SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XII - Issue #85

October 26, 2010

TOP OF THE NEWS

Coordinated Action Plan Addresses Bulk Power System Security Risks
Facebook to Employ Encryption to Protect User IDs
Iranian Cyber Army May be Offering Botnet for Rent

THE REST OF THE WEEK'S NEWS

Firefox Extension Makes it Easy to Steal Cookies
US Air Force Publishes Cyber Warfare Manual
UK ICO to Look Into Google Street View Issue Again
Guilty Plea in Malware Installation Scheme
Media Content Groups Urge Quick Passage of Anti-Piracy Legislation
Indian Authorities Seeking More Control Over Internet
A Pair of Vulnerabilities in Linux

---

************************ Sponsored By zScaler **************************
ONLINE FIRESIDE CHAT with Gartner: IPAD + FACEBOOK + BLENDED THREATS = IT NIGHTMARE Are you doing enough to manage your security risk in the Web 2.0 world? Join Peter Firstbrook of GARTNER who will address the growing security concerns and ways to combat them. Nov 16 at 10am PST / 1pm EST http://www.sans.org/info/66283 *************************************************************************
TRAINING UPDATE New "Combating Malware in the Enterprise" course at SANS (SEC569). How do you fight off malware when you have thousands of hosts? Course debut in Las Vegas (Sept'10) and Washington DC (Dec'10):
http://www.sans.org/security-training/combating-malware-enterprise-1482-mid

-- SANS Chicago 2010, Skokie, Illinois, October 25-30, 2010 6 courses. Bonus evening presentations include Weaponizing LISP: Advancing the Art of Network Security and Examining the Global Underground of Malicious Actors
http://www.sans.org/chicago-2010/night.php

-- SANS San Francisco 2010, November 5-12, 2010 7 courses. Bonus evening presentations include Weaponizing LISP: Advancing the Art of Network Security
http://www.sans.org/san-francisco-2010/

-- SANS London 2010, November 27-December 6, 2010 14 courses. Bonus evening presentations include Latest Advances in Computer Forensics and Continuous Vulnerability Testing and Remediation: The 20 Critical Security Controls Perspective
http://www.sans.org/london-2010/

-- SANS Cyber Defense Initiative 2010, Washington DC, December 10-17, 2010 24 courses. Bonus evening presentations include Browser Based Defenses; Continuous Vulnerability Testing and Remediation: the 20 Critical Security Controls Perspective; and Cyberwar or Business as Usual? The State of US Federal CyberSecurity Efforts
http://www.sans.org/cyber-defense-initiative-2010/

-- SANS Security East 2011, New Orleans, LA, January 20-27, 2011 12 courses. Bonus evening presentations and special events include Happy Little Clouds: Governing, Assessing and Auditing Cloud Environments and Future Trends in Network Security
http://www.sans.org/security-east-2011/

-- Looking for training in your own community?
http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus San Antonio, Sydney, Geneva, Tokyo, Manama and Muscat all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php *********************************************************

---

TOP OF THE NEWS

Coordinated Action Plan Addresses Bulk Power System Security Risks (October 20, 2010)

A November 2009 Workshop with the North American Electric Reliability Corporation (NERC) and the US Department of Energy resulted in the publication of a summary report, "High-Impact, Low-Frequency Event Risk to the North American Bulk Power System." NERC's Electricity Sub-Sector Coordinating Council then developed a Critical Infrastructure Strategic Roadmap and NERC worked with the electric utility industry to create a Coordinated Action Plan to address the identified risks. The plan identifies four specific scenarios, describes strategic initiatives to address the scenarios and lays out a plan with specific milestones.
-http://www.scmagazineus.com/unknown-unknowns-and-the-electric-grid/article/18129
2/
-http://www.nerc.com/files/HILF.pdf
[Editor's Comment (Northcutt): The second link is the plan itself and may be valuable to you in assessing your organization's COOP/DR/BCP plans in two regards. First have you considered these threats directly against your organization. Second, if one of these threats does have a high impact on the power grid, how long can you operate on generators and batteries?]

