
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XII - Issue #65

August 17, 2010


Late breaking news:
Disney sued for spying on kids with 'zombie cookies'
http://www.theregister.co.uk/2010/08/17/flash_cookie_lawsuit/

Preliminary data from the 2010 Cyber Security Salary Survey shows
government now paying a wage that is comparable to all but two
industries. Very impressive growth. If you haven't completed the
survey, do it by Friday.
http://www.surveymethods.com/EndUser.aspx?CDE9859FCC869F96CD

Alan

TOP OF THE NEWS

Widget Infected Sites Hosted by Network Solutions
RIM Offers Indian Government Some Message Monitoring Capability
Researchers Present Wireless Hack of Car Warning Systems

THE REST OF THE WEEK'S NEWS

Cyber Camp In Delaware Prepares Future Cyber Warriors
Virgin Media Subscribers to be Notified of Botnet Infections
Probation for Gift Card Cloner
Fixes for Opera and QuickTime
Smartphone Trojan Found in the Wild
Heartland Not Targeted in Restaurant Data Breach
Preview of Upcoming PCI DSS Update
Two Texas Colleges Choose Preventive Measures Over Cyber Insurance



TRAINING UPDATE -- SANS Virginia Beach 2010, August 27-September 3, 2010 9 courses. Bonus evening presentations include Future Trends in Network Security; Hack Back! The Advanced Persistent Threat; and Securing the Human.
http://www.sans.org/virginia-beach-2010/

-- SANS Network Security 2010, Las Vegas, September 19-27, 2010 40 courses. Bonus evening presentations include The Return of Command Line Kung Fu and Cyberwar or Business as Usual? The State of US Federal CyberSecurity Initiatives
http://www.sans.org/network-security-2010/

-- SOS: SANS October Singapore, October 4-11, 2010 7 courses
http://www.sans.org/singapore-sos-2010/

-- SANS Chicago 2010, Skokie, Illinois, October 25-30, 2010 7 courses. Bonus evening presentations include Weaponizing LISP: Advancing the Art of Network Security
http://www.sans.org/chicago-2010/night.php

-- SANS San Francisco 2010, November 5-12, 2010 7 courses
http://www.sans.org/san-francisco-2010/

-- SANS London 2010, November 27-December 6, 2010 14 courses. Bonus evening presentations include Latest Advances in Computer Forensics and Continuous Vulnerability Testing and Remediation: The 20 Critical Security Controls Perspective
http://www.sans.org/london-2010/

-- Looking for training in your own community? http://sans.org/community/ Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Washington DC, Portland, London, Dubai and Bangalore all in the next 90 days. For a list of all upcoming events, on-line and live:
http://www.sans.org/index.php

********************************************************

TOP OF THE NEWS

Widget Infected Sites Hosted by Network Solutions (August 16, 2010)

Between 500,000 and 5 million websites hosted by Network Solutions are believed to have been infected with a widget that serves malware to site visitors. The widget was installed by default on all parked sites, which are registered sites without owner-provided content. The widget allowed each infected domain to be turned into a drive-by attack site. Network Solutions has disabled the "Small Business Success Index" widget in parked domains. In some cases, the widget was downloaded manually; owners of those sites are urged to remove it as soon as possible.
-http://krebsonsecurity.com/2010/08/networksolutions-sites-hacked-by-wicked-widget/

-http://www.computerworld.com/s/article/9180783/Malicious_widget_hacked_millions_of_Web_sites?taxonomyId=17

-http://news.cnet.com/8301-27080_3-20013751-245.html?tag=mncol;title
Update: Network Solutions pulls widget that tainted up to 5m websites
-http://www.theregister.co.uk/2010/08/17/net_sol_tainted_widget/

RIM Offers Indian Government Some Message Monitoring Capability (August 16, 2010)

According to a report in the Wall Street Journal, BlackBerry parent company Research in Motion (RIM) has offered the Indian government tools for monitoring email and text messages sent with BlackBerry devices. The offer will not let the government read all messages; BlackBerry Enterprise Server encrypts all messages and RIM does not have the ability to decrypt them. BlackBerry Internet Service messages, however, are compressed but not encrypted unless the users have used encryption software. India's government has threatened to ban RIM service in the country if its demands for data access are not met.
-http://www.h-online.com/security/news/item/RIM-offers-Indian-government-surveillance-tools-1059387.html

-http://www.thestar.com/business/companies/rim/article/848624--rim-to-give-india-partial-access-reports

Researchers Present Wireless Hack of Car Warning Systems (August 12 & 13, 2010)

Researchers said they have developed an attack that allows them to access wireless warning systems in cars while the cars are in motion. The experiment sent phony tire pressure warning messages to cars. Tire pressure monitoring systems have been mandatory in all new cars in the US since 2008. The messages were sent between two moving vehicles over a distance of up to 40 meters. The findings of the research were presented at the Usenix Security Symposium in Washington, DC last week. Earlier this year, another group of researchers said they had developed an attack that gave them access to cars' onboard computer networks that control engines, brakes and other systems.
-http://www.csmonitor.com/USA/2010/0813/Scientists-hack-into-cars-computers-control-brakes-engine

-http://www.theregister.co.uk/2010/08/13/car_sensor_wireless_hack/
-http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=226700146&subSection=All+Stories




THE REST OF THE WEEK'S NEWS

Cyber Camp In Delaware Prepares Future Cyber Warriors (August 16, 2010)

Twenty university students from the University of Delaware and Wilmington University won places at the US Cyber Challenge camp in Delaware, culminating in a capture-the-flag competition attended by the Governor and by Senator Tom Carper.
-http://www.npr.org/templates/story/story.php?storyId=129236426
(listen to the story there)

