SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XII - Issue #75
September 21, 2010
TOP OF THE NEWS
Microsoft Says Millions of ASP.net-Based Web Sites Vulnerable To Major Attack
Proposed Legislation Would Allow DoJ to Seek Injunctions to Shut Down Piracy Sites
Intel Says HDCP Master Key Leaked
Some Sites Circumvent IE Cookie Settings
THE REST OF THE WEEK'S NEWS
Stuxnet Virus May Be Aimed at Iranian Nuclear Reactor
Adobe Issues Fix for Zero-Day Flash Flaw Ahead of Schedule
Activists Launch DDoS Attacks Against RIAA, MPAA Sites
Germany Calls for Voluntary Privacy Code
Former Hospital Employee Charged with HIPAA Violations
Two Sentenced in Credit Card Fraud Scheme
New VA Cyber Security Tool
Six Year Sentence for Role in Card Fraud Scheme
FDIC Issues Guidance on Printer, Fax and Copier Data Exposure Risks
TOP OF THE NEWS
Microsoft Says Millions of ASP.net-Based Web Sites Vulnerable To Major Attack (September 20, 2010)
Microsoft confirmed that a vulnerability disclosed at a Buenos Aires hacker conference is present in "millions of web sites" that rely on the ASP.Net framework. The researchers showed how attackers can exploit an error in ASP.Net's encryption to decrypt data on a remote server, and read and copy files from a site or Web application that relies on the framework. Especially vulnerable to theft are user names and passwords. Microsoft has published a tool to detect vulnerable ASP.Net applications and established a dedicated support forum (-http://forums.asp.net/1233.aspx) to answer questions from people building web sites and applications.
-http://www.computerworld.com/s/article/9186842/Microsoft_sounds_alert_on_massive_Web_bug
[Editor's Note (Pescatore): When you learn to drive, they always try to ingrain "defensive driving" into you, as driving is dangerous. Since software engineering is still an oxymoron, and web sites represent the "LA Freeway" (Or "LIE" for you East Coasters) of software, defensive web site techniques are clearly required to protect customer and business data. ]
Proposed Legislation Would Allow DoJ to Seek Injunctions to Shut Down Piracy Sites (September 20, 2010)
Proposed US legislation would allow the US Justice Department (DoJ) to seek court orders to shut down websites that facilitate piracy anywhere in the world. The Combating Online Infringement and Counterfeits Act would allow the DoJ to ask for injunctions that would order US domain registrars and registries to cease resolving the domain name of piracy sites.
-http://news.cnet.com/8301-31001_3-20016995-261.html
-http://www.wired.com/threatlevel/2010/09/justice-department-piracy/
-http://www.wired.com/images_blogs/threatlevel/2010/09/CombatingOnlineInfringementAndCounterfeitsAct1.pdf
[Editor's Note (Schultz): This approach seems much more straightforward than approaches that have been used in the past. At the same time, however, pirates will simply move from one site to another if and when this proposed legislation is passed. ]
Intel Says HDCP Master Key Leaked (September 17, 2010)
Intel has acknowledged that a master key leaked to the Internet unlocks Blu-ray High-bandwidth Digital Content Protection (HDCP) encryption. The technology was designed to protect high-definition video content. The key could be used to remove encryption from HD satellite TV broadcasts and DVRs. Intel says the hack would prove difficult, and has said that it will take legal action against anyone who uses the key to develop hardware that defeats HDCP technology.
-http://www.wired.com/threatlevel/2010/09/intel-threatens-consumers/
-http://www.theregister.co.uk/2010/09/17/hdcp_copy_protection_crack/
Some Sites Circumvent IE Cookie Settings (September 17, 2010)
Researchers from the Carnegie Mellon University School of Engineering's CyLab say that certain websites exploit a hole in Internet Explorer (IE) that allows cookies to install on users' computers even if they have set their privacy controls to block cookies. Twenty-one of the 100 most-visited websites, including Facebook, AOL, Amazon and Hulu, allow cookies to install even when users have set IE preferences not to allow cookies. In some cases, the website's configuration is an error; those sites do not appear to intend to circumvent IE privacy controls. But in at least half of the sites examined, efforts appear to have been made to get around the cookie block. The problem lies in the way the browser and the website exchange information to determine if the site's privacy policy agrees with the browser's settings.
-http://bits.blogs.nytimes.com/2010/09/17/a-loophole-big-enough-for-a-cookie-to-fit-through/
[Editor's Note (Skoudis): This story is an example of why it's vitally important to actually analyze technology through careful penetration testing to make sure that it faithfully implements its own configuration. Just because something is configured "correctly" doesn't mean that the system is actually secure. We saw this kind of issue a couple years back with the configuration to disable the Windows USB autoplay feature that Conficker took advantage of, and we see it in other technologies as well.
