Internet Storm Center:
-http://isc.sans.edu/diary.html?storyid=9283
-http://www.verizonbusiness.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf
-http://krebsonsecurity.com/2010/07/hacked-companies-hit-by-the-obvious-in-2009/
-http://content.usatoday.com/communities/technologylive/post/2010/07/cybercriminals-having-easy-time-cracking-corporate-networks/1
-http://www.theregister.co.uk/2010/07/29/data_breaches_dissected/
-http://www.computerworld.com/s/article/9179848/Verizon_Data_breaches_often_caused_by_configuration_errors?taxonomyId=17

[Editor's Note (Schultz): This study should put to rest the lingering information security legend that most attacks are due to insiders. It is true that in the past, e.g., 15 years ago, more attacks originated from within than from the outside, but to say that insider attacks are now more prevalent than outsider-originated attacks is simply wrong.
(Honan): An excellent resource for anyone responsible for information security. ]

Alleged Botnet Author Arrested in Slovenia (July 28, 2010)

Slovenian police have arrested a 23-year-old man in connection with the Mariposa botnet. Identified by authorities only as Iserdo, his online nickname, the man is believed to have created the Mariposa botnet, which infected 12 million computers around the world. Three of Iserdo's alleged associates were arrested several weeks ago in Spain; they are believed to have used the botnet to steal financial information. Sources say that Iserdo charged several hundred dollars for copies of the bot kit. Iserdo is believed to be Dejan Janzekovic, although authorities have called Janzekovic only a person of interest in the case. Internet Storm Center:
-http://isc.sans.edu/diary.html?storyid=9292
-http://krebsonsecurity.com/2010/07/alleged-mariposa-botnet-author-nabbed/
-http://www.theregister.co.uk/2010/07/28/mariposa_vxer_cuffed/
[Editor's Note (Pescatore): Pretty good example of both private industry/law enforcement cooperation and international law enforcement cooperation here. Still was almost 18 month process, though - sorta like how long it took them to catch John Dillinger back in the old days... ]

Russian Cyber Criminal Group Ran Counterfeit Check Operation (July 28, 2010)

A presentation at the Black Hat Conference in Las Vegas described the activity of a group of Russian cyber criminals involved in a counterfeit check scheme. Using a combination of malware, botnets, VPNs and money mules, the group made as much as US $9 million in 2009. The scheme is noteworthy because rather than exploiting wire transfer systems and other technologically advanced capabilities, these thieves are using technology to perpetrate an old-school crime. The group appears to be responsible for more than 3,000 bad checks written on more than 1,000 actual accounts.
-http://news.cnet.com/8301-27080_3-20011885-245.html
-http://blogs.ft.com/techblog/2010/07/russian-hacking-ring-specialises-in-counterfeit-checks/
-http://www.theregister.co.uk/2010/07/28/automated_check_counterfeiting/
-http://www.computerworld.com/s/article/9179771/Massive_check_fraud_botnet_operation_tied_to_Russia?taxonomyId=17
-http://darkreading.com/database_security/security/attacks/showArticle.jhtml?articleID=226300183&subSection=Attacks/breaches

Safari Patches AutoFill Flaw (and 14 Others) One Day Before Scheduled Talk (July 28 & 29, 2010)

Apple issued updates for Safari 4 and 5 just one day before a scheduled presentation on one of the flaws at the Black Hat conference. The updates fix 15 vulnerabilities, some of which could be exploited to allow arbitrary code execution or information disclosure. Thirteen of the 15 patched flaws could be exploited in drive-by attacks, meaning no user interaction is required. The flaw slated for presentation is an AutoFill vulnerability that could be exploited to disclose information. Jeremiah Grossman said the same vulnerability affects Internet Explorer.
-http://www.scmagazineus.com/safari-update-fixes-auto-fill-flaw-ahead-of-black-hat-talk/article/175727/
-http://www.computerworld.com/s/article/9179783/Apple_patches_Safari_ahead_of_Black_Hat_talk_launches_add_on_gallery?taxonomyId=17
-http://www.eweek.com/c/a/Security/Apple-Safari-Security-Update-Patches-AutoFill-Flaw-207056/

Researcher Gathers Publicly Accessible Facebook Data (July 28 & 29, 2010)

The man who wrote a web crawler that collected data of more than 100 million Facebook users says he did it as part of his work on a security tool. Ron Bowes compared his actions to taking information found in a telephone directory and putting it into a simplified format. The data were gathered from a publicly available directory maintained by Facebook. The crawler compiled a list of names and URLs of public profiles. Facebook's policy allows the site to make users' public profiles available to anyone unless the user takes certain steps to prevent it. Bowes made the data he collected available as a downloadable file along with the crawler he used to compile the information.
-http://www.h-online.com/security/news/item/Facebook-crawler-collects-more-than-170-million-data-sets-1046910.html
-http://www.bbc.co.uk/news/technology-10802730
-http://www.theregister.co.uk/2010/07/29/facebook_user_data_published/
[Editor's Note (Pescatore): Good example of why "opt out" always gives advantage to the data abuser, while "opt in" transfers power to the data owner.
(Northcutt): I have to wonder if this isn't going to prove to be bad for Bowes' career as a security researcher. The best analysis and advice I have seen is the PC World story:
-http://www.pcworld.com/article/202167/the_facebook_data_torrent_debacle_qanda.html?tk=hp_new
]

New Zealand Pizza Chain Suffers Data Breach (July 25 & 28, 2010)

The personal information of as many as 230,000 New Zealanders, including a handful of celebrities, has been compromised following the theft of information from the database of a popular pizza chain. The compromised data include names and physical and email addresses, but no credit card information. The celebrity information was released by the attackers as proof of their exploit.
-http://www.networkworld.com/community/blog/new-zealand-pizza-lovers-suffer-information-t?t51hb
-http://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=10661073

Lawsuit Filed Over Flash Memory Cookie Resurrection (July 27 & 28, 2010)

A lawsuit filed in federal court on Tuesday, July 27, 2010 alleges that a number of popular websites violated federal law by using Adobe Flash storage to recreate cookies that users had deleted. A company called Quantcast developed the technology that resurrected deleted cookies as part of an effort to accurately track web traffic. When Quantcast became aware of the inadvertent side effect of the technology last year, the company fixed the issue so the technology would no longer recreate cookies. Users can delete regular cookies with relative ease, but Flash cookies are more difficult to remove.
-http://www.wired.com/threatlevel/2010/07/zombie-cookies-lawsuit/
-http://www.bbc.co.uk/news/technology-10787882


**********************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit
http://portal.sans.org/