Virgin Media Subscribers to be Notified of Botnet Infections (August 16, 2010)

Customers of UK Internet service provider (ISP) Virgin Media will now be notified by letter if their computers have become infected with malware that harnesses their machines' resources for use in a botnet. Virgin Media will identify infected computers through IP addresses provided by the Shadowserver Foundation. Subscribers with infected computers will be encouraged to download free security software to get rid of the malware and protect their computers from becoming re-infected.
-http://www.theregister.co.uk/2010/08/16/vm_malware/

Probation for Gift Card Cloner (August 14 & 16, 2010)

Sealtiel Chacon Zepeda has been sentenced to a year-and-a-half of probation for cloning gift cards. Zepeda found software on the internet that he used in his scheme. The software allowed him to query activated cards' balances. He would steal cards from store shelves, scan their identifying information with a card reader and return the cards to store shelves. The software let him know when the cards he had scanned were purchased and activated; he would then transfer the cards' information to blank cards and use them to purchase goods at a variety of stores. Zepeda was traced through his IP address and store surveillance cameras. If Zepeda violates his probation, he will be sentenced to 13 months in prison.
-http://www.theregister.co.uk/2010/08/14/gift_card_cloning_sentence/
-http://www.tomsguide.com/us/Sealtiel-Chacon-Zepeda-Gift-Card-Cyber-Crime-Fraud-crime,news-7780.html

Fixes for Opera and QuickTime (August 13, 2010)

Opera has released version 10.61 of its browser software to fix a heap overflow flaw in the browser's HTML5 Canvas components that could be used to inject code onto unprotected systems. The update also addresses two less severe vulnerabilities as well as some stability and interface issues. Apple has released an updated version of QuickTime for Windows to fix a critical stack buffer overflow in error-logging subroutines. The update is for Windows users only, as the flaw does not affect Mac versions of the media player. Users are urged to upgrade to QuickTime 7.6.7.
-http://www.theregister.co.uk/2010/08/13/opera_quicktime_updates/
-http://www.scmagazineus.com/apple-pushes-new-quicktime-version-for-windows/article/176871/

-http://www.opera.com/support/kb/view/966/
-http://support.apple.com/kb/HT4290

Smartphone Trojan Found in the Wild (August 13, 2010)

A Trojan horse program that affects smartphones has been detected in the wild. The malware is aimed at Google's Android operating system. It masquerades as a media player application. Once a device is infected, the malware starts sending SMS messages to premium rate numbers. Google said that users can protect themselves from such scams by being vigilant about downloading apps only from trusted sources, and that "users should exercise caution when installing applications outside of Android Market."
-http://www.securecomputing.net.au/News/224996,first-smartphone-trojan-detected.aspx

-http://www.theregister.co.uk/2010/08/10/android_sms_trojan/

Heartland Not Targeted in Restaurant Data Breach (August 12 & 13, 2010)

Heartland Payment Systems is denying reports that it is "linked" to a data security breach affecting Tino's Greek Cafe, an Austin, Texas restaurant chain. The US Secret Service has confirmed that Heartland, which suffered a massive data security breach last year, was not targeted by attackers in the Tino's case. According to Heartland CIO Steven Elefant, the incident appears to be a "localized intrusion initiated within the stores, either in their point-of-sale system or as a result of other fraud." An Austin police spokesperson said the cyber intruders had gained access to computers "somewhere between Tino's point of sale and their credit card clearinghouse company."
-http://www.computerworld.com/s/article/9180660/Heartland_denies_systems_involved_in_new_data_breach?taxonomyId=82

-http://www.allheadlinenews.com/articles/7019587231?Update:%20Heartland%20Payment%20Services%20Not%20A%20Target%20For%20Hackers

Preview of Upcoming PCI DSS Update (August 12 & 13, 2010)

An update to the Payment Card Industry Data Security Standard (PCI DSS) will not impose additional requirements, but will instead aim to clarify the established requirements' intent and provide further guidance on how to comply with the requirements. There will also be changes regarding evolution of existing requirements to keep up with emerging threats and technology. The next major release of PCI DSS is slated for October; the PCI Standards Council released a preview of what to expect.
-http://darkreading.com/database_security/security/vulnerabilities/showArticle.jhtml?articleID=226700178&subSection=Vulnerabilities+and+threats

-http://www.computerworld.com/s/article/9180644/Changes_to_PCI_Data_Security_Standard_leave_questions_unanswered?taxonomyId=203

-http://www.govinfosecurity.com/articles.php?art_id=2838
-https://www.pcisecuritystandards.org/pdfs/summary_of_changes_highlights.pdf

Two Texas Colleges Choose Preventive Measures Over Cyber Insurance (August 9, 2010)

The University of Texas Pan-American (UTPA) and South Texas College both say they would prefer to spend their cyber security budgets on preventive measures instead of purchasing insurance to cover their liability in the event of a data breach. UTPA VP of information technology Bob Lim said, "there's better use in working to fight intrusion than being scared of it."
-http://www.themonitor.com/news/officials-41652-insurance-college.html
[Editor's Note (Schultz): All things considered, cybersecurity insurance has turned out to be a far less than adequate method of security risk mitigation. As Lim has pointed out, preventative measures are more effective in that they are capable of keeping incidents from occurring in the first place. Additionally, cybersecurity insurance providers have for the most part been stingy in paying victims of cybersecurity incidents.]


**********************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat, and he is a senior Lockheed Martin Fellow.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer at the North American Energy Reliability Commission (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription (and for free posters), or to update a current subscription, visit
http://portal.sans.org/