SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XII - Issue #82

October 15, 2010

Stuxnet was a wake up call for every organization managing critical systems - but now what? On Thursday, Oct 21, at 3 PM ETD, SANS instructor John Strand will provide insight into how this worm first compromises a system and how it spreads. More importantly, he will also cover methods to help detect these attacks in your environment in the future. This webcast is one of the regular updates in the Human Sensor Network training program SANS developed first at Sandia National Labs, to train system administrators as the first line of hacker detection. If you are part of an organization that can benefit from this new program, and would like to see this sample of the continuing education program, contact Scott Weil, sweil@sans.org, for registration instructions.
Alan

---

TOP OF THE NEWS

DHS and NSA Announce Cyber Defense Partnership
Facebook Launches One-Time Password Service
Adobe Reader 10 Will Include Sandboxing

THE REST OF THE WEEK'S NEWS

Smart Grid Standards
In Europe, ATM Skimming is Up, but Losses are Down
Microsoft Blames Human Error for Spammers Gaining Control of Network Devices
RIM Issues BlackBerry Enterprise Server Update
US Has the Most Bot-Infected PCs
Microsoft Patches Include Fix for Flaw Exploited by Stuxnet
Pennsylvania School District Settles Webcam Lawsuits for US $610,000

---

************************ Sponsored By SANS *****************************
As energy providers move to more open, public-facing Smart Grid technologies, the integrated fabric of our most critical infrastructure is already under attack. Learn how to plug the gaps between legacy SCADA control systems using 21st-Century security technologies, with experts Jonathan Pollett, founder of infrastructure consulting firm, RedTiger, and Eric D. Knapp, director of critical infrastructure technologies at NitroSecurity. Sign in at your SANS Portal Account or follow the link, here: http://www.sans.org/info/66028 ************************************************************************* TRAINING UPDATE New "Combating Malware in the Enterprise" course at SANS (SEC569). How do you fight off malware when you have thousands of hosts? Course debut in Las Vegas (Sept'10) and Washington DC (Dec'10):
http://www.sans.org/security-training/combating-malware-enterprise-1482-mid

- -- SANS Chicago 2010, Skokie, Illinois, October 25-30, 2010 6 courses. Bonus evening presentations include Weaponizing LISP: Advancing the Art of Network Security and Examining the Global Underground of Malicious Actors
http://www.sans.org/chicago-2010/night.php

- -- SANS San Francisco 2010, November 5-12, 2010 7 courses. Bonus evening presentations include Weaponizing LISP: Advancing the Art of Network Security
http://www.sans.org/san-francisco-2010/

- -- SANS London 2010, November 27-December 6, 2010 14 courses. Bonus evening presentations include Latest Advances in Computer Forensics and Continuous Vulnerability Testing and Remediation: The 20 Critical Security Controls Perspective
http://www.sans.org/london-2010/

- -- SANS Cyber Defense Initiative 2010, Washington DC, December 10-17, 2010 24 courses. Bonus evening presentations include Browser Based Defenses; Continuous Vulnerability Testing and Remediation: the 20 Critical Security Controls Perspective; and Cyberwar or Business as Usual? The State of US Federal CyberSecurity Efforts
http://www.sans.org/cyber-defense-initiative-2010/

- -- SANS Security East 2011, New Orleans, LA, January 20-27, 2011 12 courses. Bonus evening presentations and special events include Happy Little Clouds: Governing, Assessing and Auditing Cloud Environments and Future Trends in Network Security
http://www.sans.org/security-east-2011/

- -- Looking for training in your own community?
http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Dubai, Geneva, Bangalore, San Antonio and Sydney all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php ************************* Sponsored Link ************************* 1) REGISTER NOW! Securing Services at the Network Edge - Combining Security Enforcement and Governance WHEN: Wednesday, October 27, 2010 at 1:00 PM EDT (1700 UTC/GMT) FEATURING: Sachin Gadre and Blake Dournaee http://www.sans.org/info/66033 *********************************************************************

---

TOP OF THE NEWS

DHS and NSA Announce Cyber Defense Partnership (October 13 & 14, 2010)

The US Department of Homeland Security (DHS) and the National Security Agency (NSA) announced that they will work together to help protect the country's computer systems from cyber attacks. Each agency is creating a small team to work within the other's operation center. Civil liberties watchdog groups have expressed concern about the collaboration; they say that there is the possibility that citizens' privacy rights could be violated. The plan calls for oversight by legal and privacy experts. The arrangement hopes to avoid the need to duplicate the other agency's cyber security efforts.
-http://www.npr.org/templates/story/story.php?storyId=130546958
-http://www.govinfosecurity.com/articles.php?art_id=3010
-http://www.nextgov.com/nextgov/ng_20101013_7867.php?oref=topstory
-http://www.dhs.gov/ynews/releases/pr_1286984200944.shtm

