Newsletters: NewsBites



SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XII - Issue #77

September 28, 2010

TOP OF THE NEWS

Administration Will Seek Changes in Wiretap Rules to Cover New Technologies
RIM Exec Puts Forward Possible Compromise in Encrypted Communication Issue

THE REST OF THE WEEK'S NEWS

Microsoft to Issue Out-of-Band Fix for ASP.NET Flaw
Iran Acknowledges Stuxnet Infections
Stuxnet Propagation Method Allows Re-Infection of Cleaned Systems
Anti-Piracy-Focused Law Firm Suffers Data Breach
Alleged eBay Phisher Arrested in Romania
Bom Sabado Worm Exploits Orkut Cross-Site Scripting Flaw
Mastermind of VoIP-Stealing Scheme Sentenced to 10 Years in Federal Prison
Judge Refuses Request to Throw Out Palin eMail Hacker Guilty Verdict
Prison Sentences for Comcast Redirect Attackers
Here You Have Worm Prompts FBI Investigation



TOP OF THE NEWS

Administration Will Seek Changes in Wiretap Rules to Cover New Technologies (September 27, 2010)

The Obama administration plans to submit a bill to legislators next year that would require all communications services to have technology in place so they will be able to comply with wiretap orders. Targets include services like BlackBerry, Facebook and Skype. The administration claims that the increasing use of online communications has lessened its ability to intercept communications of criminal and terrorism suspects. The proposal is likely to require communications services offering encryption to have a method of decryption; to require foreign companies doing business within the US to establish offices in the country that can intercept the requested communications; and to require peer-to-peer software developers to redesign their products to allow interception. Officials maintain the proposal is not seeking an expansion of authority, but rather is clarifying how wiretaps apply to technologies that did not exist when the original rules were established. The proposal has met with criticism. Columbia University computer science professor Steven M. Bellovin noted that "if they start building in all these back doors, they will be exploited," and Center for Democracy and Technology vice president James X. Dempsey said "They basically want to turn back the clock and make Internet services function the way that the telephone system used to function."
-http://www.nytimes.com/2010/09/27/us/27wiretap.html?_r=2&hp=&pagewanted=all

[Editor's Note (Northcutt): Steven Bellovin is correct; there is ZERO chance of law enforcement being able to implement this and organized crime not being able to exploit it. This is a lose-lose proposal.
(Pescatore): In 1994, we went through the same drill when phone lines went digital and thus the Community Assistance to Law Enforcement Act which forced telecoms vendors to build in back doors to enable legal surveillance. There always needs to be a balance between what technology can do and what society allows law enforcement to do. ]

RIM Exec Puts Forward Possible Compromise in Encrypted Communication Issue (September 27, 2010)

Addressing what is becoming a hot-button issue, co-CEO of BlackBerry parent company Research in Motion (RIM) Jim Balsillie said that while his company does not have the capability to provide governments with encryption keys to unscramble communications sent over its systems, the companies themselves could offer those keys to governments that request them. Balsillie observed that governments demanding the keys could scare companies away from doing business in that country. In recent months, governments of several countries have expressed concern over their inability to access plaintext versions of communications over RIM networks. The current US administration plans to introduce legislation that would require services like BlackBerry to be ready to comply with wiretap orders (see story above).
-http://www.msnbc.msn.com/id/39387290/ns/technology_and_science-security/
[Editor's Note (Pescatore): This ground has been traveled before, as there is precedent for businesses having to give keys to locked cabinets, combinations to safes, etc. in response to legal search orders. The real issue is governments want the ability to do surveillance *without* the target knowing, see item 40. ]



THE REST OF THE WEEK'S NEWS

Microsoft to Issue Out-of-Band Fix for ASP.NET Flaw (September 27, 2010)

Microsoft has announced that it will issue an out-of-band patch for the ASP.NET vulnerability. Microsoft has already acknowledged that the flaw is being exploited in limited attacks. The flaw, which has been given a severity rating of Important, affects all versions of the .NET framework on Windows Server operating systems. Microsoft projects that the fix will be available at approximately 10:00 am PDT (5:00 pm GMT) on Tuesday, September 28. Internet Storm Center:
-http://isc.sans.edu/diary.html?storyid=9619
-http://news.cnet.com/8301-27080_3-20017781-245.html?tag=mncol;title
-http://mcpmag.com/articles/2010/09/27/microsoft-revises-asp.net-security-advisory.aspx
-http://blogs.technet.com/b/msrc/archive/2010/09/27/out-of-band-release-to-address-microsoft-security-advisory-2416728.aspx

