SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XII - Issue #84
October 22, 2010
Looking for a way to give back to the community? A great contribution is to share the story of a security tool that has made a measurable difference in reducing risk at a medium or large organization. We have 40 or fifty such interviews posted at www.sans.org/whatworks (under each class of tool). When users describe their actual experiences with tools they help every other organization trying to decide which tools to acquire and how to take more effective advantage of the tools they have. If you have implemented a tool that actually solves a hard problem in security, please send me a note at apaller@sans.org and I'll help you get connected to the right folks. (No tool developers or consultants, please, just end users at medium and large organizations.)
Alan
TOP OF THE NEWS
Google Street View Data Collection Violated Laws in Canada and Spain
Court Orders Google to Reveal Identity of Alleged Cyber Stalker
Frequency of Java Attacks Rises Sharply
Wiseguy Tickets CAPTCHA Case Will Go to Trial
THE REST OF THE WEEK'S NEWS
Apple Appears to be Phasing Out Java
2.9 Percent of German Households Opt Out of Street View
Exploit Code Released for Shockwave Vulnerability
New South Wales Auditor General's Report Slams Government Cyber Security
Guilty Plea in Pump-and-Dump Scheme
Mozilla Releases Firefox Update
RealNetworks Issues RealPlayer Update
Kaspersky Site Attacked; Users Redirected to Scareware Site
SPECIAL RECOGNITION - NEW GSES
The most prestigious credential in information security is the GIAC Security Expert (GSE).
************************ Sponsored By SANS *****************************
The SANS WhatWorks Incident Detection and Log Management Summit will also focus on which logging configurations capture the history of a hacker's activity on your machine, from the establishment of unauthorized accounts to the installation of back-doors, enabling you to quickly isolate and repair affected systems after an intrusion. Register at: http://www.sans.org/info/66233
*************************************************************************
TRAINING UPDATE
New "Combating Malware in the Enterprise" course at SANS (SEC569). How do you fight off malware when you have thousands of hosts? Course debut in Las Vegas (Sept'10) and Washington DC (Dec'10):
http://www.sans.org/security-training/combating-malware-enterprise-1482-mid
- -- SANS Chicago 2010, Skokie, Illinois, October 25-30, 2010 6 courses. Bonus evening presentations include Weaponizing LISP: Advancing the Art of Network Security and Examining the Global Underground of Malicious Actors
http://www.sans.org/chicago-2010/night.php
- -- SANS San Francisco 2010, November 5-12, 2010 7 courses. Bonus evening presentations include Weaponizing LISP: Advancing the Art of Network Security
http://www.sans.org/san-francisco-2010/
- -- SANS London 2010, November 27-December 6, 2010 14 courses. Bonus evening presentations include Latest Advances in Computer Forensics and Continuous Vulnerability Testing and Remediation: The 20 Critical Security Controls Perspective
http://www.sans.org/london-2010/
- -- SANS Cyber Defense Initiative 2010, Washington DC, December 10-17, 2010 24 courses. Bonus evening presentations include Browser Based Defenses; Continuous Vulnerability Testing and Remediation: the 20 Critical Security Controls Perspective; and Cyberwar or Business as Usual? The State of US Federal CyberSecurity Efforts
http://www.sans.org/cyber-defense-initiative-2010/
- -- SANS Security East 2011, New Orleans, LA, January 20-27, 2011 12 courses. Bonus evening presentations and special events include Happy Little Clouds: Governing, Assessing and Auditing Cloud Environments and Future Trends in Network Security
http://www.sans.org/security-east-2011/
- -- Looking for training in your own community? http://sans.org/community/ Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current
Plus San Antonio, Sydney, Geneva, Tokyo, Manama and Muscat all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php *********************************************************
TOP OF THE NEWS
Google Street View Data Collection Violated Laws in Canada and Spain (October 19 & 21, 2010)
Google has been chastised by regulators in Canada and Spain for its inadvertent collection of Wi-Fi data while gathering information for its Street View feature. An investigation in Spain determined that Google had violated that country's data protection act; the Spanish Data Protection Authority has initiated disciplinary proceedings against Google, which could impose fines of 60,000 to 600,000 Euros (US $83,000 - $834,000) for each offense. Canadian privacy commissioner Jennifer Stoddart said an investigation there determined that Google had violated Canadian privacy law. Stoddart has asked Google to delete the data it collected in Canada by February 1, 2011.
-http://news.cnet.com/8301-31921_3-20020112-281.html
-http://www.msnbc.msn.com/id/39745736/ns/technology_and_science-security/
-http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=227900433&subSection=Security
Court Orders Google to Reveal Identity of Alleged Cyber Stalker (October 20, 2010)
A New York court has ordered Google to reveal the identity and contact information of an individual or individuals responsible for posting comments and unauthorized videos of business consultant Carla Franklin. Franklin says she pursued the issue because "it [is] a safety issue." Last year, Google was ordered to provide the identity of a blogger who had posted defamatory comments about model Liskula Cohen. The blogger, Rosemary Port, maintains that her privacy was violated by the disclosure.
-http://www.msnbc.msn.com/id/39767076/ns/technology_and_science-security/
-http://www.telegraph.co.uk/technology/google/8078326/Google-ordered-to-reveal-identity-of-cyberstalker.html
Frequency of Java Attacks Rises Sharply (October 18 & 20, 2010)
Microsoft senior program manager Holly Stewart wrote in a blog post that Java vulnerabilities were exploited more than six million times in the third quarter of 2010. The majority of the attacks targeted just three flaws, for which Oracle has already released patches. Attempted exploits in the first quarter of 2010 numbered fewer than half a million. The number of attacks now exceeds the number of attacks on Adobe product flaws. It has been suggested that Oracle piggyback on Microsoft's security update service to better protect users' computers, because users are not regularly updating Java. Eighty percent of PCs run at least one version of Java; of those, 40 percent are running outdated versions. There is a Java update service, but user notification is slow and the service allows multiple versions of the software to coexist on a PC, so a computer can remain vulnerable to older attacks even when a newer version of Java is installed.
-http://krebsonsecurity.com/2010/10/microsoft-a-tidal-wave-of-java-exploitation/
-http://www.eweek.com/c/a/Security/Oracle-Java-Attacks-Reach-Unprecedented-Levels-Microsoft-Reports-471320/
-http://www.scmagazineus.com/microsoft-warns-of-unprecedented-java-exploitation/article/181205/
-http://www.computerworld.com/s/article/9191640/_Unprecedented_wave_of_Java_exploits_hits_users_says_Microsoft?taxonomyId=208s
-http://www.computerworld.com/s/article/9192098/Users_neglect_Java_patches_leave_attack_door_wide_open?taxonomyId=17
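The practical consequence of the item above is that "we pushed the latest Java" is not the same as "no vulnerable Java remains": an older runtime left side by side with the new one is still reachable by the older exploits. The script below is an added example, not code from SANS, Microsoft or Oracle. It takes a constructed inventory of per-host installed JRE version strings (the kind of data an agent would pull from the Windows registry or Program Files\Java) and reports every runtime older than a baseline you supply; the baseline value 1.6.0_22 used here is an assumption, not a statement about which update fixes the flaws discussed.

```python
"""Flag hosts that still carry an outdated Java runtime, even alongside a current one.

Added example for this NewsBites item; not code from SANS, Microsoft or Oracle.
The inventory below is constructed for illustration, and the baseline version
passed to audit() is an assumption: substitute Oracle's current release.
"""
import re
from typing import Dict, List, Tuple

# Java 5/6 version strings look like 1.6.0_21 (major.minor.micro_update).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")


def parse_java_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '1.6.0_21' into a comparable tuple (1, 6, 0, 21); missing update => 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Java version string: {text!r}")
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


# Constructed inventory: (hostname, installed JRE version strings).
INVENTORY: List[Tuple[str, List[str]]] = [
    ("ws-001", ["1.6.0_22"]),
    ("ws-002", ["1.6.0_22", "1.6.0_17"]),  # updated, but the old JRE was never removed
    ("ws-003", ["1.5.0_22", "1.6.0_07"]),  # two stale runtimes, no current one
    ("ws-004", []),                        # no Java installed
]


def outdated_runtimes(installed: List[str], baseline: str) -> List[str]:
    """Return the subset of installed version strings that are older than baseline."""
    base = parse_java_version(baseline)
    return [v for v in installed if parse_java_version(v) < base]


def audit(inventory: List[Tuple[str, List[str]]], baseline: str) -> Dict[str, List[str]]:
    """Map each host that has at least one stale JRE to the list of stale versions.

    A host with the current release installed is still reported if any older
    runtime remains, which is exactly the coexistence problem described above.
    """
    findings: Dict[str, List[str]] = {}
    for host, versions in inventory:
        stale = outdated_runtimes(versions, baseline)
        if stale:
            findings[host] = stale
    return findings


if __name__ == "__main__":
    # Assumed baseline; replace with the current patched release when you run this.
    for host, stale in audit(INVENTORY, "1.6.0_22").items():
        print(f"{host}: outdated JRE(s) still installed: {', '.join(stale)}")
```

Feed the real inventory into INVENTORY (or replace it with a loader) and the output is the remediation list: hosts where the old runtime must be uninstalled, not merely superseded.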
Wiseguy Tickets CAPTCHA Case Will Go to Trial (October 19, 2010)
A federal judge has declined to dismiss charges against Wiseguy Tickets and Seats of San Francisco for allegedly using technology to circumvent CAPTCHA security measures and snap up tickets to desirable events, reselling them at a significant profit. Attorneys for the defendants sought to dismiss the charges of wire fraud and violations of the Computer Fraud and Abuse Act by arguing that the issue was a breach-of-contract civil matter, not a criminal matter. The case is set to go to trial on March 1, 2011. The group allegedly set up a system to impersonate thousands of distinct buyers to circumvent protections in place to guard against mass purchases by a single entity.
-http://www.wired.com/threatlevel/2010/10/hacking-captcha/
[Editor's Note (Schultz): The flood of vulnerabilities continues, whether they be in Java, Office, Adobe or whatever. Within large commercial organizations the war is at least to some extent winnable, but for SMB and non-profit organizations there is really no hope, save for extraordinarily dedicated and knowledgeable security and system administrators who donate large amounts of their own time. ]
************************* Sponsored Link *************************
1) REGISTER NOW! Securing Services at the Network Edge - Combining Security Enforcement and Governance WHEN: Wednesday, October 27, 2010 at 1:00 PM EDT (1700 UTC/GMT) FEATURING: Sachin Gadre and Blake Dournaee http://www.sans.org/info/66238 **********************************************************************
THE REST OF THE WEEK'S NEWS
Apple Appears to be Phasing Out Java (October 21, 2010)
Apple has issued Java security updates for Mac OS X versions 10.5 and 10.6, but says that it will not support Java at the same level in future versions of OS X and may even remove Java from the operating system in the future. The Java runtime in OS X 10.6 and 10.5 "will continue to be supported and maintained through the standard support cycles of those products." New rules for developers selling their products through the Mac App Store say that "Apps that use deprecated or optionally installed technologies (e.g. Java, Rosetta) will be rejected."
-http://news.cnet.com/8301-31021_3-20020338-260.html?tag=mncol
-http://www.h-online.com/security/news/item/Apple-releases-Java-security-updates-1122472.html
2.9 Percent of German Households Opt Out of Street View (October 21, 2010)
More than 244,000 Germans have opted out of having images of their homes accessible on Google Street View. That figure is about 2.9 percent of households in Germany's 20 largest cities. Google has been highly attuned to Germany's privacy concerns since an audit of its Street View data collection practices in that country revealed that its cars were collecting data packets from unprotected wireless networks.
-http://news.cnet.com/8301-13506_3-20020282-17.html?tag=mncol
-http://www.nytimes.com/2010/10/21/technology/21google.html?_r=1&ref=technology
Exploit Code Released for Shockwave Vulnerability (October 21, 2010)
Exploit code for an unpatched vulnerability in Adobe Shockwave Player has been released on the Internet. The exploit code shows potential attackers how to take control of vulnerable computers. The flaw affects Shockwave Player version 11.5.8.612 and earlier for Windows and Mac OS X; Adobe has not yet said when a fix will be released.
-http://www.zdnet.com/blog/security/exploit-published-for-unpatched-adobe-shockwave-vulnerability/7517?tag=content;search-results-rivers
New South Wales Auditor General's Report Slams Government Cyber Security (October 20 & 21, 2010)
According to a report from New South Wales (NSW, Australia) Auditor General Peter Achterstraat, citizens' personal information held in NSW government databases is accessible to attackers because departments fail to implement security measures mandated by the government. Security breaches of government computer systems are not routinely disclosed. Achterstraat is "calling on the government to set minimum standards departments must follow, to ensure that departments understand how important information security is and to hold people to account." NSW has a Security of Electronic Information policy, but agency compliance and certification have not been consistently monitored.
-http://www.smh.com.au/technology/technology-news/open-slather-for-hackers-on-official-databases-20101020-16ucw.html
-http://www.securecomputing.net.au/News/235866,audit-finds-nsw-it-security-policy-lacking.aspx
Guilty Plea in Pump-and-Dump Scheme (October 20 & 21, 2010)
An Arizona man has pleaded guilty to conspiracy to commit securities fraud and fraud in connection with electronic mail for his role in a pump-and-dump scheme that used a botnet to distribute phony information about stocks. James Bragg used a botnet to send out spam aimed at artificially boosting the price of certain penny stocks. Bragg also gained access to online brokerage accounts and used them to make stock purchases without the account holders' knowledge.
-http://www.eweek.com/c/a/Security/Man-Pleads-Guilty-in-Pump-and-Dump-Scheme-681236/
-http://www.computerworld.com/s/article/9192120/Man_pleads_guilty_to_using_hack_pump_and_dump_botnet?taxonomyId=17
Mozilla Releases Firefox Update (October 19 & 20, 2010)
Mozilla has issued nine security advisories for Firefox 3.6.11 that together address 12 vulnerabilities; five of the advisories are rated critical. The critical flaws include unsafe library loading vulnerabilities; a dangling pointer vulnerability in LookupGetterOrSetter; a use-after-free error in nsBarProp; a buffer overflow and memory corruption; and miscellaneous memory safety hazards. Firefox 3.6.11 also addresses several performance and stability issues.
-http://www.theregister.co.uk/2010/10/20/firefox_security_update/
-http://www.zdnet.com/blog/security/firefox-dirty-dozen-mozilla-patches-critical-browser-flaws/7494?tag=content;search-results-rivers
-http://www.computerworld.com/s/article/9191958/Mozilla_quashes_12_Firefox_bugs?taxonomyId=208
-http://www.mozilla.com/en-US/firefox/3.6.11/releasenotes/
RealNetworks Issues RealPlayer Update (October 18, 19 & 20, 2010)
RealNetworks has issued an updated version of RealPlayer that fixes seven critical security flaws in the media player software. All of the flaws could be exploited to execute code remotely. The vulnerabilities affect RealPlayer versions 1.1.4 and earlier; versions 1.1.5 and later appear to be unaffected.
-http://krebsonsecurity.com/2010/10/critical-realplayer-update/
-http://www.v3.co.uk/v3/news/2271764/realplayer-receives-critical
-http://www.zdnet.com/blog/security/highly-critical-flaws-hit-realplayer/7471
Kaspersky Site Attacked; Users Redirected to Scareware Site (October 19, 2010)
Attackers compromised the Kaspersky Lab website last weekend, redirecting users trying to purchase Kaspersky security products to a malicious website containing links to phony antivirus software called Security Tool. The malware generates pop-ups on users' computers informing them of vulnerabilities on their machines and urging them to purchase a full version of the product to fix the vulnerabilities.
-http://www.eweek.com/c/a/Security/Kasperskys-Download-Site-Hacked-Directs-Users-to-Fake-AntiVirus-336193/
SPECIAL RECOGNITION - NEW GSEs
The most prestigious credential in information security is the GIAC Security Expert (GSE). Those who successfully complete the intensive two-day hands-on lab-based exams have demonstrated that they have what it takes to be counted as true experts in the information security field. We congratulate the following individuals who have successfully completed the GSE lab and earned the GSE credential in 2010: Erin Britz, Anthony DeRosa, Gordon Dexter, Lukasz Hall, Kevin Hoffman, John Scillieri, Bill MacCormack, Doug Burks, Mike Cardosa, Jim Clausing, Vishal Hariprasad, Seth Misenar, and Chris Mohan.
**********************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.
Rohit Dhamankar is a security professional currently involved in independent security research.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Mark Weatherford, CISSP, CISM, is Chief Information Security Officer at the North American Electric Reliability Corporation (NERC).
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/