SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XII - Issue #64

August 13, 2010

The SANS Cyber Defense Initiative training program (Washington DC, Dec. 10-17) just went live on the web with a raft of new, very advanced courses for people who have important security responsibilities in the military or other critical infrastructure organizations. We believe this is the most advanced, hands-on security training you can get anywhere. See http://www.sans.org/cyber-defense-initiative-2010/ for more data. PS all but one of the advanced courses are also offered in October at SANS Network Security in Las Vegas (http://www.sans.org/network-security-2010/).

Alan

---

TOP OF THE NEWS

India Demands Access to BlackBerry Communications
Voting Machine Company Offers Ohio Counties Settlement for Dropped Votes
ICO Says Google Wi-Fi Data Collection Case Not Closed
Judge Grants Partial Lift on Gag Order in National Security Letter Legal Challenge

THE REST OF THE WEEK'S NEWS

Apple Releases iOS Updates; Exploit Code Released
French Police Arrest "Most Wanted" Cyber Criminal
Adobe Issues Security Updates for Flash Player, Flash Media Server and ColdFusion
German Government Considering Ban on BlackBerrys, iPhones
Microsoft Releases 14 Security Bulletins to Fix 34 Flaws
Cyber Thieves Steal More Than US $1 Million From UK Bank Customers
Two Men Arrested in Thailand in Connection With Online Bank Thefts
Comcast Hacker Draws Four-Month Prison Term
FEEDBACK ON DATA RECOVERY FROM SALT WATER IMMERSED DEVICES

---

********************* Sponsored by SANS **************************
The Deputy Director of the United Kingdom's CPNI will kick off the SANS 2010 European SCADA Security Summit. The Summit, titled "changing form talk to action" will highlight the most sophisticated new attack patterns and what the most innovative and effective governments and power companies and other industries are doing to counter the threats. http://www.sans.org/info/63453
********************************************************************

TRAINING UPDATE
-- SANS Virginia Beach 2010, August 27-September 3, 2010 9 courses. Bonus evening presentations include Future Trends in Network Security; Hack Back! The Advanced Persistent Threat; and Securing the Human.
http://www.sans.org/virginia-beach-2010/

-- SANS Network Security 2010, Las Vegas, September 19-27, 2010 40 courses. Bonus evening presentations include The Return of Command Line Kung Fu and Cyberwar or Business as Usual? The State of US Federal CyberSecurity Initiatives
http://www.sans.org/network-security-2010/

-- SOS: SANS October Singapore, October 4-11, 2010 7 courses
http://www.sans.org/singapore-sos-2010/

-- SANS Chicago 2010, Skokie, Illinois, October 25-30, 2010 7 courses. Bonus evening presentations include Weaponizing LISP: Advancing the Art of Network Security
http://www.sans.org/chicago-2010/night.php

-- SANS San Francisco 2010, November 5-12, 2010 7 courses
http://www.sans.org/san-francisco-2010/

-- SANS London 2010, November 27-December 6, 2010 14 courses. Bonus evening presentations include Latest Advances in Computer Forensics and Continuous Vulnerability Testing and Remediation: The 20 Critical Security Controls Perspective
http://www.sans.org/london-2010/

-- Looking for training in your own community? http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/discounts.php#current

Plus Washington DC, Portland, London, Dubai and Bangalore all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
********************************************************

---

TOP OF THE NEWS

India Demands Access to BlackBerry Communications (August 12, 2010)

The Indian government has informed BlackBerry parent company Research in Motion (RIM) that it has until August 31 to offer a solution that will provide Indian law enforcement agencies with access to data streams from BlackBerry Enterprise Server and Blackberry Messenger. If a suitable arrangement is not made by August 31, India will block the BlackBerry email and instant messaging services in the country. Some point to RIM's recent agreement with Saudi Arabia to put servers in that country as evidence the company is likely to propose a workable solution in India.
-http://www.computerworld.com/s/article/9180563/Indian_government_to_meet_operato
rs_over_the_BlackBerry?taxonomyId=145
-http://www.v3.co.uk/v3/news/2268076/india-wants-access-blackberry
-http://news.cnet.com/8301-30686_3-20013451-266.html?tag=nl.e703
[Editor's Note (Pescatore); RIM has issued a statement that says in part: "RIM maintains a consistent global standard for lawful access requirements that does not include special deals for specific countries." Now, the Blackberry Messenger service isn't strongly protected anyway, I don't understand why that keeps coming up. But access to an enterprise BES server is a huge issue.
(Skoudis): Well, the dam has burst here, and I imagine most countries will push for this now. The benefits of national sovereignty, I suppose.
(Honan): It looks like the Indian government also wants to access Skype, Google and other communication services.
-http://www.itworld.com/security/117278/india-may-put-restrictions-skype-and-goog
le?source=itw_rss&utm_source=twitterfeed&utm_medium=twitter]