Facebook to Employ Encryption to Protect User IDs (October 25, 2010)

Facebook says it will use encryption and other data protection measures following reports that users' data were being shared with third parties. Facebook policy forbids application developers from sharing Facebook User IDs (UIDs) with third parties, but the company said that "some developers were inadvertently sharing
[the data ]
via the HTTP Referrer header." In related news, a Minnesota woman has filed a class-action lawsuit against Zynga, the company responsible for the popular FarmVille and Mafia Wars games on Facebook, for sharing user information with third parties, and data aggregator Rapleaf said it is no longer sharing user identifiers with advertising networks.
-http://dns.tmcnet.com/topics/internet-security/articles/111215-facebook-beefs-up
-security-after-privacy-concerns-surface.htm
-http://blogs.sfweekly.com/thesnitch/2010/10/zynga_facebook_lawsuit.php
-http://business.financialpost.com/2010/10/22/13072/
-http://www.computerworld.com/s/article/9192862/Rapleaf_says_it_has_fixed_privacy
_issue_with_Facebook?taxonomyId=203
[Editor's Note (Pescatore): For all sites that are advertising-revenue driven, the real customer is the advertiser, not the user of the site. With that DNA, all security decisions are driven to assure that the integrity, and availability of the advertising is maintained. Confidentiality of the user's data, not so much. ]

Iranian Cyber Army May be Offering Botnet for Rent (October 25, 2010)

New research indicates that a group of hackers called the Iranian Cyber Army may be running a botnet in addition to their other malicious Internet activity. The group recently launched attacks against Twitter and Baidu in which they altered DNS records and redirected users to other websites. Research company Seculert found a page where the Iranian Cyber Army appeared to be offering the use of a botnet for a fee. The group is believed to be behind the botnet for hire scheme because the email address on the administration panel matches the address displayed after the attacks against Baidu and Twitter.
-http://www.computerworld.com/s/article/9192800/Iranian_Cyber_Army_running_botnet
s_researchers_say?taxonomyId=17
-http://www.techeye.net/security/iranian-cyber-army-providing-botnet-for-rent

---

************************* Sponsored Link *************************
1) InstantSecurityPolicy.com - Quick, Custom IT Security Policy Templates, Delivered Online - Comprehensive, Complete and 100% Guaranteed http://www.sans.org/info/66288 **********************************************************************

---

THE REST OF THE WEEK'S NEWS

Firefox Extension Makes it Easy to Steal Cookies (October 25, 2010)

At the ToorCon 12 conference in San Diego, researchers presented a proof-of-concept Firefox extension that is capable of stealing session cookies from Facebook, Twitter and other accounts on unencrypted Web 2.0 sites on open wireless networks. The Firesheep extension was created to raise awareness about the problem of account hijacking from public Wi-Fi connections. User logins are generally encrypted, but most sites do not encrypt regular traffic, leaving cookies vulnerable to being grabbed.
-http://www.eweek.com/c/a/Security/Firefox-Firesheep-Extension-Exposes-Dangers-of
-Lack-of-Encryption-143340/
-http://www.computerworld.com/s/article/9192923/New_Firefox_add_on_hijacks_Facebo
ok_Twitter_sessions?taxonomyId=17
-http://www.telegraph.co.uk/technology/news/8085354/Firesheep-Firefox-extension-e
xposes-Facebook-and-Twitter-passwords.html
[Editor's Note (Pescatore): If you want to push for SSL, WiFi hotspots forcing full-time SSL would stop this attack and be much less costly overall than all web servers using SSL on all sessions. ]

US Air Force Publishes Cyber Warfare Manual (October 25, 2010)

The US Air Force has published "Cyberspace Operations: Air Force Doctrine Document 3-12," the service's "foundational doctrine publication for Air Force operations in, through, and from the cyberspace domain
[and is meant ]
to provide insight for Airmen to follow." The manual focuses largely on defensive strategies and comprises lists of definitions, acronyms and reporting hierarchies.
-http://www.e-publishing.af.mil/shared/media/epubs/afdd3-12.pdf
-http://www.washingtonpost.com/wp-dyn/content/article/2010/10/25/AR2010102500324_
pf.html

UK ICO to Look Into Google Street View Issue Again (October 24 & 25, 2010)

