SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XII - Issue #68

August 27, 2010

Policemen are often forced to search for evidence of a crime after the criminal has systematically tried to erase it from their computer. A note we received last Sunday provides a short lesson on a not-widely-understood way that can be done. The note is included at the end of this issue for everyone who works in forensics, or hopes to do so.
Alan

---

TOP OF THE NEWS

Pentagon Opens Up About 2008 Cyber Attack
Cyber Security Likely to be Attached to Defense Authorization Bill
Zurich Insurance Fined Over Data Loss
Attorney Files Lawsuits Over Flash Cookies

THE REST OF THE WEEK'S NEWS

IBM X-Force 2010 Mid-Year Trend and Risk Report
China Orders Companies to Use Domestic Cyber Security Products
Apple Issues OS X Security Update
California Legislators Send Improved Breach Notification Bill to Governor Again
Ireland's Central Applications Office Site Attacked Twice in One Week
YoyoDdos Botnet Targets Chinese, US Sites
Microsoft Releases Tool to Block DLL Flaw Exploits

READER'S NOTE:

How one policeman uncovered evidence after the suspect
tried to erase it.

---

********************** Sponsored By SANS ************************
How has the threat to control systems changed during the last year? Who are the new attackers? What kind of damage have they already done? What can they do? Find answers to these questions and more at the: SANS 2010 European SCADA Security Summit.
http://www.sans.org/info/64183

******************************************************************** TRAINING UPDATE New "Combating Malware in the Enterprise" course at SANS (SEC569). How do you fight off malware when you have thousands of hosts? Course debut in Las Vegas (Sept'10) and Washington DC (Dec'10):
http://www.sans.org/security-training/combating-malware-enterprise-1482-mid

- -- SANS Virginia Beach 2010, August 29-September 3, 2010 9 courses. Bonus evening presentations include Future Trends in Network Security; Hack Back! The Advanced Persistent Threat; and Securing the Human.
http://www.sans.org/virginia-beach-2010/

- -- SANS Network Security 2010, Las Vegas, September 19-27, 2010 40 courses. Bonus evening presentations include The Return of Command Line Kung Fu and Cyberwar or Business as Usual? The State of US Federal CyberSecurity Initiatives
http://www.sans.org/network-security-2010/

- -- SOS: SANS October Singapore, October 4-11, 2010 7 courses
http://www.sans.org/singapore-sos-2010/

- -- SANS Chicago 2010, Skokie, Illinois, October 25-30, 2010 7 courses. Bonus evening presentations include Weaponizing LISP: Advancing the Art of Network Security
http://www.sans.org/chicago-2010/night.php

- -- SANS San Francisco 2010, November 5-12, 2010 7 courses
http://www.sans.org/san-francisco-2010/

- -- SANS London 2010, November 27-December 6, 2010 14 courses. Bonus evening presentations include Latest Advances in Computer Forensics and Continuous Vulnerability Testing and Remediation: The 20 Critical Security Controls Perspective
http://www.sans.org/london-2010/

- -- SANS Cyber Defense Initiative 2010, December 10-17, 2010 24 courses.
http://www.sans.org/cyber-defense-initiative-2010/

- -- Looking for training in your own community? http://sans.org/community/ Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus London, Dubai, Bangalore, San Antonio and Sydney all in the next 90 days. For a list of all upcoming events, on-line and live:
http://www.sans.org/index.php

********************************************************

---

TOP OF THE NEWS

Pentagon Opens Up About 2008 Cyber Attack (August 25, 2010)

The Pentagon has acknowledged that a cyber attack in 2008 allowed an unnamed foreign intelligence agency to gain access to US military computer systems. The attack has been traced to an infected USB drive that was plugged into a computer at a US military base in the Middle East. "That code spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control," according to an article in Foreign Affairs by Deputy Defense Secretary William J, Lynn III.
-http://www.washingtonpost.com/wp-dyn/content/article/2010/08/24/AR2010082406528.
html
-http://news.cnet.com/8301-27080_3-20014732-245.html
-http://www.nextgov.com/nextgov/ng_20100825_9203.php?oref=topstory
Access to the full article by Secretary Lynn requires free registration on the site:
-http://www.foreignaffairs.com/articles/66552/william-j-lynn-iii/defending-a-new-
domain?page=show
[Editor's Note (Schultz): The way these attacks spread once again give credence to the SANS term "pivot point." Additionally, it is troubling that so many attacks have crossed the border between unclassified and classified systems. ]

