SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XII - Issue #61

August 03, 2010

The 2010 Computer Security Salary Survey was launched this
morning. Please complete it today or at least this week (takes
5 minutes). A valid survey is probably the most valuable tool
security people have to have productive conversations with their
employers about their salaries. You get the results if you participate.
It's at http://www.surveymethods.com/EndUser.aspx?CDE9859FCC869F96CD
Alan

---

TOP OF THE NEWS

Electric Grid Vulnerabilities Exposed
Proposed Clarification of National Security Letter Authority Raises
Privacy Concerns
Texas Company Seeks Liability Settlement From Bank Over Fraudulent
Transactions
UAE to Ban BlackBerry Services as of October 11

THE REST OF THE WEEK'S NEWS

UK Government Plans to Stick With IE6 in Spite of Encouragement to
Upgrade
Mumba Botnet Uses Zeus and Fast Flux
Microsoft Issues Out-of-Cycle Patch for Remote Code Execution Flaw in
Windows Shell
Terry Childs Denied New Trial; Sentencing Rescheduled
Leak of Afghan War Documents Prompts US Military Information Security
Review
Former CIA and NSA Chief Speaks About Need for Cyber Warfare Doctrine

---

************************* Sponsored By SANS ************************
Over the past several years, virtualization has become one of the most widely deployed IT tools across the enterprise spectrum - from small businesses to Fortune 500 companies. Ranging from sandboxing technologies that address the security issues of a single application to fully virtual infrastructures that treat processing and storage as commodities. Find out What Works at the SANS Virtualization and Cloud Summit. http://www.sans.org/info/63058 ********************************************************************
TRAINING UPDATE - - -- SANS Boston 2010, August 2-9, 2010 10 courses. Special Events includes Rapid Response Security Strategy Competition; Bonus evening presentations include Exploit Discovery and Development; Embedded System Hacking and My Plot to Take Over the World
http://www.sans.org/boston-2010/

- - -- SANS Virginia Beach 2010, August 27-September 3, 2010 9 courses. Bonus evening presentations include Future Trends in Network Security; Hack Back! The Advanced Persistent Threat; and Securing the Human.
http://www.sans.org/virginia-beach-2010/

- - -- SANS Network Security 2010, Las Vegas, September 19-27, 2010 40 courses. Bonus evening presentations include The Return of Command Line Kung Fu and Cyberwar or Business as Usual? The State of US Federal CyberSecurity Initiatives
http://www.sans.org/network-security-2010/

- - -- SOS: SANS October Singapore, October 4-11, 2010 7 courses
http://www.sans.org/singapore-sos-2010/

- - -- SANS Chicago 2010, Skokie, Illinois, October 25-30, 2010 7 courses. Bonus evening presentations include Weaponizing LISP: Advancing the Art of Network Security
http://www.sans.org/chicago-2010/night.php

- - -- Looking for training in your own community? http://sans.org/community/ Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Washington DC, Portland, London, Dubai and Bangalore all in the next 90 days. For a list of all upcoming events, on-line and live:
http://www.sans.org/index.php

*************************************************************************

---

TOP OF THE NEWS

Electric Grid Vulnerabilities Exposed August 2, 2010

Computer networks controlling the electric grid are plagued with security holes says a new Energy Department report based on the findings of 24 assessments of computer-control systems performed between 2003 and 2009. Many are VERY basic.
-http://online.wsj.com/article/SB10001424052748704905004575405741051458382.html
[Editor's Note (Paller): The actual mechanisms being used, and what the top SCADA vendors are doing to protect their clients will be the key topics at the EuroSCADA Security Summit in London in early October.
-http://www.sans.org/eu-scada-security-summit-2010/]

Proposed Clarification of National Security Letter Authority Raises Privacy Concerns (August 2, 2010)

The move to clarify the FBI's authority to demand electronic communications data is meeting with resistance. The change in language would allow the FBI to obtain information from Internet service providers (ISPs) with the use of national security letters, which do not require a warrant from a judge. Those targeted by the letters do not need to be suspected of wrongdoing; all that is required is that the material requested be considered relevant to counter intelligence or counter terrorism investigations. National security letters have been misused in recent years. Senate Judiciary Committee Chairman Patrick Leahy (D-Vermont) noted, "While the government should have the tools that it needs to keep us safe, American citizens should also have protections against improper intrusions into their private electronic communications and online transactions."
-http://www.washingtonpost.com/wp-dyn/content/article/2010/08/01/AR2010080103261_
pf.html

