SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XII - Issue #81

October 12, 2010

TOP OF THE NEWS

European Commission Says It's Time for Information System Attack Directive
Irish High Court Cannot Compel ISP to Implement Three-Strikes Anti-Piracy Policy
Bill Would Protect Municipalities and School Districts from Bank Fraud
Most US Agencies Will Miss November 15 CyberScope Deadline

THE REST OF THE WEEK'S NEWS

Oracle's October Critical Patch Update to Fix 82 Vulnerabilities
UAE Calls Off Planned Ban of BlackBerry Services
The Many Faces of ZeuS
Univ. of Michigan Students Found More Security Issues in Online Voting System
Student Finds Tracking Device on Car; FBI Demands it Back
FCC Considering Initiatives to Encourage ISPs to Help Fight Bot Infections

---

************************ Sponsored By IBM (ISS) ************************ Leadership in Intrusion Prevention As Demonstrated By IBM IPS technology is the cornerstone for protection against IT threats. Read this paper to understand the competitive differentiators that make particular IPS products better than others and gain insight into the attributes that make an IPS engine strong or weak, and common pitfalls that should be avoided when considering IPS technology. http://www.sans.org/info/65908 *************************************************************************

TRAINING UPDATE New "Combating Malware in the Enterprise" course at SANS (SEC569). How do you fight off malware when you have thousands of hosts? Course debut in Las Vegas (Sept'10) and Washington DC (Dec'10):
http://www.sans.org/security-training/combating-malware-enterprise-1482-mid

-- SANS Chicago 2010, Skokie, Illinois, October 25-30, 2010 6 courses. Bonus evening presentations include Weaponizing LISP: Advancing the Art of Network Security and Examining the Global Underground of Malicious Actors
http://www.sans.org/chicago-2010/night.php

-- SANS San Francisco 2010, November 5-12, 2010 7 courses. Bonus evening presentations include Weaponizing LISP: Advancing the Art of Network Security
http://www.sans.org/san-francisco-2010/

-- SANS London 2010, November 27-December 6, 2010 14 courses. Bonus evening presentations include Latest Advances in Computer Forensics and Continuous Vulnerability Testing and Remediation: The 20 Critical Security Controls Perspective
http://www.sans.org/london-2010/

-- SANS Cyber Defense Initiative 2010, Washington DC, December 10-17, 2010 24 courses. Bonus evening presentations include Browser Based Defenses; Continuous Vulnerability Testing and Remediation: the 20 Critical Security Controls Perspective; and Cyberwar or Business as Usual? The State of US Federal CyberSecurity Efforts
http://www.sans.org/cyber-defense-initiative-2010/

-- SANS Security East 2011, New Orleans, LA, January 20-27, 2011 12 courses. Bonus evening presentations and special events include Happy Little Clouds: Governing, Assessing and Auditing Cloud Environments and Future Trends in Network Security
http://www.sans.org/security-east-2011/

-- Looking for training in your own community? http://sans.org/community/ Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Dubai, Geneva, Bangalore, San Antonio and Sydney all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php ************************* Sponsored Link ************************* 1) InstantSecurityPolicy.com - Quick, Custom IT Security Policy Templates, Delivered Online - Comprehensive, Complete and 100% Guaranteed! http://www.sans.org/info/65913 *********************************************************************

---

TOP OF THE NEWS

European Commission Says It's Time for Information System Attack Directive (October 11, 2010)

The European Commission (EC) wants to replace a five year old information system attack framework decision with a Directive that will coordinate laws regarding cyber attacks across member states. The Lisbon Treaty, which went into effect on December 1, 2009, changes the rules in the EU Council of Ministers so that passage of proposals requires a majority rather than unanimous approval, eliminating the possibility of one country blocking passage of legislation. The Directive would ensure that all EU states have laws in place that adequately deal with emerging cyber threats, particularly botnets.
-http://www.theregister.co.uk/2010/10/11/eu_new_cybercrime_law/
-http://www.scmagazineuk.com/european-commission-to-take-cyber-crime-seriously-wi
th-proposal-to-change-framework-to-directive/article/180795/

Irish High Court Cannot Compel ISP to Implement Three-Strikes Anti-Piracy Policy (October 11, 2010)

