

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XII - Issue #88

November 05, 2010

TOP OF THE NEWS

UK ICO Now Says Google Violated Data Protection Act
US CERT Warns of Search Engine That Simplifies Finding SCADA Systems

THE REST OF THE WEEK'S NEWS

Google Releases Chrome Update
Microsoft to Fix 11 Vulnerabilities on November 9
FTC Names Edward Felten Agency's Chief Technologist
US Cyber Command at Full Operational Capability
Jury Delivers US $1.5 Million Verdict Against Thomas-Rasset
Myanmar Suffers Huge DDoS Attack
Microsoft Warns of Zero-Day Flaw in Internet Explorer
Prosecutors Seeking Closed Courtroom During High-Speed Trading Software Testimony
Google Announces Bug Bounty Program for Flaws in Google Products



TOP OF THE NEWS

UK ICO Now Says Google Violated Data Protection Act (November 3, 2010)

Following an investigation into Google Street View, the UK Information Commissioner's Office (ICO) has found that Google violated the Data Protection Act. As a result, the company will be subject to an audit and will be required to sign an undertaking promising that it will take steps to make sure that data will be better protected. The ICO declined to impose a fine. Google must also delete the data it collected while gathering images for Street View in the UK. Several weeks ago, the ICO issued a statement that the information Google had collected contained no personal information, but decided to reopen the investigation after other privacy organizations began to take more stringent action against Google.
-http://www.theregister.co.uk/2010/11/03/ico_google_streetview/
-http://www.scmagazineuk.com/ico-finds-google-in-breach-of-the-data-protection-act-over-street-view-but-has-no-intention-to-issue-a-fine/article/190072/
-http://www.computerworld.com/s/article/9194619/UK_Google_Wi_Fi_collection_violated_data_protection_laws?taxonomyId=144

US CERT Warns of Search Engine That Simplifies Finding SCADA Systems (November 2, 2010)

The US Computer Emergency Readiness Team (US CERT) has warned that a search engine called SHODAN that indexes servers and other devices could be used to help attackers identify industrial control systems that are vulnerable to cyber attacks. The advisory recommends that admins put all control systems behind firewalls; remove, disable or rename default system accounts; and put lockout policies in place to protect systems from brute force password attacks.
-http://www.h-online.com/security/news/item/Attackers-set-sights-on-online-industrial-control-systems-1129859.html
-http://www.theregister.co.uk/2010/11/02/scada_search_engine_warning/
-http://www.us-cert.gov/control_systems/pdf/ICS-Alert-10-301-01.pdf
[Editor's Note (Honan): This should serve as a wakeup call to all operators of SCADA systems and other critical network infrastructure. If SHODAN can find your device then guess what? It IS connected to the Internet and you need to secure it.]



THE REST OF THE WEEK'S NEWS

Google Releases Chrome Update (November 4, 2010)

Google has pushed out an updated version of its Chrome browser to address a dozen security flaws. Eleven of the 12 vulnerabilities were reported by researchers, to whom Google paid a total of US$8,674. Chrome version 7.0.517.44 also includes an updated version of Adobe Flash Player to fix a vulnerability that is being actively exploited. Google and Adobe reached an agreement earlier this year that allows Google to bundle Flash Player with Chrome and update the plug-in through the Chrome updater.
-http://www.computerworld.com/s/article/9194947/Google_quashes_12_Chrome_bugs_gives_users_early_Flash_fix?taxonomyId=17

Microsoft to Fix 11 Vulnerabilities on November 9 (November 4, 2010)

Microsoft will issue three security bulletins on Tuesday, November 9. One of the bulletins is rated critical; the other two are rated important. The critical bulletin addresses vulnerabilities in Microsoft Office; the other two bulletins address flaws in Office and in Microsoft Forefront Unified Access Gateway. The bulletins will address a total of 11 vulnerabilities.
-http://www.computerworld.com/s/article/9194980/Microsoft_slates_first_critical_fix_for_Office_2010_next_week?taxonomyId=17
-http://news.cnet.com/8301-27080_3-20021824-245.html
-http://www.microsoft.com/technet/security/Bulletin/MS10-nov.mspx

FTC Names Edward Felten Agency's Chief Technologist (November 4, 2010)