Voting Machine Company Offers Ohio Counties Settlement for Dropped Votes (August 12, 2010)

Premier Election Solutions has agreed to pay US $470,000 and offer up to US $2.4 million in replacement machines, free software licensing and maintenance contract discounts to settle charges of dropped votes in the March 2008 primary election in Ohio. The settlement is the outcome of a lawsuit filed by Ohio Secretary of State Jennifer Brunner over voting machines that malfunctioned and dropped votes. The settlement applies to 47 counties that used the faulty machines; each county may decide for itself whether to accept the terms of the settlement. Premier used to be part of Diebold, but was acquired by Election Systems & Software.
-http://www.computerworld.com/s/article/9180612/Former_Diebold_e_voting_unit_sett
les_Ohio_lawsuit?taxonomyId=144
-http://www.businessweek.com/ap/financialnews/D9HHUHRG1.htm

ICO Says Google Wi-Fi Data Collection Case Not Closed (August 12, 2010)

The UK Information Commissioner's Office (ICO) now says it will consider the findings of other countries regarding Google's collection of personal data while gathering information and images for Street View. The statement could be perceived as backpedaling from a statement the ICO made several weeks ago, when it said it had examined some of the data Google had collected and deemed them harmless. The ICO defended its apparent shift of position by noting that it lacks the authority to enforce the law/rule that Google allegedly violated: interception of communications. That infraction falls under the Regulation of Investigatory Powers Act (RIPA). The ICO's lack of authority to act in this case underscores a deeper problem in the UK's privacy and security laws: if the UK government does not establish an authority to regulate interception of communications by private companies, it could face legal action from the European Commission (EC).
-http://www.theregister.co.uk/2010/08/12/ico_google/
[Editor's Note (Honan): If those responsible for regulating and enforcing the law are unclear as to what they can and cannot do, then how can we expect companies to comply? The first principle of the UK's Data Protection Act requires companies to process personal data fairly and lawfully, it would appear to me that gathering personal information by sniffing someone's wireless network without their knowledge or permission would contravene that principle. ]

Judge Grants Partial Lift on Gag Order in National Security Letter Legal Challenge (August 10, 2010)

An Internet service provider (ISP) and security consultancy owner who was served a national security letter (NSL) from the FBI in February 2004 seeking a certain customer's records may now speak about the case in general thanks to a partial lift of the gag order that accompanied the NSL. Recipients of NSLs are barred from even acknowledging that they have received the notice, much less discuss specifics about the information authorities were seeking. Nicholas Merrill filed a lawsuit challenging the NSL he was served. Merrill contacted his attorney after receiving the letter because despite the letter's insistence that he not contact an attorney, he said, "I'm an American. I always have a right to an attorney." Merrill's lawsuit was filed under the name "John Doe" and challenged the legality of the letter because customer records are constitutionally protected information. The law surrounding NSLs has been changed to allow recipients to challenge the letters and their gag orders. The FBI must provide evidence in court that disclosing an NSL would be detrimental to national security.
-http://www.wired.com/threatlevel/2010/08/nsl-gag-order-lifted/
-http://www.washingtonpost.com/wp-dyn/content/article/2010/08/09/AR2010080906252_
pf.html

---

**************************** SPONSORED LINKS *****************************
SANS WhatWorks: Legal Issues and PCI Compliance in Information Security Summit 2010 is connected with the SANS Institute's major conference Network Security 2010 Summit Chair: SANS Senior Legal Instructor, Attorney Benjamin Wright. http://www.sans.org/info/63458
****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Apple Releases iOS Updates; Exploit Code Released (April 11 & 12, 2010)

Apple has released updates for its iOS to fix a pair of vulnerabilities that could be exploited to install unauthorized applications on iPhones, iPod Touches and iPads. Jailbreak exploit code was also posted to the Internet. The exploit code could be used not only to allow device owners to install unauthorized applications, but also to allow attackers to download malware onto the devices by tricking users into clicking on specially crafted links. Apple's update fixes the problem in the iPhone 3G and later models running iOS 2.0 or later and for second generation iPod Touch running iOS 2.1 or later. Users with earlier models or running older versions of iOS are not protected by the update.
-http://www.theregister.co.uk/2010/08/11/critical_iphone_vuln_patched/
-http://www.computerworld.com/s/article/9180601/_Dangerous_iPhone_exploit_code_go
es_public?taxonomyId=17
-http://www.h-online.com/security/news/item/Apple-closes-iPhone-jailbreak-vulnera
bility-1056827.html
-http://www.scmagazineus.com/apple-updates-iphone-ipad-for-jailbreak-flaw/article
/176781/
[Editor's Note (Skoudis): These exploits are smooth and reliable, allowing for all kinds of mayhem. iPhone and iPad users really should upgrade right away, if you haven't already. Consider setting aside some time this weekend to do so.
(Pescatore): Hmmm, Microsoft still issues patches for Windows versions that are 7 years old, but Apple won't go back further than 2 years? Another example of the difference between consumer and enterprise needs. ]