Despite an out-of-court settlement with Irish Internet service provider (ISP) Eircom which resulted in the implementation of a three-strikes anti-piracy policy at that ISP, a group of four major record labels cannot compel another ISP, UPC, to establish a similar policy. The High Court ruled that there are no laws in Ireland that allow Internet users who are suspected of illegal filesharing to be identified and have their service cut. While Justice Peter Charleton noted that the music industry was suffering significant financial losses due to online piracy, he also said there was not legislation in place in the country to enforce the system the music labels wanted. Justice Charleton also said that the nonexistence of the laws means that Ireland is not in compliance with EU law. UPC affirmed that it does not support piracy, and that its "whole premise and defence focused on the mere conduit principle which provides that an ISP cannot be held liable for content transmitted across its network."
-http://www.independent.ie/national-news/upc-scores-landmark-victory-in-illegal-d
ownloads-case-2374221.html
-http://www.siliconrepublic.com/new-media/item/18232-record-labels-fail-in-bid/
[Editor's Note (Honan): While at first reading this ruling may look like a victory for UPC, the judge's comments are very interesting. I suspect the record labels will no doubt start lobbying the Irish government to implement laws to meet the agenda of the record labels. ]

Bill Would Protect Municipalities and School Districts from Bank Fraud (October 8 & 11, 2010)

Proposed legislation in the US Senate would grant municipalities and school districts the same protections against financial loss through cyber theft that are already afforded individuals under the Electronic Fund Transfer Act (EFTA). The bill, introduced by Senator Charles Schumer (D-NY), would modify Regulation E of EFTA to exempt the entities from liability as long as the cyber theft is reported in a timely fashion. EFTA caps consumer liability for unauthorized EFTs at US $50. The legislation still would not provide relief for small and mid-sized businesses which have gone head-to-head with banks over hundreds of thousands of dollars in fraudulent transactions; the banks maintain that because the cyber thieves used valid credentials, they are not liable for the losses.
-http://krebsonsecurity.com/2010/10/bill-would-give-cities-towns-and-schools-same
-e-banking-security-guarantees-as-consumers/
-http://www.computerworld.com/s/article/9190103/Bill_would_protect_towns_schools_
from_cybertheft_losses?taxonomyId=17
-http://www.scmagazineus.com/banking-bill-would-treat-schools-towns-like-consumer
s/article/180818/
Text of Bill:
-http://krebsonsecurity.com/wp-content/uploads/2010/10/A-BILL-To-amend-the-Electr
onic-Fund-Transfer-Act-Schumer-as-of-October-6-2010-AYO10H67.pdf

Most US Agencies Will Miss November 15 CyberScope Deadline (October 8 & 11, 2010)

Federal officials say most US government agencies are unlikely to meet a November 15, 2010 deadline for implementing automated security monitoring tools to send Federal Information Security Management Act (FISMA) compliance data to CyberScope. The program is designed to cut down on the extraneous paperwork generated by FISMA reporting practices. The idea is to have the agencies conduct real time surveillance of their networks. Eighty-five percent of federal Cybersecurity managers have not yet implemented the CyberScope software. Agencies lacking real time surveillance systems must record certain information, save it in a digital format and submit it to CyberScope. The November 15 deadline was set by the Office of Management and Budget (OMB).
-http://www.informationweek.com/news/government/security/showArticle.jhtml?articl
eID=227701081&cid=RSSfeed_IWK_All
-http://www.nextgov.com/nextgov/ng_20101008_1048.php?oref=topnews

---

THE REST OF THE WEEK'S NEWS

Oracle's October Critical Patch Update to Fix 82 Vulnerabilities (October 8 & 11, 2010)

On Tuesday, October 12, Oracle plans to release its quarterly Critical Patch Update to address 81 vulnerabilities in hundreds of products. Thirty-one of the flaws affect the Oracle Sun Product Suite. Oracle will also fix 29 security flaws in Java SE and Java for Business.
-http://www.scmagazineus.com/oracle-fixes-add-to-massive-patch-load-expected-tues
day/article/180688/
-http://www.h-online.com/security/news/item/Oracle-plans-comprehensive-patch-day-
including-Java-1105078.html
-http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html
-http://www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html

UAE Calls Off Planned Ban of BlackBerry Services (October 8 & 10, 2010)

The United Arab Emirates (UAE) will not ban BlackBerry service within its borders. The UAE had threatened to ban the services as of October 11 if Blackberry's parent company Research in Motion (RIM) did not provide access to BlackBerry communications. The UAE Telecommunications Regulatory Authority says that Blackberry services now conform to their regulations and that "all BlackBerry services in the UAE will continue to operate as normal and no suspension of service will occur on October 11." Exactly what concessions RIM may have made to appease UAE authorities has not been clarified.
-http://www.nytimes.com/aponline/2010/10/08/business/global/AP-BlackBerry-Crackdo
wn.html?_r=1&partner=rss&emc=rss
-http://www.cnn.com/2010/WORLD/meast/10/08/uae.blackberry/index.html
-http://www.bbc.co.uk/news/technology-11499755

