SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XII - Issue #76

September 24, 2010

TOP OF THE NEWS

Judge Says No Harm, No Damages in Hannaford Case
T-Mobile Seeks to Dismiss Suit Over Text Blocking
Better Free Antivirus Software Spurs Improvements in Paid Products

THE REST OF THE WEEK'S NEWS

FBI Launches Investigation into "Here you have" worm
Microsoft Says ASP.Net Flaw Being Exploited in Limited Attacks
US Cyber Command Chief Wants Secure Network for Civilian Gov't. Agency and Critical Infrastructure Systems
Man Launched DDoS Attacks in Retaliation for Public Humiliation
Cisco Issues Updates for IOS and Unified Communications Manager
MouseOver Twitter Malware Exploits Old Flaw
DoJ Wants Court to Reverse Ruling on Warrantless GPS Tracking
Stuxnet Designed to Cause Damage to Specific Systems
Man Extradited to US to Face Charges Related to Running Site That Enabled Bank Fraud

---

**************** Sponsored By SANS San Francisco ********************* November marks several important reasons to visit San Francisco: mild weather, crabs, and the last West Coast SANS conference of the year -- SANS San Francisco 2010! Featured courses are in alignment with DoD Directive 8570 requirements for Baseline IA Certifications, and this is your last opportunity to get these courses while experiencing a major SANS West Coast event this year! http://www.sans.org/info/65108 *********************************************************************

TRAINING UPDATE
New "Combating Malware in the Enterprise" course at SANS (SEC569). How do you fight off malware when you have thousands of hosts? Course debut in Las Vegas (Sept'10) and Washington DC (Dec'10):
http://www.sans.org/security-training/combating-malware-enterprise-1482-mid

-- SANS Network Security 2010, Las Vegas, September 19-27, 2010 41 courses. Bonus evening presentations include The Return of Command Line Kung Fu and Cyberwar or Business as Usual? The State of US Federal CyberSecurity Initiatives
http://www.sans.org/network-security-2010/

-- SOS: SANS October Singapore, October 4-11, 2010 7 courses
http://www.sans.org/singapore-sos-2010/

-- SANS Chicago 2010, Skokie, Illinois, October 25-30, 2010 6 courses. Bonus evening presentations include Weaponizing LISP: Advancing the Art of Network Security and Examining the Global Underground of Malicious Actors
http://www.sans.org/chicago-2010/night.php

-- SANS San Francisco 2010, November 5-12, 2010 7 courses. Bonus evening presentations include Weaponizing LISP: Advancing the Art of Network Security
http://www.sans.org/san-francisco-2010/

-- SANS London 2010, November 27-December 6, 2010 14 courses. Bonus evening presentations include Latest Advances in Computer Forensics and Continuous Vulnerability Testing and Remediation: The 20 Critical Security Controls Perspective
http://www.sans.org/london-2010/

-- SANS Cyber Defense Initiative 2010, Washington DC, December 10-17, 2010 24 courses. Bonus evening presentations include Browser Based Defenses; Continuous Vulnerability Testing and Remediation: the 20 Critical Security Controls Perspective; and Cyberwar or Business as Usual? The State of US Federal CyberSecurity Efforts
http://www.sans.org/cyber-defense-initiative-2010/

- - -- Looking for training in your own community? http://sans.org/community/ Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus London, Dubai, Geneva, Bangalore, San Antonio and Sydney all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php *********************************************************************

---

TOP OF THE NEWS

Judge Says No Harm, No Damages in Hannaford Case (September 22, 2010)

Maine's State Supreme Court has ruled that people whose personal data were compromised in the Hannaford Bros. grocery store chain security breach may not seek damages unless they incurred a tangible injury or uncompensated financial loss as a result. The decision puts an end to a class action lawsuit filed on behalf of affected consumers who were seeking compensation for time and effort spent changing payment cards and bank accounts after the breach. The judge who originally heard the case dismissed all the complaints except for one from a woman whose bank had not reimbursed her for fraudulent charges on her card.
-http://www.computerworld.com/s/article/9187340/Maine_court_limits_damage_claims_
in_data_breach_cases?source=rss_news

T-Mobile Seeks to Dismiss Suit Over Text Blocking (September 22 & 23, 2010)

T-Mobile is asking a court to dismiss a case brought by a text messaging company against the wireless provider. EZ Texting said that T-Mobile violated federal communications rules by blocking its messages from a medical marijuana site. T-Mobile maintains the decision to block the messages was not due to their content, but because EZ Texting violated the terms of its contract by not seeking approval of a short code for the site in question. T-Mobile says it has the right to determine which text messages to send over its network. At issue is the question of whether wireless carriers are subject to the same "must carry" requirements that govern wired phone service providers.
-http://www.wired.com/threatlevel/2010/09/text-message-censorship/
-http://voices.washingtonpost.com/posttech/2010/09/t-mobile_asks_court_to_reject.
html

Better Free Antivirus Software Spurs Improvements in Paid Products (September 22, 2010)