(Pescatore): Another reason why business movement towards opt-in models would be a very good thing. The old P3P settings on browsers and websites became the V-Chip of the Internet: overly complex, unusable, ineffective. ]
THE REST OF THE WEEK'S NEWS
Stuxnet Virus May Be Aimed at Iranian Nuclear Reactor (September 21, 2010)
A highly sophisticated computer worm that has spread through Iran, Indonesia and India was built to destroy operations at one target: possibly Iran's Bushehr nuclear reactor. That's the emerging consensus of security experts who have examined the Stuxnet worm. In recent weeks, they've broken the cryptographic code behind the software and taken a look at how the worm operates in test environments. Researchers studying the worm all agree that Stuxnet was built by a very sophisticated and capable attacker, possibly a nation state, and it was designed to destroy something big.
-http://www.computerworlduk.com/news/security/3240458/stuxnet-virus-may-be-aimed-at-iran-nuclear-reactor/
Adobe Issues Fix for Zero-Day Flash Flaw Ahead of Schedule (September 20, 2010)
Adobe released a patch for a zero-day vulnerability in Flash Player on Monday, September 20, a week earlier than the company had planned on issuing a fix for the flaw. The vulnerability can be exploited to take control of systems running Flash Player by tricking users into opening specially crafted Word or PDF documents or visiting websites that have been laced with malware. The flaw is being actively exploited in limited, targeted attacks. The flaw was patched in Google's Chrome browser on Friday, September 17 because of an agreement struck between Google and Adobe last April. This arrangement bundles Flash with Chrome and delivers the updates for the plug-in when the browser gets its silent updates. The flaw affects Adobe Flash player versions 10.1.82.76 and earlier for Windows, Mac OS X, Linux and Solaris and versions 10.1.92.10 for Android handsets. The flaw also affects Adobe Reader versions 9.3.4 and earlier. There are no reports that the flaw is being exploited in Reader. Adobe will release an updated version of Reader on October 4.
-http://www.theregister.co.uk/2010/09/20/adobe_flash_vuln_patch/
-http://www.computerworld.com/s/article/9186638/Adobe_moves_up_Flash_fix_will_patch_bug_today?taxonomyId=85
-http://www.h-online.com/security/news/item/Adobe-to-release-Flash-update-today-1082317.html
-http://www.kb.cert.org/vuls/id/275289
Activists Launch DDoS Attacks Against RIAA, MPAA Sites (September 20, 2010)
Groups protesting actions taken against The Pirate Bay have launched distributed denial-of-service (DDoS) attacks against the Motion Picture Association of America (MPAA) and the Recording Industry Association of America (RIAA) websites. The attacks were announced on 4chan; the British Phonographic Industry (BPI) website appears to be next in line for attacks. The attacks appear to have been prompted by a report that an Indian software company called Aiplex had been hired by film industry executives to take measures to stop sites hosting pirated film content; among the company's arsenal, according to the report, was launching DDoS attacks against the sites that had refused to comply with takedown orders. Aiplex was also among the activists' targets.
-http://www.bbc.co.uk/news/technology-11371315
-http://www.theregister.co.uk/2010/09/20/4chan_ddos_mpaa_riaa/
Germany Calls for Voluntary Privacy Code (September 20, 2010)
Following a meeting with Google, Apple and several other companies about the accessibility of personal information online, the German government is calling for a voluntary data protection code. Germany wants the privacy pact to be in place by December 7, 2010. At the same time, reports indicate that "several hundred thousand" people have opted out of having their homes visible on Google's Street View online feature. People in Germany have until October 15 to opt out of the service. Street View opponents want the service to be entirely opt-in; Google assumes that if users have not opted out, then they are willing to have their homes made visible through the service.
-http://www.bbc.co.uk/news/technology-11370647
-http://www.computerworld.com/s/article/9186719/Germans_flood_Google_with_Street_View_opt_out_requests?taxonomyId=84
-http://dns.tmcnet.com/topics/internet-security/articles/103064-germany-asks-google-more-stringent-privacy-standards.htm
[Editor's Note (Pescatore): Imagine if Peeping Toms could just tell the judge "well, no one said they did *not* want me to peek into their windows." (Northcutt): This is very forward thinking. Who can oppose giving people a say in how their information is used? Hopefully the system will be simple and painless to use. ]
Former Hospital Employee Charged with HIPAA Violations (September 16 & 18, 2010)
A former surgical instrument technician at UPMC Shadyside Hospital in Pittsburgh, Pennsylvania, has been charged with violations of the Health Insurance Portability and Accountability Act (HIPAA). Paul C. Pepala allegedly accessed the names, birth dates and Social Security numbers (SSNs) of UPMC Shadyside Hospital patients in February 2008 and disclosed the information to other people. The information was used to file phony tax returns. If convicted of all charges in the 14 count indictment, Pepala faces up to 80 years in prison and a maximum fine of US $4.73 million.