Cyber Security Likely to be Attached to Defense Authorization Bill (August 25, 2010)

Noting that "it's hard to get a measure like cyber security passed on its own," US Senator Tom Carper (D-Delaware) said that legislators may attach cyber security legislation to a defense authorization bill, which is likely to pass before November's mid-term elections. Pairing cyber security with defense makes sense, said Carper, because cyber security is part of national security. Senate Majority leader Harry Reid has asked the chairmen of the various panels that have drafted cyber security legislation to meld their proposals into a single bill.
-http://www.govinfosecurity.com/articles.php?art_id=2868&utm_source=feedburne
r&utm_medium=feed&utm_campaign=Feed%3A+GovinfosecuritycomRssArticles+%28
GovInfoSecurity.com+Articles+RSS%29
[Editor's Note (Northcutt): My best reading of the tea leaves suggests this is a variant of the Lieberman, Collins, Carper announcement in June. Here is a link to the stated provisions at that time and also a list of supporters of the current initiative. I guess this will be interesting for our industry:
-http://hsgac.senate.gov/public/index.cfm?FuseAction=Press.MajorityNews&Conte
ntRecord_id=227d9e1e-5056-8059-765f-2239d301fb7f
-http://www.tradingmarkets.com/news/stock-alert/msft_microsoft-corporation-others
-support-lieberman-collins-carper-cybersecurity-legislation-1080748.html]

Zurich Insurance Fined Over Data Loss (August 24, 2010)

The UK's Financial Services Authority has fined the UK branch of Zurich Insurance GBP 2.27 million (US $3.53 million) for losing data of 46,000 customers. The data were on an unencrypted backup tape that was lost en route to a data storage center in August 2008; the company did not become aware of the missing tape for a year. The information includes names and bank account, credit card and other financial data. The fine was less than it could have been; had the company not agreed early on to settle, it would have been fined GBP 3.25 million (US $5.05 million).
-http://www.h-online.com/security/news/item/Lb2-28-million-fine-for-Zurich-Insura
nce-s-data-loss-1065336.html
-http://www.bbc.co.uk/news/business-11070217

Attorney Files Lawsuits Over Flash Cookies (August 24, 20100

Privacy attorney Joseph Malley has filed a lawsuit against Specificmedia for using technology to respawn cookies that users have deleted. Malley has filed two other similar lawsuits: one against a number of companies, including MTV and Hulu, for using Quantcast technology to recreate cookies and another against Disney and Demand media for using a Clearspring Technology widget that does the same thing. All the technologies use Adobe Flash to store copies of browser cookies; while clearing regular cookies is fairly straightforward, clearing Flash cookies can be complicated because they cannot be managed through browser privacy controls. According to the lawsuits, the companies did not inform users about the use of Flash to store the information; the suits allege that using Flash in this way violates state and federal privacy and computer security laws. Flash cookies allow websites to store 25 times more information than traditional cookies hold.
-http://www.wired.com/epicenter/2010/08/specificmedia-zombie-cookie/
-http://www.zdnet.com/blog/btl/ad-network-at-center-of-third-flash-cookie-lawsuit
/38346
-http://www.wired.com/images_blogs/epicenter/2010/08/No.-1-Attachement-1.pdf

---

********************* INTERESTING FREE RESOURCES ************************

1) SANS ANNOUNCES A NEW, FREE WHITEPAPER RESOURCE ADDED TO THE SANS READING ROOM ON AUGUST 23: "Cloud Security and Compliance in the Cloud: A Primer" by Dave Shackleford
http://www.sans.org/info/64188

****************************************************************************

---

THE REST OF THE WEEK'S NEWS

IBM X-Force 2010 Mid-Year Trend and Risk Report (August 26, 2010)

