SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XII - Issue #72

September 10, 2010

The outrage over US-CERT's security patching is silly and almost entirely misplaced. The auditors missed the big problem and the big opportunity, and so are costing the agency unnecessary funds and delaying important improvements. For details, see my comment after the first story in "THE REST OF THE WEEK'S NEWS."

If you want to avoid worrying about being infected by PDF files because of flaws in Adobe software, see the very cool (free) solution described in Stephen Northcutt's comment on the "Zero-Day Reader Flaw" story.
Alan

---

TOP OF THE NEWS

Microsoft Wins Legal Round in Fight Against Waledac Botnet
Court Says Judges May Require Prosecutors to Obtain a Warrant to Access Cell Phone Location Data
Lawsuit Challenges Laptop Border Searches

THE REST OF THE WEEK'S NEWS

DHS IG Audit Finds Security Issues on US-CERT Systems
Microsoft to Offer Unusually Large Batch of Bulletins Next Week
Hotel Parent Company Acknowledges Cyber Intrusion
New Mass-Mailing Worm Detected
Suspended Sentence for RBS WorldPay Mastermind
Zero-Day Reader Flaw Exploited in Targeted Attacks
TalkTalk Criticized for Running Secret Anti-Malware Pilot

---

************************** Sponsored By IBM ************************
Join us for a live demonstration of IBM Rational AppScan Source Edition on September 16, 2010 at 1pm EST. We will focus primarily on Source Edition for Security illustrating "power user" functionality and reporting while providing a solid overview of the AppScan Source Edition product.
For more information on AppScan Source Edition please visit: http://www.sans.org/info/64523 *********************************************************************
TRAINING UPDATE New "Combating Malware in the Enterprise" course at SANS (SEC569). How do you fight off malware when you have thousands of hosts? Course debut in Las Vegas (Sept'10) and Washington DC (Dec'10):
http://www.sans.org/security-training/combating-malware-enterprise-1482-mid

-- SANS Network Security 2010, Las Vegas, September 19-27, 2010 41 courses. Bonus evening presentations include The Return of Command Line Kung Fu and Cyberwar or Business as Usual? The State of US Federal CyberSecurity Initiatives
http://www.sans.org/network-security-2010/

-- SOS: SANS October Singapore, October 4-11, 2010 5 courses
http://www.sans.org/singapore-sos-2010/

-- SANS Chicago 2010, Skokie, Illinois, October 25-30, 2010 6 courses. Bonus evening presentations include Weaponizing LISP: Advancing the Art of Network Security and Examining the Global Underground of Malicious Actors
http://www.sans.org/chicago-2010/night.php

-- SANS San Francisco 2010, November 5-12, 2010 7 courses. Bonus evening presentations include Weaponizing LISP: Advancing the Art of Network Security
http://www.sans.org/san-francisco-2010/

-- SANS London 2010, November 27-December 6, 2010 14 courses. Bonus evening presentations include Latest Advances in Computer Forensics and Continuous Vulnerability Testing and Remediation: The 20 Critical Security Controls Perspective
http://www.sans.org/london-2010/

-- SANS Cyber Defense Initiative 2010, Washington DC, December 10-17, 2010 24 courses. Bonus evening presentations include Browser Based Defenses; Continuous Vulnerability Testing and Remediation: the 20 Critical Security Controls Perspective; and Cyberwar or Business as Usual? The State of US Federal CyberSecurity Efforts
http://www.sans.org/cyber-defense-initiative-2010/

-- Looking for training in your own community? http://sans.org/community/ Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus London, Dubai, Geneva, Bangalore, San Antonio and Sydney all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php ********************************************************

---

TOP OF THE NEWS

Microsoft Wins Legal Round in Fight Against Waledac Botnet (September 8 & 9, 2010)

The Waledac botnet may soon suffer a final blow now that a federal magistrate judge has recommended that ownership of nearly 300 addresses used to control the botnet be transferred to Microsoft. Waledac was effectively disabled in February when District Court Judge Leonie Brinkema granted a temporary restraining order to take the 276 domains in question offline. If Judge Brinkema agrees with the recent recommendation, the order would become permanent. Waledac was considered to be one of the 10 largest botnets and a significant source of spam.
-http://www.usatoday.com/tech/news/2010-09-08-botnets08_ST_N.htm
-http://www.theregister.co.uk/2010/09/08/waledac_takedown_success/
-http://news.cnet.com/8301-27080_3-20015912-245.html?tag=mncol;title
-http://blog.seattlepi.com/microsoft/archives/220697.asp
-http://www.securecomputing.net.au/News/231510,microsoft-to-assume-control-over-w
aledac-domains.aspx
[Editor's Note (Pescatore): The importance of this ruling is getting some legal precedent that, with enough evidence, a temporary restraining order can be used to immediately shut down domains hosting malware without giving the operators enough time to update compromised PCs with new command and control paths. The downside is this is a US-centric ruling to what is really an international Internet governance issue - the ICANN Uniform Dispute Resolution Policy needs to be updated to support similar rapid takedowns. ]

