SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XII - Issue #86

October 29, 2010

TOP OF THE NEWS

FTC Closes Google Street View Investigation, Prompting Call for Congressional Hearing
LimeWire Squeezed Out
Judge Says Amazon Does Not Have to Surrender Customer Records

THE REST OF THE WEEK'S NEWS

Adobe Will Issue Fix for New Flash Zero-Day in Two Weeks
Skimming Attacks Net US $500,000 a Month
Koobface Variant Uses Java to Spread to Mac OS X
Dutch Police Take Down Bredolab Botnet; Alleged Mastermind Arrested in Armenia
Mozilla Updates Firefox to Fix Flaw Exploited on Nobel Peace Prize Web Site
Apple Will Patch iPhone Password Vulnerability Next Month
RIAA vs. Jammie Thomas-Rasset, Round Three


************************ Sponsored By SANS *****************************

The SANS WhatWorks Incident Detection and Log Management Summit, chaired by Mike Poor, is being held in Washington DC on December 8 and 9 and offers two full days of content in a single track, consisting of expert keynotes, professional briefings and dynamic panels. It will concentrate on network-centric and host-centric methods to detect intruders that work in the real world.
http://www.sans.org/info/66373

*************************************************************************

TRAINING UPDATE

New "Combating Malware in the Enterprise" course at SANS (SEC569). How do you fight off malware when you have thousands of hosts? Course debut in Las Vegas (Sept'10) and Washington DC (Dec'10):
http://www.sans.org/security-training/combating-malware-enterprise-1482-mid

-- SANS Chicago 2010, Skokie, Illinois, October 25-30, 2010 6 courses. Bonus evening presentations include Weaponizing LISP: Advancing the Art of Network Security and Examining the Global Underground of Malicious Actors
http://www.sans.org/chicago-2010/night.php

-- SANS San Francisco 2010, November 5-12, 2010 7 courses. Bonus evening presentations include Weaponizing LISP: Advancing the Art of Network Security
http://www.sans.org/san-francisco-2010/

-- SANS London 2010, November 27-December 6, 2010 14 courses. Bonus evening presentations include Latest Advances in Computer Forensics and Continuous Vulnerability Testing and Remediation: The 20 Critical Security Controls Perspective
http://www.sans.org/london-2010/

-- SANS Cyber Defense Initiative 2010, Washington DC, December 10-17, 2010 24 courses. Bonus evening presentations include Browser Based Defenses; Continuous Vulnerability Testing and Remediation: the 20 Critical Security Controls Perspective; and Cyberwar or Business as Usual? The State of US Federal CyberSecurity Efforts
http://www.sans.org/cyber-defense-initiative-2010/

-- SANS Security East 2011, New Orleans, LA, January 20-27, 2011 12 courses. Bonus evening presentations and special events include Happy Little Clouds: Governing, Assessing and Auditing Cloud Environments and Future Trends in Network Security
http://www.sans.org/security-east-2011/

-- Looking for training in your own community?
http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus San Antonio, Geneva, Tokyo, Sydney, Manama and Muscat all in the next 90 days. For a list of all upcoming events, on-line and live:
http://www.sans.org/index.php

*********************************************************

TOP OF THE NEWS

FTC Closes Google Street View Investigation, Prompting Call for Congressional Hearing (October 27 & 28, 2010)

The US Federal Trade Commission (FTC) has closed its investigation into Google's inadvertent collection of personal data from unprotected wireless networks while gathering images for Street View with nothing more than a warning to Google. In a letter to Google, FTC Bureau of Consumer Protection director David Vladeck indicated that no penalties were levied because Google was implementing new privacy measures. Consumer advocacy groups have called the FTC's decision "premature and wrong," and have called for a Congressional hearing into the agency's lack of action. Investigations and government inquiries at the state level and in other countries around the world are proceeding.
-http://www.wired.com/threatlevel/2010/10/ftc-google-wifi-sniffing/
-http://www.computerworld.com/s/article/9193383/FTC_ends_probe_into_Google_s_Wi_Fi_snooping?taxonomyId=144
-http://content.usatoday.com/communities/technologylive/post/2010/10/critics-call-for-congressional-hearings-on-googles-wi-fi-data-harvesting/1?loc=interstitialskip

LimeWire Squeezed Out (October 26 & 27, 2010)

A US federal court judge in New York has issued an injunction effectively shutting down LimeWire. The order from US District Judge Kimba Wood directs LimeWire to immediately cease distributing and supporting its filesharing software. LimeWire must also report to the court within two weeks about the steps it has taken to disable the software and inform its users, employees and stakeholders of the order. A May ruling from Judge Wood found LimeWire and its chief executive Mark Gorton liable for inducing and enabling copyright infringement.
-http://www.bbc.co.uk/news/technology-11635320
-http://www.computerworld.com/s/article/9193199/Court_orders_LimeWire_to_cease_file_sharing_business?taxonomyId=144
-http://www.wired.com/threatlevel/2010/10/limewire-riaa-defeat/

Judge Says Amazon Does Not Have to Surrender Customer Records (October 25 & 27, 2010)

A US federal judge has ruled that Amazon does not have to disclose customer records to North Carolina's Department of Revenue (DOR). The DOR had demanded the records of purchases made by Amazon's North Carolina customers so it could collect the appropriate sales tax. In her ruling, US District Judge Marsha Pechman wrote that the DOR's request for information "runs afoul of the First Amendment." Amazon has provided the North Carolina DOR with anonymized lists of which items were sent to which ZIP codes, but the DOR was seeking the names and addresses associated with individual orders.
-http://www.theregister.co.uk/2010/10/27/amazon_sales/
-http://news.cnet.com/8301-31921_3-20020680-281.html

THE REST OF THE WEEK'S NEWS

Adobe Will Issue Fix for New Flash Zero-Day in Two Weeks (October 28, 2010)

Adobe says it will issue a fix in two weeks for a critical flaw in Flash Player that is being actively exploited. In a security advisory, Adobe acknowledged that the flaw affects Reader and Acrobat, both of which are being targeted by the attacks; as yet, there do not appear to be active attacks against Flash Player itself. The flaw affects all versions of Flash for Windows, Mac OS X, Linux and Android; it affects the "Authplay" component of Reader and Acrobat. Adobe will issue a fix for Flash by November 9 and fixes for Reader and Acrobat the following week. Adobe has been trying to issue scheduled quarterly fixes for Reader and Acrobat, but a recent spate of disclosed vulnerabilities has prompted the company to issue several out-of-band fixes. The next scheduled Reader update is February 8, 2011.
-http://www.computerworld.com/s/article/9193678/Hackers_exploit_newest_Flash_zero_day_bug?taxonomyId=85

Skimming Attacks Net US $500,000 a Month (October 27 & 28, 2010)

Analysts at Gartner Research are warning that card fraudsters are engaging in a type of skimming that is netting some groups US $500,000 a month. Rather than manufacturing phony cards on a one-to-one basis from the skimmed information, these groups are manufacturing multiple cards for each account, then having money mules make nearly simultaneous withdrawals in separate cities. The withdrawal amounts are kept low to evade fraud detection systems. The attacks have been used to steal as much as US $100,000 in just 10 minutes. Gartner analyst Avivah Litan says that the only way to mitigate these attacks is to identify the point of compromise, then block the cards that were used at that site and issue new ones. She also suggests the use of stronger authentication measures, such as the chip and PIN technology that is used in Europe.
-http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=228000267&cid=RSSfeed_IWK_All
-http://www.theregister.co.uk/2010/10/27/credit_card_flash_attacks/
-http://www.computerworld.com/s/article/9193378/Fraudsters_find_holes_in_debit_card_fraud_detection?taxonomyId=144
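The skimming item above describes two things a fraud team can act on: the cash-out pattern (several clones of one card used in different cities within minutes, each withdrawal kept under the per-transaction alert threshold) and Litan's mitigation (find the common point of compromise, then reissue the cards that were used there). The following Python is an added example, not code from the article or from Gartner; the transaction records, card ids and merchant names are constructed placeholders. It shows why a per-transaction amount limit misses the pattern while a sliding-window check on distinct withdrawal cities catches it, and then ranks merchants shared by the flagged cards to point at the likely compromise site.

```python
"""Constructed example: flagging 'flash' cash-out patterns and tracing them
to a common point of purchase. All data below is invented sample data."""
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2010, 10, 27, 9, 0)


def _w(card, minutes, city, amount):
    """Build one constructed ATM withdrawal record."""
    return {"card": card, "time": T0 + timedelta(minutes=minutes),
            "city": city, "amount": amount}


# Constructed withdrawals. C1-C3 were cloned and cashed out by mules in
# different cities within minutes; C4 is an ordinary customer.
WITHDRAWALS = [
    _w("C1", 0, "Chicago", 300), _w("C1", 2, "Denver", 300), _w("C1", 5, "Miami", 300),
    _w("C2", 1, "Chicago", 280), _w("C2", 3, "Denver", 280), _w("C2", 6, "Miami", 280),
    _w("C3", 0, "Boston", 300), _w("C3", 4, "Miami", 300),
    _w("C4", 0, "Seattle", 200), _w("C4", 240, "Seattle", 100),
]

# Constructed purchase history from the weeks before the cash-out:
# (card, merchant). Merchant names are placeholders.
PRIOR_PURCHASES = [
    ("C1", "GROCER-A"), ("C1", "GAS-STATION-42"), ("C1", "CAFE-B"),
    ("C2", "GAS-STATION-42"), ("C2", "BOOKS-C"),
    ("C3", "GAS-STATION-42"), ("C3", "GROCER-A"),
    ("C4", "GROCER-A"), ("C4", "CAFE-B"),
]


def flag_by_amount(withdrawals, limit=500):
    """Naive rule: flag any card with a single withdrawal above `limit`.
    The attackers in the article keep each withdrawal small, so this misses them."""
    return sorted({w["card"] for w in withdrawals if w["amount"] > limit})


def flag_flash_cashouts(withdrawals, window=timedelta(minutes=10), min_cities=2):
    """Flag cards withdrawn in >= min_cities distinct cities inside a sliding
    time window. Returns {card: {"cities": [...], "total": amount}}."""
    by_card = defaultdict(list)
    for w in withdrawals:
        by_card[w["card"]].append(w)
    flagged = {}
    for card, events in by_card.items():
        events.sort(key=lambda e: e["time"])
        for i, first in enumerate(events):
            cities, total = {first["city"]}, first["amount"]
            for later in events[i + 1:]:
                if later["time"] - first["time"] > window:
                    break  # events are sorted, so nothing later fits the window
                cities.add(later["city"])
                total += later["amount"]
            if len(cities) >= min_cities:
                flagged[card] = {"cities": sorted(cities), "total": total}
                break
    return flagged


def common_point_of_purchase(flagged_cards, purchases):
    """Rank merchants by how many flagged cards used them before the fraud.
    The top entry is the candidate point of compromise whose cards to reissue."""
    flagged_cards = set(flagged_cards)
    seen = defaultdict(set)
    for card, merchant in purchases:
        if card in flagged_cards:
            seen[merchant].add(card)
    return sorted(((m, len(c)) for m, c in seen.items()),
                  key=lambda x: (-x[1], x[0]))


if __name__ == "__main__":
    print("per-transaction limit flags:", flag_by_amount(WITHDRAWALS))
    hits = flag_flash_cashouts(WITHDRAWALS)
    for card, info in hits.items():
        print(card, info)
    print("likely point of compromise:",
          common_point_of_purchase(hits, PRIOR_PURCHASES)[0])
```

Run stand-alone, the amount rule flags nothing, the window rule flags C1, C2 and C3 with their aggregate losses, and the shared-merchant ranking puts GAS-STATION-42 first. In practice the window and city granularity would be tuned against the issuer's own false-positive rate, and the merchant ranking would be weighted against how many non-flagged cards also shopped there.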

Koobface Variant Uses Java to Spread to Mac OS X (October 28, 2010)

Researchers are warning that a variant of the Koobface worm now spreading targets Mac OS X in addition to Windows computers. The variant, nicknamed "Boonana," is spreading through messages posted to social media like Facebook, Twitter and MySpace. If users click on the link accompanying the message, they will be prompted to run a Java applet. Apple recently announced that it will stop supporting Java and may even drop it completely from future versions of OS X.
-http://www.computerworld.com/s/article/9193720/Koobface_worm_targets_Mac_users_on_Facebook_Twitter?taxonomyId=17
-http://krebsonsecurity.com/2010/10/koobface-worm-targets-java-on-mac-os-x/
-http://www.h-online.com/security/news/item/Koobface-variant-as-a-trojan-for-Mac-OS-X-1126899.htmls
-http://www.scmagazineus.com/koobface-exploit-for-macs-circulating-in-the-wild/article/181862/

[Editor's Note (Cole): Browser-style attacks will continue. One effective defense is to run your browser in a separate virtual machine. Now if a user clicks on a link, it will infect the guest only. When the browser closes, the malware goes away. ]

Dutch Police Take Down Bredolab Botnet; Alleged Mastermind Arrested in Armenia (October 26, 27 & 28, 2010)

Dutch police have conducted a takedown operation aimed at disabling the Bredolab botnet. One hundred forty-three servers affiliated with Bredolab have been disconnected. The Bredolab Trojan is believed to have infected 30 million PCs around the world. A man believed to be the mastermind behind Bredolab has been arrested in Armenia. Dutch police have also alerted more than 100,000 computer users whose machines are infected with Bredolab botnet malware. Some are questioning whether the police breached Dutch law by accessing those users' computers. Some users may ignore the warning, mistaking it for one of the phony, malicious alerts against which they have been warned. Users are notified when they log on to their computers; they will also be given instructions for cleaning the malware from their computers.
-http://www.computerworld.com/s/article/9193618/Bredolab_infected_PCs_downloading_fake_antivirus_software?taxonomyId=82
-http://www.bbc.co.uk/news/technology-11635317
-http://www.scmagazineus.com/botnet-sending-bredolab-trojan-dismantled-one-arrested/article/181767/
-http://www.zdnet.co.uk/news/security-threats/2010/10/26/dutch-police-take-down-bredolab-botnet-40090649/
-http://www.theregister.co.uk/2010/10/26/bredolab_botnet_takedown/
[Editor's Comment (Northcutt): Wow. 30 million infected. We have warned 100,000 users, only 29,900,000 left to go.
(Schultz): Whether we like it or not (and I don't), the severity of botnet-related risks has become so great that more governments and law enforcement agencies are likely to do the same thing that the Dutch did.
(Honan): Botnets are fast becoming the criminals' weapon of choice. Indeed, ENISA (the European Network and Information Security Agency) in a position paper "Botnets the Silent Threat" stated that: "Botnets represent a steadily increasing problem threatening governments, industries, companies and individual users with devastating consequences that must be avoided. Urgent preventive measures must be given the highest priority if this criminal activity is to be defeated. Otherwise the effect on the basic worldwide network infrastructures could be disastrous." Given that this paper was published in 2007, it appears that the above statement is proving to be particularly prophetic. The paper is available for download at
-http://www.enisa.europa.eu/act/res/other-areas/botnets/botnets-2013-the-silent-threat
]

Mozilla Updates Firefox to Fix Flaw Exploited on Nobel Peace Prize Web Site (October 27 & 28, 2010)

Mozilla has issued an update for Firefox to address a zero-day vulnerability less than two days after learning of the problem. Mozilla released Firefox versions 3.6.12 and 3.5.15 to address a flaw that was being actively exploited by malware surreptitiously placed on the Nobel Peace Prize web site. The vulnerability affected Windows, Mac OS X and Linux versions of the browser. Firefox 4, which is in beta release, appears to be unaffected. Computers of Firefox users who visited the site before the update was released may have been surreptitiously infected with a Trojan horse program.
-http://www.computerworld.com/s/article/9193518/Mozilla_patches_Firefox_zero_day_bug_in_48_hours?taxonomyId=208
-http://krebsonsecurity.com/2010/10/nobel-peace-prize-site-serves-firefox-0day/
-http://www.h-online.com/security/news/item/Attackers-exploit-zero-day-vulnerability-in-Firefox-1126178.html
-http://www.h-online.com/security/news/item/Mozilla-issues-Firefox-Thunderbird-security-updates-1126710.html
-http://www.scmagazineus.com/firefox-zero-day-being-exploited-in-the-wild/article/181821/
-http://www.theregister.co.uk/2010/10/28/firefox_zeroday_patched/

Apple Will Patch iPhone Password Vulnerability Next Month (October 26 & 27, 2010)

Apple says it will fix an iPhone vulnerability next month. The flaw can be exploited to make calls without entering the device's password. If an iPhone is lost or stolen, whoever finds it can use it to make calls and access the phone's address book, voicemail and call history. The attack allows access only to the Phone app.
-http://www.scmagazineuk.com/password-flaw-in-apple-iphone-set-to-be-fixed-next-month/article/181796/
-http://www.theregister.co.uk/2010/10/26/iphone_password_bypass/
-http://www.pcworld.com/businesscenter/article/208836/new_bug_lets_you_unlock_iphone_for_calls.html
-http://www.wired.com/threatlevel/2010/10/iphone-snoop/

RIAA vs. Jammie Thomas-Rasset, Round Three (October 26, 2010)

Round three of the legal battle between Minnesota mother of four Jammie Thomas-Rasset and the Recording Industry Association of America (RIAA) is scheduled to begin on November 2. This third trial in the copyright violation case will focus solely on the damages Thomas-Rasset will pay for sharing 24 music files.
-http://www.computerworld.com/s/article/9192999/Third_trial_to_begin_in_1.92M_music_piracy_case?taxonomyId=144
-http://arstechnica.com/tech-policy/news/2010/10/judge-third-trial-against-p2p-user-jammie-thomas-will-go-ahead.ars
-http://www.myce.com/news/3rd-trial-against-persistent-p2p-defendant-set-for-nov-2nd-35726/



**********************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer at the North American Energy Reliability Commission (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/