The IBM X-Force 2010 Mid-Year Trend and Risk Report notes a 36 percent increase in the number of new vulnerabilities reported during the first half of 2010 when compared to the same period in 2009. More than half of the 4,396 reported vulnerabilities were in web applications. The report also cites a 52 percent jump in the number of obfuscated attacks, most commonly hidden in JavaScript and PDF files. Apple, Microsoft and Adobe were listed as the three vendors with the most reported vulnerabilities.
-http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?a
rticleID=227001055&cid=RSSfeed_IWK_News
-http://darkreading.com/vulnerability_management/security/vulnerabilities/showArt
icle.jhtml?articleID=227001090&subSection=Vulnerabilities+and+threats
-http://www.eweek.com/c/a/Security/IBM-Security-Report-Puts-Apple-Microsoft-as-Mo
st-Vulnerable-Vendors-190732/
-http://www-935.ibm.com/services/us/iss/xforce/trendreports/

China Orders Companies to Use Domestic Cyber Security Products (August 25, 2010)

The Chinese government has told banks and other large companies to limit their use of computer security technology from outside the country. The order is part of China's Multi-Level Protection Scheme, an effort to bolster new Chinese companies by eliminating foreign competition. The European Union wants the Chinese government to limit the restrictions to organizations involved in national security.
-http://www.technologyreview.com/wire/26123/?a=f

Apple Issues OS X Security Update (August 25, 2010)

Apple has issued a security update for OS X to address 13 security flaws. Eight of the flaws have been rated critical. The flaws could be exploited to execute arbitrary code, access sensitive data, create denial-of-service conditions or impersonate hosts within a domain. The update affects Mac OS X 10.5.8 client and server and Mac OS X 10.6.4 client and server.
-http://www.h-online.com/security/news/item/Apple-releases-Security-Update-for-Ma
c-OS-X-1065741.html
-http://www.scmagazineus.com/apple-releases-os-x-update-fixes-13-flaws/article/17
7505/
-http://support.apple.com/kb/HT4312

California Legislators Send Improved Breach Notification Bill to Governor Again (August 25, 2010)

California legislators have passed a bill that would specify what information companies must include in data breach notification letters. The measure now goes before Governor Schwarzenegger, who vetoed a similar measure last year. If passed, the legislation would require breach notification letters to include the type of information compromised, the date of the incident, a description of the incident and phone numbers of credit reporting agencies. In addition, the companies would have to explain what steps they are now taking to protect affected customers and provide suggestions about what customers can do to protect themselves. If the breach affects 500 or more people, the companies would be required to send an electronic copy of the notification letter to the state's Attorney General. The measure would put California breach notification laws in line with the Health Information Technology for Economic and Clinical Health (HITECH) Act's notification requirements.
-http://www.darkreading.com/database_security/security/attacks/showArticle.jhtml?
articleID=227001108
-http://www.scmagazineus.com/calif-breach-notification-bill-going-back-to-the-gov
ernor/article/177253/
[Editor's Note (Schultz): Given his actions (or lack thereof) in the past concerning legislation related to protection of consumers, I predict that the California governor will quickly veto this bill. ]

Ireland's Central Applications Office Site Attacked Twice in One Week (August 26, 2010)

For the second time in a week, the website of Ireland's Central Applications Office (CAO) was the target of a cyber attack.
[Ed: The CAO oversees the majority of college applications in Ireland. ]
The attack caused passwords to be reissued to 22,000 applicants. The CAO shut down portions of the site "while
[the ]
IT team assessed the site." Several days earlier, the site was the target of a denial-of-service attack which rendered results of course offers unavailable to applicants. The CAO will conduct an internal inquiry into the attacks.
-http://www.enn.ie/story/show/10125896
-http://www.independent.ie/education/latest-news/cao-site-probe-as--hackers-strik
e-again-2311981.html
-http://www.irishtimes.com/newspaper/ireland/2010/0826/1224277612217.html
-http://www.irishtimes.com/newspaper/ireland/2010/0824/1224277444876.html

YoyoDdos Botnet Targets Chinese, US Sites (August 24 & 26, 2010)