-http://www.microsoft.com/technet/security/advisory/2416728.mspx
[Editor's Note (Northcutt): When Microsoft issues an out-of-band patch, download, test and install as quickly as possible. They have become the masters of patching and they do not like to do out-of-band, but when the need is that great, they escalate to out-of-band. ]

Iran Acknowledges Stuxnet Infections (September 25, 26 & 27, 2010)

An Iranian IT official said that 30,000 IP addresses in the country are infected with the Stuxnet worm. The project manager at the Bushehr power plant, which is scheduled to go online in just a few weeks, said the plant has not been harmed, and that only personal computers of staff members have been infected; some have speculated that the worm was designed to attack that specific plant and/or the uranium enrichment facility in Natanz. The Stuxnet worm's sophistication has led to conjectures that it was created "with nation-state support and backing." Discovered by researchers in Belarus, the worm was designed to attack specific configurations of Siemens Simatic WinCC supervisory control and data acquisition (SCADA) software.
-http://www.nytimes.com/2010/09/26/world/middleeast/26iran.html?_r=1&hp
-http://www.washingtonpost.com/wp-dyn/content/article/2010/09/26/AR2010092600971.html
-http://www.cnn.com/2010/TECH/innovation/09/24/stuxnet.computer.malware/index.html
-http://www.theregister.co.uk/2010/09/27/stuxnet_analysis/
-http://www.computerworld.com/s/article/9188018/Iran_confirms_massive_Stuxnet_infection_of_industrial_systems?taxonomyId=82
-http://www.bbc.co.uk/news/world-middle-east-11414483
-http://www.nytimes.com/2010/09/27/technology/27virus.html?partner=rss&emc=rss

Stuxnet Propagation Method Allows Re-Infection of Cleaned Systems (September 27, 2010)

Liam O'Murchu, a Symantec researcher who has been analyzing Stuxnet since July, has described another way Stuxnet spreads and keeps machines infected. The worm injects a malicious DLL into all Step 7 projects on compromised computers, so when that file is opened, the machine becomes re-infected.
[Step 7 is the Siemens software used to program and configure the German company's industrial control system hardware ]

-http://www.computerworld.com/s/article/9188238/Stuxnet_worm_can_re_infect_scrubbed_PCs?taxonomyId=17

Anti-Piracy-Focused Law Firm Suffers Data Breach (September 27, 2010)

A law firm known for sending letters to suspected filesharers demanding payment and threatening possible legal action is being investigated by the UK Information Commissioner's Office (ICO) for possible violations of the Data Protection Act. ACS:Law was one of several websites that came under attack last week from a group protesting anti-piracy activity; the Recording Industry Association of America (RIAA) and the Motion Picture Association of America (MPAA) were also targeted. The problem arose following the attack; when ACS:Law put its website back up, a compressed file containing sensitive personal information was exposed. The information has subsequently been uploaded to The Pirate Bay. Of particular concern is an unencrypted list of approximately 5,300 people who received letters from ACS:Law accusing them of illegal sharing of adult films online. Human rights watchdog organization Privacy International advisor Alexander Hanff said that while the Anonymous group is behind the DDoS attacks, "there's no evidence at all that they hacked the server."
-http://www.bbc.co.uk/news/technology-11418962
-http://www.zdnet.co.uk/news/security-threats/2010/09/27/privacy-group-takes-on-acslaw-over-porn-data-breach-40090288/
-http://www.guardian.co.uk/technology/2010/sep/27/email-leak-data-online-activists

-http://www.theregister.co.uk/2010/09/27/anti_piracy_lawyer_email_leak/

Alleged eBay Phisher Arrested in Romania (September 27, 2010)

Romanian officials have arrested a man in connection with phishing attacks that targeted eBay employees. Liviu Mihail Concioiu allegedly launched two attacks in 2009 in which he tried to get eBay employees to divulge their IDs and passwords; he also allegedly used the account information he obtained through the attacks to access an eBay database and steal information. Concioiu also allegedly worked with two other men to steal money from Italian bank accounts with phony ATM cards.
-http://www.eweekeurope.co.uk/news/ebay-phishing-suspect-arrested-in-romania-10065
-http://www.darkreading.com/security/attacks/showArticle.jhtml?articleID=227500663