Makers of paid antivirus products are improving their products as the availability of free antivirus software increases. Among the most significant benefits of free antivirus protection is the increased use of the technology, meaning cyber criminals will have a smaller playground. This leaves the paid providers with the need to demonstrate why people should pay for their products. A USA Today survey of antivirus programs found that free packages often lack firewalls, website health checks, automatic updates and customer support. Some of the paid systems offer predictive technologies and some are using cloud computing, meaning the processing resources used to recognize and block attacks are moved from users' systems. Users are predicted to spend US $7.2 billion on antivirus protection this year.
-http://lastwatchdog.com/anti-virus-protection-case-paid-vs-free/
[Editor's Note (Schultz): Before people decide whether to purchase a commercial or free version of AV software, they need to look at the results of independent testing of a number of these products by NSSLabs. The results showed that the majority of the AV tools tested were not very proficient in detecting and eradicating malware such as Trojan horses. ]

---

*********************** Sponsored Link: ****************************
1) SANS Chicago: They say location is everything, but more important is the value of the training that supports your professional development and impacts your business. What value will you get at SANS Chicago 2010? * A line-up of our top courses and instructors, including Dr. Eric Cole, Rob Lee, Jason Fossen, Jason Lam, Ted Demopoulos, and Jim Shewmaker * Evening talks from Tom Holt and John 'Kanen' Flowers * Access to our vendor expo, featuring LogMatrix, SailPoint, and Saint. The end of the year will be on us soon. If you have personal or professional certification goals for 2010/2011 don't miss the Chicago opportunity in October. http://www.sans.org/info/65093 **********************************************************************

---

THE REST OF THE WEEK'S NEWS

FBI Launches Investigation into "Here you have" worm (September 22, 2010)

The Federal Bureau of Investigation (FBI) recently launched an investigation into the "Here you have" worm that disrupted commercial and US government email services and clogged Internet traffic flow for hours. FBI agents have spoken with an employee of the IDG News Service who allegedly has been in contact with "Iraqi Resistance," the person who claims to be the worm's author. The whereabouts and true motive of the alleged author are currently unknown.
-http://www.computerworld.com/s/article/9187703/FBI_investigating_Here_you_have_w
orm

Microsoft Says ASP.Net Flaw Being Exploited in Limited Attacks (September 21 & 23, 2010)

Microsoft has updated its advisory about an unpatched vulnerability in ASP.Net to note that the flaw is being actively exploited in limited attacks to hijack encrypted web sessions. The flaw is present in all versions of Microsoft's ASP.Net web application framework and can be exploited to access web applications with full Administrator rights and access sensitive data. Microsoft said it will fix the vulnerability, but has not said when that fix would be made available.
-http://www.computerworld.com/s/article/9187519/Hackers_exploit_latest_Microsoft_
zero_day_bug?taxonomyId=17
-http://www.theregister.co.uk/2010/09/21/asp_dot_net_padding_oracle_fix/
-https://www.microsoft.com/technet/security/advisory/2416728.mspx

US Cyber Command Chief Wants Secure Network for Civilian Gov't. Agency and Critical Infrastructure Systems (September 23, 2010)

Speaking to reporters a day prior to his scheduled testimony before the House Armed Services Committee, Army General Keith B. Alexander said that he would like to see the creation of a secure network for civilian government agency and critical infrastructure computer systems. Alexander heads the Defense Department's US Cyber Command as well as the National Security Agency (NSA).
-http://www.washingtonpost.com/wp-dyn/content/article/2010/09/23/AR2010092302171.
html
-http://www.washingtonpost.com/wp-dyn/content/article/2010/09/23/AR2010092305431.
html
-http://www.nytimes.com/2010/09/24/us/24cyber.html?_r=1&ref=technology
-http://www.wired.com/dangerroom/2010/09/militarys-cyber-commander-swears-no-role
-on-civilian-networks/
-http://www.informationweek.com/news/government/security/showArticle.jhtml?articl
eID=227500515
[Editor's Note (Ranum): They already HAD a secure network. But then they made it insecure by allowing thumb drives and other tools to link it to the internet. If the taxpayers give them another "secure network" what should make us believe they won't make the exact same mistakes all over again?

Man Launched DDoS Attacks in Retaliation for Public Humiliation (September 23, 2010)

Bruce Raisley has been found guilty of creating and spreading malware and using the infected computers to launch distributed denial-of-service (DDoS) attacks. Raisley launched the attacks in retaliation for being humiliated by his former employer. Raisley had worked for an organization that attempted to identify and apprehend pedophiles by posing as minors in chat rooms, but he left the company because he questioned the legality of the group's methods. The group's founder then created a phony Internet profile of a woman who became involved in a cyber relationship with Raisley. The person then published photographs of Raisley waiting for the non-existent woman at the airport. Raisley launched the DDoS attacks against sites that ran stories about the events. The attacks occurred in 2007 and 2008; The FBI raided Raisley's home in March 2008.
-http://abcnews.go.com/Blotter/burned-sex-sting-hacker-bruce-raisley-attacks-comp
uters/story?id=11703057&page=1
-http://news.softpedia.com/news/Programmer-Found-Guilty-for-Creating-DDoS-Botnet-
157820.shtml
[Editor's Note (Schultz): The motive in this case closely aligns with what statistics regarding insider attacks indicate--that hostility and retribution are the major motives in insider attacks, and have been so for years.
(Northcutt): The statement "truth is stranger than fiction" comes to mind. I guess the only thing left to do here is create a dark, but cerebral movie based on the story. ]