A botnet family dubbed YoyoDdos is believed to be responsible for nearly 200 attacks on websites in China, the US, Germany and South Korea. There are at least 70 variants within the YoyoDdos bot family and 34 command and control servers have been identified, the majority of which are in China. The attacks have targeted a variety of sites, including online merchants, blogs and hosting providers. Some attacks have lasted just a few hours, while others have gone on for two days.
-http://www.scmagazineus.com/ddos-botnet-family-discovered-targeting-scores-of-si
tes/article/177429/
-http://darkreading.com/database_security/security/attacks/showArticle.jhtml?arti
cleID=227100032&subSection=Attacks/breaches

Microsoft Releases Tool to Block DLL Flaw Exploits (August 23, 24 & 26, 2010)

Microsoft has issued an advisory about the insecure DLL loading vulnerability. The issue affects certain applications running on the Windows platform. Exploits for the vulnerability have been released in the wild. Microsoft is checking to see if any of its own applications are vulnerable to exploit and has released a tool to block known exploits of the DLL preloading vulnerability. The flaw does not lie in Windows, but instead in the applications. Microsoft cannot address the problem in Windows without "breaking expected functionality."
-http://www.theregister.co.uk/2010/08/24/binary_planting_attack_advisory/
-http://www.csoonline.com/article/605391/microsoft-releases-tool-to-block-dll-loa
d-hijacking-attacks?source=CSONLE_nlt_update_2010-08-24
-http://darkreading.com/vulnerability_management/security/vulnerabilities/showArt
icle.jhtml?articleID=226900209&subSection=Vulnerabilities+and+threats
-http://www.computerworld.com/s/article/9181699/Windows_DLL_load_hijacking_exploi
ts_go_wild?source=rss_news
-http://www.h-online.com/security/news/item/Microsoft-warns-of-DLL-vulnerability-
in-applications-1064584.html
-http://www.microsoft.com/technet/security/advisory/2269637.mspx
-http://www.us-cert.gov/cas/techalerts/TA10-238A.html
[Editor's Comment (Northcutt): I think Microsoft is starting to turn the corner: ASLR, DEP and mitigation tools like this added to their patching methodology will, I expect, start to make it harder to attack their OS over the next year or so. For the last couple years the defensive community has been on the run, but I would love to see us gain at least a bit of the ground back.]

---

READER'S NOTE:

The following note
[included here with permission ]
came to Rob Lee who is one of the nation's top forensics people and who directs the six-course SANS Forensics Curriculum and manages the principal forensics portal.
[
-http://computer-forensics.sans.org/]

Hey Rob:

I had to stall the SANS 508 course I was taking (via on-demand) due to a high profile case I was working on. The case involved online file sharing where the target was visited by police for items found in his publicly shared folder. When the search warrant took place, police members found out that the suspect had been discovered by his wife and had removed all the child pornography (C.P.) videos, including the ones that were documented in the investigation.

When I got the computer and imaged the drive, nothing was there except deleted partial videos. Keyword searches discovered that at one time, he had hundreds of videos on the computer in his online file shares and incomplete folders. No external devices were located and found in the registry. We located a number of video artifacts in unallocated space and one in the recycle bin (I guess he forgot about that one). Keyword hits also pointed me to the System Volume Information. Not having done

I returned to the course and got to the fourth segment that included the Restore Point and Shadow Forensics section, and this set me in the right direction. After seeing how I could follow the processes and leads from the course, I went into work on Sunday (annual leave) as I wanted to try this right away and see what I could find. Two hours into the process using the leads you document in this course and using Shadow Explorer, I hit on 7 videos of confirmed C.P. that I can now use to charge the suspect with possession and accessing C.P. I am guess that the rest are overwritten by the limitation of the Restore Points (15% of the hard drive in Vista) in the OS, unless you have any other ideas how I can recover move videos. In either case, I have enough to charge the suspect.

The perma grin has not left my face since then (OK, it has only been a few hours) and when I informed the investigators, they were equally excited. Thanks for the SANS Forensics training and especially this course (my third so far), it has been a godsend. The course manuals will always be a great reference for me.

Cheers,

Bob

Detective Bob Elder,

Computer and Mobile Phone Forensics Unit, Victoria Police Department

---

**********************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer at the North American Energy Reliability Commission (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit
http://portal.sans.org/