-http://www.theregister.co.uk/2010/09/24/ebay_spear_phishing_attack/

Bom Sabado Worm Exploits Orkut Cross-Site Scripting Flaw (September 27, 2010)

More than 400,000 users of Google's Brazilian social networking site Orkut have been hit by a worm exploiting a cross-site scripting (XSS) vulnerability. The worm reportedly spreads through a malicious iFrame and targets the site's scrapbook feature. The attack also adds infected profiles to a community that is described as an effort to force a faster fix for the vulnerability from Orkut parent company Google.
-http://www.scmagazineuk.com/google-owned-orkut-social-network-sees-400000-users-hit-by-xss-vulnerability/article/179667/

-http://www.networkworld.com/news/2010/092710-googles-orkut-battered-by-bom.html

Mastermind of VoIP-Stealing Scheme Sentenced to 10 Years in Federal Prison (September 24 & 26, 2010)

The ringleader of a scheme to steal voice over Internet protocol (VoIP) services has been sentenced to 10 years in federal prison. Edwin Pena ran a pair of companies that sold discounted VoIP services. Although the companies claimed to be legitimate VoIP resellers, Pena and an accomplice, Robert Moore, figured out how to gain access to other companies' networks and routed customers' calls through those networks. Pena was also ordered to pay more than US $1 million in restitution. Moore received a two-year sentence for his part in the scheme.
-http://www.scmagazineus.com/extradited-voip-hacker-sentenced-to-10-years/article/179538/
-http://www.theregister.co.uk/2010/09/24/voip_hacker_sentenced/
-http://www.computerworld.com/s/article/9187919/Man_gets_10_years_for_VoIP_hacking?taxonomyId=82

Judge Refuses Request to Throw Out Palin eMail Hacker Guilty Verdict (September 25, 2010)

The guilty verdict against the college student who broke into then-vice presidential candidate Sarah Palin's Yahoo! Mail account will stand. A federal judge has refused a motion from David C. Kernell's attorney to have Kernell's convictions thrown out. Kernell is scheduled to be sentenced next month. His defense attorney is appealing his case to the 6th Circuit Court of Appeals. According to testimony during the trial, Kernell tried to access the account after reading in the New York Times that Palin used that account to conduct business while she was governor of Alaska. In April, Kernell was found guilty of misdemeanor illegal email access and felony anticipatory obstruction of justice for attempting to clear his computer of evidence. As part of the bid to have his client's convictions thrown out, Kernell's attorney argued that the FBI had not even launched a probe when Kernell cleared his computer.
-http://www.knoxnews.com/news/2010/sep/25/palin-hackers-verdict-stands/

Prison Sentences for Comcast Redirect Attackers (September 24, 2010)

Two men who hijacked Comcast's domain name in May 2008 and redirected users to a website they had created have each been sentenced to 18 months in prison. Christopher Allen Lewis and Michael Paul Nebel have also been ordered to pay nearly US $90,000 in restitution and will serve three years of supervised release once they have completed their prison terms. In August, a third man involved in the prank, James Robert Black Jr., was sentenced to four months in prison. The indictment says the men gained control of the Comcast.net domain with two phone calls and one email to domain name registrar Network Solutions.
-http://www.wired.com/threatlevel/2010/09/comcast-hijackers/
-http://www.theregister.co.uk/2010/09/24/comcast_hijack_sentencing/
-http://www.computerworld.com/s/article/9187978/Comcast_hackers_get_18_months_in_prison?taxonomyId=82

Here You Have Worm Prompts FBI Investigation (September 23, 2010)

The FBI is investigating an email worm that affected email systems at major US businesses earlier this month. The "here you have" worm, which was named for its subject line, affected email systems at Disney, NASA and other large companies. The FBI sought information from IDG News Service because the individual claiming to be responsible for the attack has been communicating with IDG via email. The individual uses the moniker Iraq Resistance.
-http://www.computerworld.com/s/article/9187703/FBI_investigating_Here_you_have_worm?taxonomyId=82



**********************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer at the North American Energy Reliability Commission (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/