Texas Company Seeks Liability Settlement From Bank Over Fraudulent Transactions (August 2, 2010)

Dallas, Texas-based Hi-Line Supply, Inc. is attempting to get its bank to settle a liability claim over US $50,000 in fraudulent transfers. The bank claims that the entity requesting the transactions knew all the company's passwords. Hi-Line maintains that the bank should have been wary of the transactions because the payments were going to individuals who had never before done business with the company; the requests were made from IP addresses that were physically more than 1,500 miles from the bank and had not been used before to conduct any transactions; and the amount was out of the ordinary. The fraudulent transactions were made last August. Hi-Line has convinced a court to seek depositions from the bank to find out exactly what it knew about the transactions.
-http://krebsonsecurity.com/2010/08/texas-firm-blames-bank-for-50000-cyber-heist/
[Editor's Note (Liston): Let me get this straight: you let yourself get 0wned and had all your banking passwords stolen, and you have the stones to walk into court and claim that the *BANK* should've known better...? ]

UAE to Ban BlackBerry Services as of October 11 (August 1, 2010)

Authorities in the United Arab Emirates (UAE) have decided to suspend Blackberry services until concerns about the security of the services are addressed. The Telecommunications Regulatory Authority will suspend services to Blackberry Messenger, Blackberry email and Blackberry web browsing as of October 11, 2010. The concerns lie in the fact that Blackberry data are exported off-shore and managed by a foreign corporation. The Emirates News Agency said, "Today's decision is based on the fact that. In their current form, certain BlackBerry services allow users to act without any legal accountability, causing judicial, social and national security concerns for the UAE." The issue of control is not unique to the UAE; other countries have expressed concerns about not being able to access communications conducted through BlackBerry devices.
-http://www.nytimes.com/2010/08/02/business/global/02berry.html?_r=1&partner=
rss&emc=rss
-http://www.nytimes.com/2010/08/03/technology/03blackberry.html?ref=technology
-http://money.cnn.com/2010/08/01/technology/uae_blackberry/index.htm
[Editor's Note (Pescatore): RIM couldn't ask for better security marketing than this!
(Schultz): Rumor has it that recent Blackberry models come with interceptor software. I wonder if UAE investigated this possibility before it suspended Blackberry services. ]

---

**************************** SPONSORED LINKS **************************

1) Replace Cisco CS-MARS from the original MARS creators. See what SC Magazine & MARSblog reviews say about AccelOps. A Better SIEM-Beyond SIEM. New competitive trade-up program.
http://www.sans.org/info/63063

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

UK Government Plans to Stick With IE6 in Spite of Encouragement to Upgrade (July 30 & August 2, 2010)

Despite an online petition signed by more than 6,000 people urging them to upgrade away from Internet Explorer 6 (IE6), the UK government says it will keep using IE6, noting that "Regular software patching and updating will help defend against the latest threats." The government also cited the time and expense consumed by testing upgrades and said that it has not seen evidence that later versions of the browser provide improved security. Both French and German governments have changed their browsers from IE 6 precisely because they wanted to improve security.
-http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?a
rticleID=226500069&subSection=News
-http://www.scmagazineuk.com/uk-government-continues-to-use-internet-explorer-6-a
s-it-bemoans-a-lack-of-evidence-on-the-security-of-improved-browsers/article/176
161/
-http://www.theregister.co.uk/2010/07/30/uk_government_sticks_with_ie_6/
[Editor's Note (Pescatore): Wow, what an incredibly bad decision. When there is a safety recall on UK government vehicles, do they just day "ah, too expensive - with a bit of duct tape and some finger crossing, the brakes probably won't fail"?
(Liston): The issue here has little to do with "browsers" and everything to do with a government which allowed itself to be locked into a narrowly defined platform by the vendors it chose to develop its (to use the British term) "bespoke" applications. The short-sightedness of accepting software that uses browser/platform-specific features as a means of accelerating/cheapening the development cycle has come home to roost. ]

Mumba Botnet Uses Zeus and Fast Flux (August 2, 2010)

The Mumba botnet comprises more than 55,000 compromised PCs and has been used to steal more than 60 GB of personal data. The botnet hides its activity with technology known as fast flux, which uses constantly-changing compromised hosts acting as proxies. Mumba began infecting computers in late April, when 35,000 machines became infected. Mumba uses several variants of Zeus malware to steal data. Half of the infected computers are located in the US and Germany.
-http://www.theregister.co.uk/2010/08/02/mumba_botnet_infiltrated/
-http://www.scmagazineus.com/new-zeus-botnet-steals-60-gb-of-sensitive-data/artic
le/176225/
-http://www.networkworld.com/news/2010/080210-avg-uncovers-new-data-stealing-mumb
a.html