The UK information Commissioner's Office (ICO) has reopened its investigation into the Google Street View data collection scandal. When the story first broke earlier this year, Google said the data inadvertently collected from unprotected wireless networks contained fragments of communications with no personal details. The company has since admitted that the collected data in some cases include entire email messages, URLs and passwords. In July, following a visit to Google offices to examine captured data, the ICO issued a statement that it was "satisfied so far that it is unlikely that Google will have captured significant amounts of personal data." In light of Google's recent admission, the ICO now says it "will be making enquiries ... before deciding on the necessary course of action, including a consideration of the need to use our enforcement powers."
-http://www.scmagazineuk.com/ico-set-to-re-investigate-google-over-street-view/ar
ticle/181648/
-http://www.v3.co.uk/v3/news/2272136/ico-reopens-google-street-view
-http://www.bbc.co.uk/news/technology-11614970
[Editor's Note (Honan): This is a very unfortunate statement from the ICO as it undermines the confidence companies and individuals have in the effectiveness of any investigations conducted by the ICO. This coupled with the reluctance to impose serious fines on those found in breach of the Data Protection Act only reinforces that opinion. ]

Guilty Plea in Malware Installation Scheme (October 25, 2010)

A Scottish man who admitted to sending spam with malicious attachments has pleaded guilty to violating the Computer Misuse Act. Matthew Anderson had a major role in a scheme that used the malware successfully installed on users' computers to steal data and spy on the users through their webcams. Among the information found in Anderson's possession following a June 2006 raid on his home were wills, medical reports and photographs.
-http://www.eweekeurope.co.uk/news/scottish-hacker-faces-jail-following-malware-p
robe-10855
-http://www.theregister.co.uk/2010/10/25/scots_vxer_warpigs_jailed/
-http://news.idg.no/cw/art.cfm?id=E3EDAECB-1A64-6A71-CE60BAAAEB9E0C3E

Media Content Groups Urge Quick Passage of Anti-Piracy Legislation (October 22, 2010)

Proposed legislation in the US Senate would make it easier to go after websites believed to be promoting piracy. The bill has the support of the Recording Industry Association of America (RIAA), the Motion Picture Association of America (MPAA) and other prominent media content organizations. The groups signed a letter to Senator Patrick Leahy (D-Vermont), who is one of the bill's sponsors. The Combating Online Infringement and Counterfeits Act does not allow the government to shut down the websites, but allows the US Justice Department to seize the sites' domain names and impose restrictions on credit cards and banks that would prohibit them from conducting further business with the alleged pirates.
-http://news.cnet.com/8301-13578_3-20020408-38.html
-http://www.nextgov.com/nextgov/ng_20101022_9883.php?oref=topnews

Indian Authorities Seeking More Control Over Internet (October 22, 2010)

Authorities in India are meeting to develop plans to allow them the power to cut off Internet services in the event of emergencies. Officials from law enforcement and national security agencies say the goal is to protect Indian infrastructure from cyber attacks, but there are concerns that the new policies could allow the government more overall control over the Internet. The group wants to gain control of national gateways, which are now controlled by telecommunications and Internet companies. RSA's Vikas Desai compared shutting down the Internet in the event of attacks to closing a shop if vandals start throwing stones at it. He suggested "solutions like a massive firewall
[and ]
log management."
-http://economictimes.indiatimes.com/tech/internet/Govt-plans-to-cut-internet-ser
vices-in-case-of-cyber-attacks/articleshow/6791296.cms

A Pair of Vulnerabilities in Linux (October 21, 2010)

A security flaw in the Linux implementation of the reliable datagram sockets (RDS) protocol could be exploited to obtain superuser rights on vulnerable systems. The vulnerability affects Linux kernel versions 2.6.30 through 2.6.36-rc8. Linux installations are vulnerable to the flaw only if the CONFIG_RDS kernel configuration is set and there are no restrictions on unprivileged users loading packet family modules. A patch for the flaw has been committed to the Linux kernel; distributions should be updated soon. A second, less serious vulnerability resides in the library loader of the GNU C library; this flaw could be exploited to gain root privileges on vulnerable systems.
-http://www.theregister.co.uk/2010/10/21/linux_superuser_bug/
-http://www.zdnet.com/blog/security/linux-kernel-vulnerability-coughs-up-superuse
r-rights/7509
-http://www.pcworld.com/businesscenter/article/208452/two_vulnerabilities_provide
_root_access_on_linux.html

---

**********************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer at the North American Energy Reliability Commission (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/