SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XII - Issue #73

September 14, 2010

TOP OF THE NEWS

Federal Appeals Court Says Software License Does Not Allow Resale of Product
Microsoft Will Grant Russian Opposition Groups Blanket Software Licenses

THE REST OF THE WEEK'S NEWS

Zero-Day Flaw in Adobe Flash Player
Microsoft Toolkit Can Protect Systems from PDF Zero-Day Exploit
Grants Available for Programs to Retrain NASA Shuttle Worker for Cybersecurity Jobs
"Here you have" and "David Leadbetter One Point Lesson" Malware Spread
Hospital Appeals Breach Notification Violation Fine
DoS Attacks Part of Arsenal in Fight Against Film Piracy
Mass. AG Objects to Hospital's Decision Not to Notify Data Breach Victims Personally
Mayo Clinic Employee Fired for Snooping

---

*********************** Sponsored By zScaler ***********************

ALERT: Ambushed by Facebook and Twitter? Whether poisoning search results through Search Engine Optimization (SEO) techniques, masquerading as a trusted colleague thanks to social networks, or sneaking into app stores; attackers are leveraging the very resources that we've grown to trust. Join experts for an educational webcast on Oct 5 with keynote by FORRESTER.

http://www.sans.org/info/64663 *********************************************************************

TRAINING UPDATE New "Combating Malware in the Enterprise" course at SANS (SEC569). How do you fight off malware when you have thousands of hosts? Course debut in Las Vegas (Sept'10) and Washington DC (Dec'10):
http://www.sans.org/security-training/combating-malware-enterprise-1482-mid

-- SANS Network Security 2010, Las Vegas, September 19-27, 2010 41 courses. Bonus evening presentations include The Return of Command Line Kung Fu and Cyberwar or Business as Usual? The State of US Federal CyberSecurity Initiatives
http://www.sans.org/network-security-2010/

-- SOS: SANS October Singapore, October 4-11, 2010 7 courses
http://www.sans.org/singapore-sos-2010/

-- SANS Chicago 2010, Skokie, Illinois, October 25-30, 2010 6 courses. Bonus evening presentations include Weaponizing LISP: Advancing the Art of Network Security and Examining the Global Underground of Malicious Actors
http://www.sans.org/chicago-2010/night.php

-- SANS San Francisco 2010, November 5-12, 2010 7 courses. Bonus evening presentations include Weaponizing LISP: Advancing the Art of Network Security
http://www.sans.org/san-francisco-2010/

-- SANS London 2010, November 27-December 6, 2010 14 courses. Bonus evening presentations include Latest Advances in Computer Forensics and Continuous Vulnerability Testing and Remediation: The 20 Critical Security Controls Perspective
http://www.sans.org/london-2010/

-- SANS Cyber Defense Initiative 2010, Washington DC, December 10-17, 2010 24 courses. Bonus evening presentations include Browser Based Defenses; Continuous Vulnerability Testing and Remediation: the 20 Critical Security Controls Perspective; and Cyberwar or Business as Usual? The State of US Federal CyberSecurity Efforts
http://www.sans.org/cyber-defense-initiative-2010/

-- Looking for training in your own community? http://sans.org/community/ Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus London, Dubai, Geneva, Bangalore, San Antonio and Sydney all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

********************************************************

---

TOP OF THE NEWS

Federal Appeals Court Says Software License Does Not Allow Resale of Product (September 13, 2010)

A decision from the 9th US Circuit Court of Appeals says that software copyright holders may prohibit resale of their products by inserting clauses that specify these terms into sales agreements, such as shrink-wrap and click-wrap licenses. The case involves software manufacturer Autodesk, which sued a man for reselling its products on eBay. The decision appears to derail the first-sale doctrine, which allows people who legitimately own copyrighted works to resell them. The court said that the doctrine does not apply "to those who are only licensed to use their copies of copyrighted works."
-http://www.wired.com/threatlevel/2010/09/first-sale-doctrine/
-http://www.theregister.co.uk/2010/09/13/autodesk_software_sale_restriction_rulin
g/
-http://www.ca9.uscourts.gov/datastore/opinions/2010/09/10/09-35969.pdf

Microsoft Will Grant Russian Opposition Groups Blanket Software Licenses (September 11 & 13, 2010)