French Police Arrest "Most Wanted" Cyber Criminal (August 11 & 12, 2010)

French police have arrested a man suspected of selling stolen credit card information online. Vladislav Anatolievich Horohorin allegedly sold the data through a website for about eight years. He was arrested in Nice, France while attempting to board a flight for Moscow, and will be detained in France pending extradition to the US to face charges of access device fraud and aggravated identity theft. Horohorin is a citizen of Israel and Ukraine. He was indicted in the US in November 2009. The US Secret Service said Horohorin was one of its five most wanted cyber criminals.
-http://www.computerworld.com/s/article/9180589/Russian_charged_with_selling_cred
it_card_numbers_online?taxonomyId=17
-http://www.theregister.co.uk/2010/08/12/credit_card_trafficking_arrest/
-http://www.washingtonpost.com/wp-dyn/content/article/2010/08/11/AR2010081105791.
html

Adobe Issues Security Updates for Flash Player, Flash Media Server and ColdFusion (August 11, 2010)

Adobe has released updates to address vulnerabilities in Flash Player, Flash Media Server and ColdFusion. The six flaws fixed in Flash Player could be exploited to crash the application of take control of vulnerable systems. The updates also fix four vulnerabilities in Flash Media Server and one flaw in ColdFusion. Adobe plans to issue out-of-cycle updates for Reader and Acrobat the week of August 16. Internet Storm enter:
-http://isc.sans.edu/diary.html?storyid=9364
-http://www.h-online.com/security/news/item/Adobe-closes-critical-holes-in-Flash-
products-1054085.html
-http://www.scmagazineus.com/adobe-ships-flash-player-update-coldfusion-hotfix/ar
ticle/176758/
-http://www.adobe.com/support/security/bulletins/apsb10-16.html

German Government Considering Ban on BlackBerrys, iPhones (August 10 & 11, 2010)

The German government is reportedly considering a ban (applying to government ministers) on BlackBerrys, iPhones and other smartphones because of security concerns. The email push services can route messages through servers outside Germany. German interior minister Thomas de Maiziere is recommending that politicians use the SiMKo 2 smartphone instead.
-http://www.theregister.co.uk/2010/08/10/german_government_mulls_blackberry_iphon
e_ban/
-http://www.infosecurity-magazine.com/view/11646/german-government-looking-to-dum
p-blackberry-and-other-smartphones/
[Editor's Note (Pescatore): Hmmm, since pretty much anything you do on the Internet routes messages through servers outside of Germany, this seems to be like saying German drivers should only drive on roads that don't connect to roads that leave Germany. ]

Microsoft Releases 14 Security Bulletins to Fix 34 Flaws (August 10, 2010)

On Tuesday, August 10, Microsoft released 14 security bulletins to address 34 vulnerabilities products including Windows, Internet Explorer, Office and Silverlight. Fourteen of the vulnerabilities have been rated critical. Internet Storm Center:
-http://isc.sans.edu/diary.html?storyid=9361
-http://news.cnet.com/8301-27080_3-20013210-245.html?tag=mncol;title
-http://www.computerworld.com/s/article/9180505/Microsoft_delivers_monster_patch_
batch?taxonomyId=82
-http://krebsonsecurity.com/2010/08/critical-updates-for-windows-flash-player/
-http://www.theregister.co.uk/2010/08/10/microsoft_plugs_ssl_vuln/
-http://www.scmagazineus.com/microsoft-lists-4-of-its-record-14-patches-as-high-p
riority/article/176727/
-http://www.microsoft.com/technet/security/Bulletin/MS10-aug.mspx
[Editor's Note (Skoudis): As always, the Internet Storm Center's summary and recommendations on these patches is a must-read (See isc link above).