Court Says Judges May Require Prosecutors to Obtain a Warrant to Access Cell Phone Location Data (September 7 & 9, 2010)

A US federal appeals court has ruled that judges have the option to require prosecutors to obtain a warrant before accessing cell phone location data if judges believe it is justified. The US Court of Appeals for the Third Circuit did not address the question of whether such information is protected under the Fourth Amendment.
-http://news.cnet.com/8301-31921_3-20015743-281.html
-http://www.wired.com/threatlevel/2010/09/cell-site-data/
-http://www.computerworld.com/s/article/9184180/Warrants_may_be_needed_for_cell_p
hone_data_court_says?taxonomyId=17
-http://www.msnbc.msn.com/id/39047605/ns/technology_and_science-security/

Lawsuit Challenges Laptop Border Searches (September 7, 2010)

The American Civil Liberties Union (ACLU) has filed a lawsuit challenging the Obama administration's border search policies that allow officials to search and seize laptops and other electronic information devices for any reason. The lawsuit calls the policy unconstitutional and seeks to end the arbitrary searches. ACLU attorney Catherine Crump says the government "should at least have some reasonable suspicion" to justify the searches."
-http://www.washingtonpost.com/wp-dyn/content/article/2010/09/06/AR2010090603221.
html
-http://www.wired.com/threatlevel/2010/09/laptop-border-searches/
-http://www.computerworld.com/s/article/9183839/ACLU_other_groups_sue_U.S._over_b
order_laptop_searches?taxonomyId=144

---

********** REALLY INTERESTING NEW PROGRAM ON SCADA SECURITY ************** How has the threat to control systems changed during the last year? Who are the new attackers? What actually happened in the Stuxnet worm attacks? What did DHS and DoD find when they conducted security assessments in control utilities and other control system users? What new technology allows some SCADA engineers to sleep well at night not worrying about attackers hacking into their control systems? Find answers to these questions and more at the: SANS 2010 European SCADA Security Summit in London next month, focusing on "changing form talk to action" You'll also learn innovative and effective governments and power companies and other industries are doing to counter the threats. http://www.sans.org/info/64398 ****************************************************************************

---

THE REST OF THE WEEK'S NEWS

DHS IG Audit Finds Security Issues on US-CERT Systems (September 8 & 9, 2010)

According to a report from the US Department of Homeland Security's (DHS) inspector general (IG), their computer systems at the United States Computer Emergency Readiness Team (US-CERT) suffer from a number of high-risk vulnerabilities. Most of the vulnerabilities are due to software patches that have not been applied to the systems. Ironically, the systems reviewed in the audit are those that "US-CERT uses to compile and analyze information about cyber security incidents that civilian agencies report." The flaws detected could be exploited to execute commands remotely, gain unauthorized access to information and create denial-of-service conditions.
-http://www.wired.com/threatlevel/2010/09/us-cert/
-http://www.nextgov.com/nextgov/ng_20100909_5549.php?oref=topnews
-http://www.dhs.gov/xoig/assets/mgmtrpts/OIG_10-111_Aug10.pdf
[Editor's Note (Schultz): As the founder of the first US government incident response team, I am saddened to see the sad state of operations in the majority of government incident response teams today.
(Paller): The DHS auditor would find the same weak patching levels all over DHS, caused entirely by failure of the DHS CISO to keep up with proven methods of continuous monitoring. It is the CISO's job to provide the automation that ensures US-CERT systems are kept current. Forcing US-CERT to buy their own testing and automation tools is wasteful. US-CERT is one part of the National Cyber Security Division, which is one part of National Protection and Programs and that is just one of 25 major elements on the organization chart at DHS. Had the DHS CISO (with the IG's help) implemented the continuous monitoring system that the State Department deployed a year ago when he actively chose not to do so, the IG would not have found most of the problems he did at US-CERT, and more importantly all the other divisions of DHS that are connected to US-CERT would have been safer as well and less of a threat to US-CERT systems. ]

Microsoft to Offer Unusually Large Batch of Bulletins Next Week (September 9, 2010)

Microsoft will issue nine security bulletins on Tuesday, September 14. Four of the nine bulletins are rated critical; the remaining five are rated important; they will address security issues in Windows, Office and Microsoft web server software. Tuesday's release marks an unusually large number of bulletins for an odd-numbered month. Microsoft normally saves large releases of bulletins for even-numbered months; in August, the company issued 14 bulletins, the largest number it has ever issued in one month. Those bulletins addressed 34 vulnerabilities, which tied the record. There is speculation that some of the September bulletins will address the DLL hijacking vulnerability.
-http://news.cnet.com/8301-27080_3-20015997-245.html?tag=mncol;title
-http://www.computerworld.com/s/article/9184372/Microsoft_plans_double_sized_Patc
h_Tuesday_next_week?taxonomyId=17
-http://www.microsoft.com/technet/security/bulletin/ms10-sep.mspx
[Editor's Note (Liston): I always find the "bulletin count" thing to be a little silly. If you issue two "bulletins," each detailing five vulnerabilities affecting four platforms, and each of these requires ten different patches to account for language pack differences, what really happened? If you ask me, you issued "400 patches" - ask Microsoft, and they issued "two bulletins." ]