Microsoft says it will take steps to prevent its agents in Russia from participating in software piracy investigations of non-governmental organizations (NGOs) that oppose the Russian government. The announcement comes in response to reports that Russian security services have been seizing computers from advocacy groups in Russia under the guise of investigating pirated Microsoft software. The raids often occur shortly before the NGOs are planning events or wanting to draw attention to causes. Microsoft says it will grant NGOs in Russia and other countries blanket software licenses for which they would not have to apply, effectively eliminating the possibility of software piracy investigations.
-http://www.nytimes.com/2010/09/14/world/europe/14raid.html?_r=1&ref=technolo
gy
-http://www.nytimes.com/2010/09/12/world/europe/12raids.html?sq=microsoft%20russi
a&st=cse&adxnnl=1&scp=1&adxnnlx=1284408026-j7YcmeayhoUM998KOKk2A
w
-http://www.computerworld.com/s/article/9184999/Microsoft_to_issue_blanket_licens
e_to_NGOs?taxonomyId=17

---

************************** Sponsored Link: *******************************

1) REGISTER NOW! Special Webcast with Vikram Phatak, CTO of NSS Labs: IPS in the Real World: Stopping the Latest Threats Without Sacrificing Performance http://www.sans.org/info/64668 ****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Zero-Day Flaw in Adobe Flash Player (September 13, 2010)

Adobe is warning of a second zero-day vulnerability (see story below), this one in Adobe Flash Player. The critical flaw affects Flash Player 10.1.82.76 for Windows, Mac OS X, Linux, Solaris and Android, and is being actively exploited in Windows. As with the previously disclosed flaw in Reader, this vulnerability can be exploited to crash systems and possibly take control of them. Users can protect themselves from attacks by using Firefox with the NoScript add-on, which blocks Flash content but lets users provide a list of trusted websites that will be allowed to run Flash. Adobe plans to release a patch for the Flash vulnerability in two weeks, and to issue a fix for the zero-day flaw in Reader in three weeks. Internet Storm Center:
-https://isc.sans.edu/diary.html?storyid=9544
-http://www.theregister.co.uk/2010/09/13/adobe_flash_0day_vuln/
-http://www.computerworld.com/s/article/9185218/Adobe_sounds_alarm_on_Flash_zero_
day_attacks?taxonomyId=17
-http://www.adobe.com/support/security/advisories/apsa10-03.html

Microsoft Toolkit Can Protect Systems from PDF Zero-Day Exploit (September 10, 11 & 13, 2010)

Microsoft's Enhanced Mitigation Experience Toolkit (EMET) can be used to help protect users' computers from attacks exploiting a zero-day vulnerability in Adobe Acrobat and Adobe Reader. Adobe has yet to issue a patch for the flaw, which it has rated as critical. The vulnerability could be exploited to cause system crashes and gain control of systems that have been infected. Internet Storm Center:
-https://isc.sans.edu/diary.html?storyid=9538
-http://blogs.technet.com/b/srd/archive/2010/09/10/use-emet-2-0-to-block-the-adob
e-0-day-exploit.aspx
-http://www.h-online.com/security/news/item/Microsoft-tool-blocks-attacks-on-Adob
e-Reader-hole-1077700.html
-http://news.cnet.com/8301-1009_3-20016161-83.html?tag=mncol;title
-http://www.eweek.com/c/a/Security/Microsoft-Security-Tool-Mitigates-Adobe-Zeroda
y-Vulnerability-140681/
-http://www.computerworld.com/s/article/9184878/Microsoft_helps_Adobe_block_PDF_z
ero_day_exploit?taxonomyId=82
-http://www.adobe.com/support/security/advisories/apsa10-02.html

Grants Available for Programs to Retrain NASA Shuttle Workers for Cybersecurity Jobs (September 10, 2010)

The US Commerce Department has opened a competition for US $35 million in grants for projects that help retrain people who used to work on the NASA Space Shuttle program for jobs that meet the needs of their regions. Among those competing for funding is the Global Institute for Cybersecurity and Research near the Kennedy Space Center; the National Institute of Standards and Technology (NIST) is helping to establish the institute.
-http://www.nextgov.com/nextgov/ng_20100910_7598.php?oref=topnews

"Here you have" and "David Leadbetter One Point Lesson" Malware Spread (September 10, 12 & 13, 2010)