The Many Faces of ZeuS (October 9, 2010)

The ZeuS Trojan horse program has been getting a lot of press lately for its use in online bank fraud, but a computer forensics researcher at the University of Alabama points out that the malware could also be used to steal proprietary information from companies. Gary Warner says he has seen cyber criminals using ZeuS to gather information about which companies the targets work for and has observed discussions in online forums suggesting they are trying to figure out how to cash in on that information, perhaps by selling access to computers of specific organizations.
-http://www.computerworld.com/s/article/9190239/Zeus_hackers_could_steal_corporat
e_secrets_too?taxonomyId=17
[Editors Note (Northcutt): I cannot emphasize how important it is for security professionals to learn what they can about Zeus. It is the poster child for modern malware. The wake up moment for me was when Hal Pomeranz gently pointed out that even though I do online banking with two banks that both have two factor token authentication (one bank receives my paychecks, sends money in the same transfer amount every time to the other bank that I use to pay bills or buy things from), Zeus could still steal my money during the online session because I have authenticated. Maybe, just maybe, since I always send the same amount of money from the receiving bank to the paying bank, fraud detection software would kick in, but this is life on the edge. So, I strongly suggest you read the article. There are ways to defeat Zeus, but organizations still do not find the available solutions palatable even though every week another organization gets hit hard. ]

Univ. of Michigan Students Found More Security Issues in Online Voting System (October 8, 2010)

Two weeks ago, the DC Council's Board of Elections and Ethics (BOEE) tested an online voting system for overseas voters by challenging people to try to break in. University of Michigan computer science Professor J. Alex Halderman posed the offer to his graduate students, who gained control of the system. They had the ability change votes, and were inside the system for two days before being discovered. At a recent hearing of the DC Council, Halderman provided additional details about his students' experience. Halderman told the Council that while inside the system, they had seen evidence that intruders who appeared to be from China and Iran were trying to access the system. The students modified the firewall and changed the password from its default state to help keep the intruders out. Halderman and his students were able to gain control of routers and switches that allowed them access to security cameras in a BOEE server room. Halderman also told the Council that his students found a document on the test server that contained information about 900 people who were eligible to use the system to vote; those data could have been used by unauthorized persons to request ballots and cast votes.
-http://voices.washingtonpost.com/debonis/2010/10/more_about_vote-hacking_incide.
html
-http://www.nytimes.com/2010/10/09/us/politics/09vote.html

Student Finds Tracking Device on Car; FBI Demands it Back (October 7, 2010)

When California college student Yasir Afifi took his car in for an oil change, he noticed an unexpected wire near the rear right wheel; the mechanic removed a tracking device and battery pack that had been attached to the chassis to his car magnetically. A friend of Afifi's put pictures of the device online; it was quickly identified as an older tracking device issued only to law enforcement. Two days later, FBI agents showed up at Afifi's home demanding that he return the device. Afifi is an American citizen whose father died in Egypt a year ago. Comments made by the FBI agents who visited his home suggested Afifi had been under surveillance for three to six months. A recent ruling from the 9th Us Circuit Court of Appeals, which covers California, said that law enforcement can place GPS devices on suspects' cars without a warrant. Another court, the US Court of Appeals for the District of Columbia Circuit, ruled that placing a GPS device on a car for an extended period of time requires a warrant.
-http://www.wired.com/threatlevel/2010/10/fbi-tracking-device/all/1
-http://www.msnbc.msn.com/id/39583860/ns/technology_and_science-security/
-http://www.time.com/time/nation/article/0,8599,2013150,00.html

FCC Considering Initiatives to Encourage ISPs to Help Fight Bot Infections (October 6, 2010)

Federal Communications Commission (FCC) asked for input regarding a national cyber security roadmap. The FCC is considering initiatives to encourage ISPs to help protect home users from bot malware. Among the possibilities is an ISP code of conduct/best practice scheme to follow when they find a customer is infected with botware. Brian Krebs (the top security blogger in Ameica, who wrote for several years for the Washington Post) has previously suggested that the FCC act as a clearinghouse for information about which ISPs were doing a good job of keeping their networks clean and which had more bad stuff happening. Other entities are starting to offer approaches as well: Comcast is rolling out bot infection notification nationwide after initial test run in Denver, and Microsoft's Scott Charney called for ISP industry standards for bot infestations based on public health model of immunization and quarantine.
-http://krebsonsecurity.com/2010/10/fcc-may-confront-isps-on-bot-malware-scourge/

---

**********************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer at the North American Energy Reliability Commission (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/