Facebook Launches One-Time Password Service (October 13 & 14, 2010)

Facebook has begun a one-time password service to allow users to log in to their accounts on public computers without having to use their established passwords. The system works by users registering a certain mobile phone number with Facebook. When they text "OTP" to a number provided by Facebook (32665), they will receive back a one-time password that is good for 20 minutes. The idea is to prevent users' regular passwords from being captured by keystroke logging software on public computers. Facebook has also launched a feature that allows users to log out of their accounts remotely and a service that prompts users to update their security information.
-http://www.theregister.co.uk/2010/10/13/facebook_one_time_passwords/
-http://www.bbc.co.uk/news/technology-11535370
-http://www.h-online.com/security/news/item/Facebook-introduces-one-time-password
s-for-insecure-computers-1108163.html
[Editor's Note (Pescatore): The beauty of the cellphone as an authentication token is that is the only token that is *not* "yet another thing to carry." Not that SMS as done today is terribly secure, but by avoiding YATTC *and* raising the bar against password stealing attack, this approach (supported by Google previously, as well) is a nice step forward. ]

Adobe Reader 10 Will Include Sandboxing (October 12 & 13, 2010)

Adobe plans to release a more secure version of Reader by the end of the year. Adobe Reader has become an increasingly popular target for exploit writers. Adobe Reader 10 will include a sandbox feature designed to prevent attacks that will harm computers. The feature will be turned on by default. Adobe director for product security and privacy Brad Arkin harbors no illusions that the new version of Reader will be immune from security issues, acknowledging that "bad guys and researchers won't give up because this is an exciting challenge."
-http://www.v3.co.uk/v3/news/2271459/adobe-confirms-reader-before
-http://www.computerworld.com/s/article/9190679/Adobe_More_secure_version_of_Read
er_out_by_year_end?taxonomyId=145

---

THE REST OF THE WEEK'S NEWS

Smart Grid Standards (October 14, 2010)

The National Institute of Standards and Technology (NIST) has released five sets of smart grid interoperability and cyber security standards for consideration and adoption by state and federal regulators.
-http://www.informationweek.com/news/government/security/showArticle.jhtml?articl
eID=227800031
-http://gcn.com/articles/2010/10/13/smart-grid-standards.aspx?admgarea=TC_SECURIT
Y

In Europe, ATM Skimming is Up, but Losses are Down (October 14, 2010)

According to statistics gathered by the European ATM Security Team (EAST), the number of reported skimming attacks on European ATMs increased during the first half of 2010, but the total monetary losses fell. There were 5,743 reported attacks in the first six months of 2010, a three percent increase over the second half of 2009 and a 24 percent increase over the first half of 2009. Total losses during the first half of 2010 were 143.5 million Euros (US $201.6 million), down seven percent from the second half of 2009, when losses were 154.1 million Euros (US $216.5 million). The decline in losses is believed to be due in part to the growing use of chip and PIN technology.
-http://www.computerworld.com/s/article/9191120/Europe_s_ATM_skimming_attacks_ris
e_but_losses_fall?taxonomyId=82
-http://www.allmediascotland.com/media_releases/27424/skimming-attacks-at-europea
n-atms-rise-24-although-related-losses-fall-8-
[Editor's Note (Pescatore): The fact that skimming works so well against swipe cards points out that adding "what you have" authentication only works well when the "what you have" isn't easily duplicated. That's the benefit of chip and pin, and the benefit of SIM chips in cellphones, too. ]

Microsoft Blames Human Error for Spammers Gaining Control of Network Devices (October 13 & 14, 2010)

Microsoft says human error is to blame for spammers gaining control of two computers on the company's network. An internal investigation found that "two misconfigured network hardware devices in a testing lab were compromised." Those devices have been removed. The servers had been manipulated to route traffic to more than 1,000 fraudulent websites. The devices were running a Linux kernel. One of the compromised IP addresses was used to launch a distributed denial-of-service (DDoS) attack against KrebsOnSecurity.com in late September.
-http://www.theregister.co.uk/2010/10/14/microsoft_confirms_ip_hijack/
-http://www.computerworld.com/s/article/9191059/Human_error_gave_spammers_keys_to
_Microsoft_systems?taxonomyId=82
-http://krebsonsecurity.com/2010/10/pill-gang-used-microsofts-network-to-attack-k
rebsonsecurity-com/
[Editor's Note (Schultz): Microsoft security has improved *so* much over the years, yet at the same time, this company too often continues to conveniently blame forces it claims are out of its control when security within goes awry, as in this news item. I find Microsoft's singling out Linux security as one of the causes of incidents discussed in this news item to be particularly amusing. ]