A person claiming to be responsible for the spread of an old-school email virus last week says the attack was designed to be used "to reach my voice to people maybe ... or maybe other things." The unidentified individual says the worm spread more widely than he had expected and that he is opposed to the US war in Iraq. The worm hit some large US organizations, clogging email systems with messages. The worm contains malicious components including keystroke-logging capability and a backdoor. The worm is named for the subject line that it arrived with: "Here you have." In a separate story, a targeted malware attack that arrived with the subject line "David Leadbetter One Point Lesson" set its sights on golf-playing executives and managers at certain organizations. This attack asked recipients to click on an attached PDF document that was crafted to exploit a zero-day flaw in Adobe Reader and Acrobat.
-http://www.computerworld.com/s/article/9184818/Anti_US_hacker_takes_credit_for_H
ere_you_have_worm?taxonomyId=17
-http://darkreading.com/insiderthreat/security/attacks/showArticle.jhtml?articleI
D=227400137&subSection=Attacks/breaches
-http://www.theregister.co.uk/2010/09/13/hacker_claims_credit_for_here_you_have_w
orm/
-http://www.scmagazineus.com/major-us-organizations-hit-by-here-you-have-email-wo
rm/article/178636/
-http://content.usatoday.com/communities/technologylive/post/2010/09/here-you-hav
e-and-david-leadbetter-email-viruses-target-corporations/1

Hospital Appeals Breach Notification Violation Fine (September 10, 2010)

A California hospital is appealing a US $250,000 fine for allegedly waiting too long before reporting a data security breach. The California Department of Public Health imposed the fine on the Lucile Packard Children's Hospital at Stanford University for failing to report the theft of a computer that contained sensitive patient information in a timely manner. A California state statute requires that breaches of health data be reported to government agencies and affected individuals within five days.
-http://www.computerworld.com/s/article/9184679/Hospital_appeals_250_000_fine_for
_late_breach_disclosure?taxonomyId=17

DoS Attacks Part of Arsenal in Fight Against Film Piracy (September 8 & 10, 2010)

An Indian company says it was hired to help Indian film distributors fight film piracy; in some cases, the company launches denial-of-service (DoS) attacks against websites that fail to comply with takedown orders. Aiplex Software first searched for sites that were offering downloads of newly released movies and sent orders to stop the illegal activity. Most sites took down the offending content, but those that ignore the orders found their sites under attack.
-http://www.theregister.co.uk/2010/09/10/bollywood_cyber_vigilantes_fight_movie_p
irates/
-http://www.smh.com.au/technology/technology-news/film-industry-hires-cyber-hitme
n-to-take-down-internet-pirates-20100907-14ypv.html?from=smh_sb
[Editor's Note (Northcutt): I really have to wonder where they are getting their firepower. If it is a single site, I imagine it is only a matter of time till the torrents fire back. And of course this is not legal in many countries, I predict this will be short lived, but fun press for a short period. ]

Mass. AG Objects to Hospital's Decision Not to Notify Data Breach Victims Personally (September 8 & 10, 2010)

South Shore Hospital in South Weymouth, Massachusetts, will not send notification letters to 800,000 people whose personal information may have been compromised in a data security breach involving missing boxes of computer backup tapes. The hospital released a report last week that said an investigation concluded that the missing backup data poses "little to no risk" to patients; the hospital plans to notify the public of the breach through announcements in newspapers and on the Internet. The Massachusetts attorney general's office has objected to the hospital's decision not to send breach notification letters. While the hospital maintains that its plan is consistent with Massachusetts breach notification law, the AG's office says that more stringent breach notification requirements under HITECH take precedence.
-http://bostonherald.com/business/healthcare/view.bg?articleid=1280045&positi
on=1
-http://www.govinfosecurity.com/articles.php?art_id=2907&opg=1

Mayo Clinic Employee Fired for Snooping (September 9, 2010)

The Mayo Clinic has fired an employee who snooped on patient medical and financial information. The snooping occurred between 2006 and 2010, and was discovered in July 2010. The employee, who worked at Mayo Clinic offices in Arizona and Minnesota, appears to have looked at the files of approximately 1,700 patients. The employee's position entailed access to patient information, but the data accessed in this case went beyond the defined scope of the position. The motive appears to be curiosity.
-http://www.postbulletin.com/newsmanager/templates/localnews_story.asp?z=2&a=
469014

---

**********************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer at the North American Energy Reliability Commission (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/