Hotel Parent Company Acknowledges Cyber Intrusion (September 9, 2010)

HEI Hospitality, the company that owns and operates upscale hotel chains such as Marriott, Sheraton and Weston, has sent letters to 3,400 customers to notify them that their credit card data may have been compromised in a security breach. The incident occurred in March or April and involved an intrusion into a point-of-sale system at some properties operated by HEI.
-http://www.computerworld.com/s/article/9184398/Hotel_operator_warns_of_data_brea
ch?taxonomyId=17

New Mass-Mailing Worm Detected (September 9, 2010)

There are reports that a new mass-mailing worm is spreading. The worm spreads through email messages with the subject line "Here you have;" the body of the message includes a link that appears to lead to a PDF file, but instead leads to a malicious executable file. For users' machines to become infected, they must agree to install what claims to be a screensaver, but is actually the worm, which tries to disable security software and then sends itself to everyone in the infected computer's email contact list. The worm is the first wide-spread infection of this type in nearly a decade. Internet Storm Center:
-http://isc.sans.edu/diary.html?storyid=9529
-http://www.scmagazineus.com/mass-email-worm-found-spreading/article/178577/
-http://www.computerworld.com/s/article/9184438/_Here_you_have_e_mail_worm_spread
s_quickly

Suspended Sentence for RBS WorldPay Mastermind (September 8, 2010)

Viktor Pleshchuk, who helped orchestrate the US $9 million RBS WorldPay cyber heist, has reportedly received a six-year suspended sentence in Russia. He was ordered to serve four years probation. He was also reportedly ordered to pay US $8.9 million in restitution. Pleshchuk's reduced sentence is believed to be due to his cooperation with authorities; he revealed the names of some of his accomplices and the location of about US $60,000 in cash. Pleshchuk faces additional charges for the theft in the US.
-http://www.wired.com/threatlevel/2010/09/viktor-pleshchuk/
-http://www.computerworld.com/s/article/9184179/Report_RBS_WorldPay_hacker_gets_f
our_years_probation?taxonomyId=17

Zero-Day Reader Flaw Exploited in Targeted Attacks (September 8 & 9, 2010)

A zero-day flaw in Adobe Reader is being actively exploited, according to researchers. The attack spreads through a maliciously crafted PDF file that accompanies email messages. The attacks thus far appear to be targeted, as those who have received the malicious messages "work on common issues." The flaw affects Adobe Reader versions 9.3.4 and earlier for Windows, Mac OS X and Unix. The flaw affects Adobe Acrobat as well. Until a patch is available, users are urged to use caution when opening PDF files. Internet Storm Center:
-http://isc.sans.edu/diary.html?storyid=9523
-http://www.theregister.co.uk/2010/09/08/adobe_reader_0day/
-http://www.computerworld.com/s/article/9184146/Hackers_exploit_new_PDF_zero_day_
bug_warns_Adobe?source=rss_news
-http://www.h-online.com/security/news/item/Adobe-warns-of-zero-day-vulnerability
-in-Reader-and-Acrobat-1075787.html
[Editor's Note (Northcutt): I now have gPDF, the plug-in for Firefox and Chrome that intercepts PDF links and opens them in Google Apps working on 32 bit Vista and 64 bit Windows 7. The beauty of this is it never runs on your system so it cannot infect your system. There are limitations (the file has to be named .pdf), but it is a huge step forward for home systems.
-https://addons.mozilla.org/en-US/firefox/addon/14814/]

TalkTalk Criticized for Running Secret Anti-Malware Pilot (September 7, 2010)

The UK Information Commissioner's Office (ICO) has chastised Internet service provider (ISP) TalkTalk for not informing its customers or the ICO about running a trial of anti-malware technology. The system keeps track of the URLs of websites visited by TalkTalk customers and checks them for malware. TalkTalk customers were automatically included in the trial. The omission has been compared to BT's silent testing of behavior tracking technology to help target online advertising to its users, which met with criticism. TalkTalk dismisses the comparison, saying its program is designed to keep its customers safe.
-http://www.bbc.co.uk/news/technology-11213488
-http://www.zdnet.co.uk/news/security/2010/09/07/privacy-watchdog-raps-talktalk-o
ver-url-scanning-40090025/

[Editor's Note (Honan): This story highlights the difficulties many ISPs within the EU and in other jurisdictions have when they proactively attempt to clean up their networks.
(Schultz): The issue here is intriguing--how far can a service provider go in stemming the tide with respect to customers picking up malware from malicious Web sites and do customers need to be informed about what the provider is doing? By informing its customers in advance, TalkTalk could have avoided much or perhaps even all the controversy that has arisen. ]

---

**********************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer at the North American Energy Reliability Commission (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/