RIM Issues BlackBerry Enterprise Server Update (October 13, 2010)

An interim security update for Blackberry Enterprise Server (BES) 5.0 Service Pack 2 for Microsoft Exchange and IBM Lotus Domino addresses a vulnerability that could be exploited to gain access to BES infrastructures, create denial-of-service conditions or possibly execute arbitrary code. The flaw affects BES Express as well. For an attack to be successful, users would need to be manipulated into opening a maliciously crafted PDF file on a BlackBerry smartphone associated with a user account on a BES. Research in Motion (RIM) urges administrators to update their software as soon as possible, but cautions that the update must be done carefully, because if it is done incorrectly, it could cause additional problems.
-http://www.computerworld.com/s/article/9190964/Blog_RIM_patches_another_flaw_in_
BlackBerry_Enterprise_Server?taxonomyId=85
-http://www.blackberry.com/btsc/microsites/microsite.do?cmd=displayKC&docType
=kc&externalId=KB24547&sliceId=1&docTypeID=DT_SECURITY_1_1

US Has the Most Bot-Infected PCs (October 13 & 14, 2010)

According to Microsoft's Security Intelligence Report, the US has 2.2 million PCs infected with bot software, more than any other country in the world. Brazil ranks second with 550,000. The highest rate of infection was found in Korea, where 14.6 of every 1,000 PCs, or 1.5 percent of PCs, are infected with bot software. The types of botnet malware detected most often were Rimecud, Alureon and Hamweq. A botnet named Lethis was reportedly responsible for 56 percent of botnet spam between March and June 2010. The statistics were gathered through 600 million PCs that use Microsoft's update services and/or its Essentials and Defender security products.
-http://www.bbc.co.uk/news/technology-11531657
-http://www.h-online.com/security/news/item/Microsoft-says-botnets-widely-distrib
uted-1107609.html
-http://www.eweek.com/c/a/Security/Microsoft-US-Home-to-Most-Botnet-PCs-216614/
-http://www.microsoft.com/security/sir/keyfindings/default.aspx#section_1

Microsoft Patches Include Fix for Flaw Exploited by Stuxnet (October 12, 2010)

On Tuesday, October 12, Microsoft issued 16 security bulletins to address 40 vulnerabilities in Windows, Internet Explorer and Office. Microsoft considers patches described in two of the bulletins - MS10-071 and MS10-076 - to be the most critical to apply as soon as possible. Both address vulnerabilities that could be exploited through drive-by attacks. One of the vulnerabilities addressed in Tuesday's release (MS10-073) is exploited by Stuxnet. Two of the four zero-days in Windows that Stuxnet has been exploiting have already been fixed; the fourth will be addressed in a future update. Microsoft has also updated its Malicious Software Removal Tool to detect the ZeuS Trojan horse program.
-http://www.computerworld.com/s/article/9190719/Microsoft_releases_biggest_ever_s
ecurity_update?source=CTWNLE_nlt_pm_2010-10-12
-http://news.cnet.com/8301-27080_3-20019353-245.html?part=rss&subj=news&t
ag=2547-1_3-0-20
-http://www.theregister.co.uk/2010/10/12/microsoft_october_2010_patch_tuesday/
-http://www.h-online.com/security/news/item/Microsoft-Patch-Tuesday-One-Stuxnet-h
ole-remains-open-1106886.html
-http://krebsonsecurity.com/2010/10/microsoft-plugs-a-record-49-security-holes/
-http://www.microsoft.com/technet/security/Bulletin/MS10-oct.mspx

Pennsylvania School District Settles Webcam Lawsuits for US $610,000 (October 12, 2010)

The Pennsylvania school district accused of using embedded webcams to spy on students at home has agreed to pay a US $610,000 settlement to bring an end to litigation brought by two students. Roughly 70 percent, or US $425,000, of the settlement amount will go to attorneys' fees; the remaining US $185,000 will go to the students. The tracking software at issue in the case was placed on 2,300 school-owned laptop computers that were issued to Lower Merion County high school students. The software was supposed to be used to locate missing or stolen computers, but the school allegedly allowed the feature to remain on after missing computers were located, resulting in pictures being taken of students in their homes.
-http://www.wired.com/threatlevel/2010/10/webcam-spy-settlement/
-http://www.csoonline.com/article/624492/school-district-settles-webcam-spy-suit?
source=rss_news
[Editor's Note (Northcutt): $425K to the lawyers, $185k to the students. Does this seem wrong? In Rising Above the Gathering Storm, the author writes that US companies spend more money on litigation than they do on R&D.
-http://books.nap.edu/openbook.php?record_id=12999&page=R1]

---

**********************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer at the North American Energy Reliability Commission (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/