Microsoft Issues Out-of-Cycle Patch for Remote Code Execution Flaw in Windows Shell (July 30 & August 2, 2010)

Microsoft has released an out-of-cycle fix for the critical shortcut vulnerability in Windows that is being actively exploited. The flaw has been exploited to install malware on supervisory control and data acquisition (SCADA) systems, software that manages elements of critical infrastructure. Microsoft has recently noted an increase in attempts to exploit the flaw. The vulnerability affects all supported versions of Windows. Internet Storm Center:
-http://isc.sans.edu/diary.html?storyid=9313
-http://www.microsoft.com/technet/security/bulletin/MS10-046.mspx
-http://www.computerworld.com/s/article/9180035/Microsoft_ships_rush_patch_for_Wi
ndows_shortcut_bug?taxonomyId=17
-http://www.h-online.com/security/news/item/Emergency-patch-closes-LNK-hole-in-Wi
ndows-1049507.html
-http://www.bbc.co.uk/news/technology-10837232
-http://www.theregister.co.uk/2010/07/30/emergency_microsoft_patch/
-http://krebsonsecurity.com/2010/07/microsoft-to-issue-emergency-patch-for-critic
al-windows-bug/
[Editor's Note (Ullrich): This is a "must apply" patch. Note that the initial announcement did not mention Windows XP SP2. As of last month, Windows XP SP2 is no longer supported and an upgrade to SP3 is adviced. However, in this case, unlike stated in Microsoft's advisory, Windows XP SP2 is still supported (silently?). ]

Terry Childs Denied New Trial; Sentencing Rescheduled (July 30, 2010)

Superior Court Judge Teri L. Jackson has denied Terry Childs's motion for a new trial and a request for arrested judgment. Childs is the former San Francisco city network administrator who refused to reveal passwords for one of the networks to his managers in 2008. Childs was scheduled to be sentenced on Friday, July 30, but the two defense motions consumed so much time that sentencing was delayed until August 6. In April, Childs was found guilty of denying computer services. Childs claimed that his actions were founded on security concerns; he was worried that the passwords would be shared indiscriminately. He eventually surrendered them to San Francisco Mayor Gavin Newsom when the mayor visited him in jail.
-http://www.computerworld.com/s/article/9179918/Terry_Childs_is_denied_motion_for
_retrial
-http://cbs5.com/crime/sf.computer.tampering.2.1835231.html

Leak of Afghan War Documents Prompts US Military Information Security Review (July 30, 2010)

The US military will review information security practices in the wake of the leak of tens of thousands of classified documents about the war in Afghanistan through WikiLeaks. Defense Secretary Robert Gates says that procedures for restricting the access and transportation of data have already been put in place.
-http://www.computerworld.com/s/article/9179897/U.S._military_launches_review_of_
IT_security_after_Wikileaks_breach?taxonomyId=17

Former CIA and NSA Chief Speaks About Need for Cyber Warfare Doctrine (July 29, 2010)

Speaking at the Black Hat conference in Las Vegas, Nevada, former CIA and National Security Agency (NSA) director Michael Hayden said that the US needs to establish rules for cyber warfare before the country becomes engaged in such a conflict. The arrangement might include an agreement not to target systems that support banks and electrical grids. The rules for cyber warfare engagement are not clear. Hayden acknowledged that attribution of attacks is difficult; one way to circumvent the issue would be to hold countries accountable for attacks emanating from their cyber space.
-http://news.cnet.com/8301-31921_3-20012121-281.html
-http://www.wired.com/threatlevel/2010/07/hayden-at-blackhat/
-http://gcn.com/articles/2010/07/29/black-hat-michael-hayden-cyberwar.aspx
-http://www.computerworld.com/s/article/9179873/U.S._should_seek_world_cooperatio
n_on_cyber_conflict_says_ex_CIA_director?taxonomyId=82
[Editor's Note (Ranum): That last line - attribution based on address domain - beggars the imagination. I hope more technology-literate minds get involved, quickly.
(Liston): Over the past 4 years I've run various incarnations of honeypot systems and I've rarely, if ever, seen an attack that I could conclusively attribute to a specific actor. Do we really want to go down a path where a country may be held responsible for an attack because it was "sourced" from Aunt Trudy's unpatched install of WinXP? What level of control would be required at the national level to make a system founded on that notion acceptable? ]

---

**********************************************************************
The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit
http://portal.sans.org/