Thanks to the handlers for their awesome (and quick) work in putting together these highly useful summaries each month! ]

Cyber Thieves Steal More Than US $1 Million From UK Bank Customers (August 10 & 11, 2010)

A targeted attack against customers of a UK bank netted cyber thieves more than US $1 million. The attack used the combined forces of drive-by exploits, Zeus malware, a botnet and hijacked online bank transactions. The bank has not been named because the investigation is still open. The thefts are believed to affect approximately 3,000 UK bank customers. In all, about GBP 675,000 (US $1.05 million) has been stolen since July 5, 2010; the attacks are ongoing.
-http://www.darkreading.com/smb-security/security/attacks/showArticle.jhtml?artic
leID=226600381&cid=RSSfeed
-http://www.msnbc.msn.com/id/38663120/ns/technology_and_science-security/
-http://www.computerworld.com/s/article/9180488/U.K._bank_hit_by_massive_fraud_fr
om_ZeuS_based_botnet?taxonomyId=82
-http://www.theregister.co.uk/2010/08/11/zeus_cyberscam_analysis/
[Editor's Note (Honan): An interesting aside to this story is that 4,000 victims in this case were users of Apple machines, which demonstrates that no matter what operating system you are using you need to have your machine patched with the latest updates and employ a reputable anti-virus solution. ]

Two Men Arrested in Thailand in Connection With Online Bank Thefts (August 10, 2010)

Two German men have been arrested in Pattaya, Thailand. Dominik Ianoco and Dave Ackermann are believed to be responsible for the theft of 100 million baht (US$3,115,600) through online banking fraud. Their victims are in Thailand, Europe and the US. The arrest followed the theft of 700,000 baht (US$22,000) from the account of one individual. The scheme used Trojan horse programs to infect computers and steal information necessary for committing the cyber theft. The men are believed to be part of an international cyber theft ring.
-http://www.bangkokpost.com/news/local/190305/police-arrest-german-hacker-suspect
s
-http://www.pattayadailynews.com/en/2010/08/10/german-hackers-arrested-in-pattaya
-over-internet-banking-scam/

Comcast Hacker Draws Four-Month Prison Term (August 9, 2010)

James Robert Black Jr. has been sentenced to four months in prison for hijacking Comcast.net for several hours in May 2008. Black had two accomplices in the attack that took down the Comcast homepage and Comcast webmail service for five hours. Following completion of his prison term, Black will serve three years of supervised release; during the first four months, he will be under house arrest. He was also ordered to perform community service and pay restitution. Black cooperated with authorities' efforts to bring in his accomplices, Christopher Allen Lewis and Michael Paul Nebel.
-http://www.wired.com/threatlevel/2010/08/comcast-black/

FEEDBACK ON DATA RECOVERY FROM SALT WATER IMMERSED DEVICES

In NewsBites Volume 12, Number 63 we asked for feedback on the data recovery process for devices that have been immersed in salt water. Here is some of the information that you shared with us:

Tom McGrane suggests: For electronics in general, once they're in water for any length of time you need to leave them in water until they can be properly cleaned and dried, especially if it was salt water. As soon as air hits the wet metal parts corrosion really takes off. Much slower while under water. Do remove any batteries.

Leaving it in saltwater is better than out in the air, but if you can move it to fresh water that's better--the more water the better to dilute the salt. Letting fresh water flow through the container would be good.

There are companies that do electronics cleaning where they'll submerge the appropriate parts in special cleaning fluid. Often used with smoke damaged stuff, but would probably work with water damage, too.

For quick dunks, like dropping a cell phone into a pond or toilet, it makes sense to quickly remove it, pull the battery to reduce possible damage, open it up in any easy way and shake out as much water as possible, then if you can, put it in a bag of rice and leave in a warm place to dry. Or just open and set up however seems logical to allow moisture to drain out. Leave it to dry as long as practical before applying power again. Use a fan to blow air through it.

I've lived on the Alaskan coast and it's often surprising what can be rescued when live-aboard boats have taken on water if you keep stuff away from air.

Rob Blader did some research and found moisture removing bags:
-http://www.rei.com/product/793223
And then did further research and found a similar thread on the High Tech Crime Consortium Listserv:

"I used the NoWrite Hard Drive Evidence case, filled it with silica bags, closed the case and left it in a warm place. One day, the phone was dry inside and out."

" I've had good luck so far just removing the battery and putting the items in a bag of rice for a couple of days. Worked on a cell phone left on the ground overnight in the rain, and a cell phone dropped in the dog's water bowl."

We do not think we have enough definitive information for a SCORE checklist yet. If you have experience with recovering data from devices that have been exposed to salt water, please drop stephen@sans.edu a note. Thanks!

---

**********************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer at the North American Energy Reliability Commission (NERC).


Alan Paller is director of research at the SANS Institute.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/