Cisco Issues Updates for IOS and Unified Communications Manager (September 22 & 23, 2010)

Cisco has issued six security advisories to address vulnerabilities in its Internetwork Operating System (IOS) and Cisco Unified Communications Manager. Cisco IOS software is used on the company's routers and network switches. The advisories address a total of 12 vulnerabilities. Some of the flaws could be exploited to crash vulnerable systems. Cisco issues IOS security patches twice a year.
-http://www.net-security.org/secworld.php?id=9907
-http://www.csoonline.com/article/617975/cisco-releases-critical-ios-security-pat
ches?source=rss_news
-http://www.h-online.com/security/news/item/Cisco-scheduled-bug-fixes-1095153.htm
l
-http://news.softpedia.com/news/Cisco-Patches-Twelve-Denial-of-Service-Vulnerabil
ities-in-IOS-157656.shtml

MouseOver Twitter Malware Exploits Old Flaw (September 21 & 22, 2010)

An Australian student said he tweeted the MouseOver JavaScript code that was eventually exploited to redirect users to pornographic or malicious websites. The malware spreads when users put their cursors over a tweet infected with the code. Twitter said that the flaw exploited by the code was fixed about a month ago, but a site update reintroduced the problem.
-http://www.pcmag.com/article2/0,2817,2369491,00.asp
-http://voices.washingtonpost.com/fasterforward/2010/09/twitter_users_hit_with_mo
useov.html
-http://www.scmagazineuk.com/twitter-hit-by-worm-that-infects-other-tweets-with-r
ogue-code/article/179251/
-http://www.guardian.co.uk/technology/2010/sep/21/twitter-internet-worm-hacking-a
ttack

DoJ Wants Court to Reverse Ruling on Warrantless GPS Tracking (September 21, 2010)

The US Justice Department wants the full US Court of Appeals for the District of Columbia to reverse a ruling from a three judge panel earlier this year that overturned the conviction and prison sentence for a cocaine dealer whose activities were tracked for a month with a GPS device affixed to his vehicle without a warrant. Three other US Circuit Courts have ruled that law enforcement agents do not need warrants for tracking vehicles with GPS devices. The appeals court said that a US Supreme Court case from 1983 in which a tracking beacon was used without a warrant to follow a suspect to a secluded location did not apply in this case because of the scope of the surveillance.
-http://www.wired.com/threatlevel/2010/09/public-privacy/

Stuxnet Designed to Cause Damage to Specific Systems (September 21 & 22, 2010)

Emerging analysis of the Stuxnet worm indicates it was designed to attack supervisory control and data acquisition (SCADA) systems rather than steal company secrets. Researchers have noted that Stuxnet was created to attack specific configurations of Siemens Simatic SCADA system software, leading some to speculate that the worm's creators had specific targets in mind. In particular, some believe the worm was created to cause damage at Iranian nuclear facilities.
-http://www.wired.com/threatlevel/2010/09/stuxnet/
-http://www.csmonitor.com/USA/2010/0921/Stuxnet-malware-is-weapon-out-to-destroy-
Iran-s-Bushehr-nuclear-plant
-http://www.theregister.co.uk/2010/09/22/stuxnet_worm_weapon/
-http://www.pcworld.com/businesscenter/article/205827/was_stuxnet_built_to_attack
_irans_nuclear_program.html
[Editor's Note (Paller): Gary McGraw describes what he learned about the internal workings of Stuxnet in a briefing he called "Stunning. And awful." Stunning. And awful."
-http://www.informit.com/articles/article.aspx?p=1636983
(Honan): Symantec has a good write up of this worm at
-http://www.symantec.com/connect/blogs/exploring-stuxnet-s-plc-infection-process.]

Man Extradited to US to Face Charges Related to Running Site That Enabled Bank Fraud (September 21, 2010)

Dmitry M. Naskovets has been extradited to the US from the Czech Republic to face charges that he operated a website that helped people conduct fraudulent bank transactions. Naskovets's site connected fraudsters with people who spoke English and German and were willing to call banks and pretend they were account holders to authorize transactions. The indictment charges Naskovets with conspiracy to commit wire fraud, conspiracy to commit credit card fraud and aggravated identity theft. Co-conspirator Sergey Semasko was arrested by authorities in Belarus.
-http://www.theregister.co.uk/2010/09/21/id_theft_website_extradition/
-http://www.scmagazineus.com/alleged-ringleader-of-id-theft-operation-extradited-
to-new-york/article/179274/

---

**********************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer at the North American Energy Reliability Commission (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/