-http://www.phiprivacy.net/?p=3786
-http://www.pittsburghlive.com/x/pittsburghtrib/news/pittsburgh/s_699655.html
Two Sentenced in Credit Card Fraud Scheme (September 17, 2010)
Two men involved in a forgery ring that used information stolen from grocery stores in Florida and New England to make phony credit cards have been sentenced to prison terms. Jerome Abaquin Gonzales was sentenced to one year in prison; earlier this month, he pleaded guilty to felony conspiracy to commit credit card fraud and trafficking and possessing access card materials. Thomas Michio Taniguchi has been sentenced to 92 months in prison; he pleaded guilty to 50 counts of fraudulent possession of access card account information. Taniguchi used stolen information to make phony credit cards and used them to buy merchandise and gift cards and to obtain cash at more than 30 stores in Orange County, California. Gonzales helped to sell some of the merchandise and gift cards obtained with the phony cards.
-http://www.dailynews.com/crime/ci_16105486
-http://articles.dailypilot.com/2010-09-18/news/tn-dpt-0919-taniguchi-20100918_1_credit-card-bogus-cards-access-card
New VA Cyber Security Tool (September 17, 2010)
Department of Veterans Affairs (VA) assistant secretary for information and technology Roger Baker said that his agency expects to have a new security tool up and running by the end of the month. Once fully deployed, the tool will allow information security officials access to real-time security status information of nearly one million computers, printers and other devices on the VA's network. The tool will allow the VA to identify and remove unauthorized and unencrypted devices that are connected to the network. Information that will be accessible includes operating systems and when and where devices last connected to the network.
-http://fcw.com/articles/2010/09/17/va-installs-cybersecurity-software-on-its-network.aspx?admgarea=TC_SECCYBERSEC
Six Year Sentence for Role in Card Fraud Scheme (September 16 & 17, 2010)
Cesar Carranza has been sentenced to six years in prison for his participation in a stolen credit card cash laundering scheme. Carranza pleaded guilty in December to one count of conspiring to launder unlawful proceeds. Prosecutors allege Carranza was part of a group of cyber criminals who operated through websites that traded in stolen credit card information. Carranza appears to have been involved in laundering cash obtained from ATMs using stolen credit information. He also appears to have sold technology to those who stole the card information that allowed them to encode blank cards with the stolen data.
-http://www.theregister.co.uk/2010/09/17/ubuywerush_sentenced/
-http://www.wired.com/threatlevel/2010/09/ubuywerush/
FDIC Issues Guidance on Printer, Fax and Copier Data Exposure Risks (September 15, 2010)
The US Federal Deposit Insurance Corporation (FDIC) has issued a document for financial institutions titled "Guidance on Mitigating Risk Posed by Information Stored on Photocopiers, Fax Machines and Printers." The document describes the risks inherent in the use of the devices because they may contain hard drives or flash memory that retains information transmitted by the devices. Many financial institutions lease these devices and return them at the end of the lease period. The guidance recommends that financial institutions establish and enforce "written policies and procedures to identify devices that store digital images of business documents and ensure their hard drive or flash memory is erased, encrypted or destroyed prior to being returned to the leasing company, sold to a third party or otherwise disposed of." The guidance was issued because field examiners "felt the vast majority of bankers that they dealt with ... were completely unaware of the problem."
-http://www.fdic.gov/news/news/financial/2010/fil10056.pdf
-http://searchfinancialsecurity.techtarget.com/news/article/0,289142,sid185_gci1520280,00.html
[Editor's Note (Pescatore): Good advice for just about everything you use today that has either a power cord or a battery, since pretty much anything that has power stores something. (Honan): The European Network and Information Security Agency (ENISA) has also published a whitepaper on "Secure Printing" and the risks associated with document printing and copying. It is available free from
-http://www.enisa.europa.eu/act/ar/deliverables/2008/secure-printing]
**********************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.
Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Mark Weatherford, CISSP, CISM, is Chief Information Security Officer at the North American Energy Reliability Commission (NERC).
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/