Princeton University professor of computer sciences and public affairs Edward Felten has been appointed chief technologist for the US Federal Trade Commission (FTC). FTC Chairman Jon Leibowitz said that Felten will bring "unparalleled expertise on high-technology markets and computer security, [as well as] invaluable input into the recommendations [the FTC] will be making soon for online privacy." Felten will take a leave of absence during the position's year-long duration.
-http://voices.washingtonpost.com/posttech/2010/11/ftc_names_internet_security_an.html
-http://www.princeton.edu/main/news/archive/S28/88/79S34/
[Editor's Note (Pescatore): The Federal Trade Commission continues to quietly enforce existing regulations around privacy exposures, without needing new legislation or the mythical "industry cooperation." Glad to see they are adding a CTO with a very strong software security background. ]

US Cyber Command at Full Operational Capability (November 4, 2010)

The US Cyber Command has "achieved full operational capability (FOC)," according to the Department of Defense (DoD). The Cyber Command is based in Ft. Meade, Maryland. It will focus on protecting DoD networks from cyber attacks and will manage cyber warfare activity. For the Cyber Command to become fully operational, the DoD needed to establish a joint operations center and merge personnel and jobs from the Joint Task Force for Global Network Operations and the Joint Functional Component Command for Network Warfare.
-http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=228200182&cid=RSSfeed_IWK_All
-http://www.defense.gov/releases/release.aspx?releaseid=14030
-http://www.theregister.co.uk/2010/11/04/cyber_command_go/
[Editor's Note (Lee): This sounds oddly like management restructuring. Has anything actually changed in how they are defending networks? If an electrical grid is the victim of a nation state SCADA attack, can the US Cyber Command help respond? We need to unshackle this command to help defend and respond to incidents across the nation, not just DoD networks. ]

Jury Delivers US $1.5 Million Verdict Against Thomas-Rasset (November 4, 2010)

On Wednesday, November 3, a jury in Minnesota delivered a US $1.5 million verdict against Jammie Thomas-Rasset for illegally downloading 24 songs through Kazaa. The verdict is the third delivered in the filesharing case. The first trial in 2007 resulted in a US $220,000 judgment against Thomas-Rasset. The judge later declared a mistrial because he believed he had given the jury incorrect instructions. In June 2009, another jury delivered a US $1.92 million verdict against Thomas-Rasset; the judge reduced the amount to $54,000, saying that the judgment "must bear some relation to actual damages." In January, Thomas-Rasset rejected an offer from the Recording Industry Association of America (RIAA) to settle the case for US $25,000.
-http://www.informationweek.com/news/software/server_virtualization/showArticle.jhtml?articleID=228200244
-http://www.wired.com/threatlevel/2010/11/monster-file-sharing-verdict/

Myanmar Suffers Huge DDoS Attack (November 3 & 4, 2010)

A sustained distributed denial-of-service (DDoS) attack has virtually cut off Myanmar from the Internet. The attack has targeted the Asian country's largest Internet service provider (ISP). The traffic spikes were measured as high as 14.58Gbit/s, significantly higher than the attacks that targeted Georgia and Estonia in 2007. A motive for the attack has not been established.
-http://www.v3.co.uk/v3/news/2272706/denial-service-attacks-target
-http://www.theregister.co.uk/2010/11/03/myanmar_ddos_attacks/
-http://www.thetechherald.com/article.php/201044/6381/DDoS-Myanmar-attacks-larger-than-those-against-Estonia-and-Georgia
-http://asert.arbornetworks.com/2010/11/attac-severs-myanmar-internet/
-http://www.eweekeurope.co.uk/news/myanmar-taken-off-net-by-cyber-attack-11113
[Editor's Note (Pescatore): If the largest ISP in Myanmar cannot handle DDoS attacks, make sure you are not depending on any cloud services hosted in Myanmar, and make sure the SLAs from your cloud or software as a service provider do *not* have DDoS loopholes. Cloud-based services need to be able to mitigate DDoS attacks the same way that they have to have back up power to handle power outages.
(Northcutt): There is a conspiracy theory claiming this attack might be self-inflicted by the government to keep information access to a minimum. There is some unrest in the country with the elections coming up this weekend. They also are dealing with the aftermath of Cyclone Giri.
-http://www.cnn.com/2010/WORLD/asiapcf/11/04/myanmar.election.preview/index.html
-http://thelede.blogs.nytimes.com/2007/09/28/burmese-government-clamps-down-on-internet/
-http://www.hindustantimes.com/170-000-affected-by-cyclone-in-Myanmar-UN/Article1-620606.aspx
]

Microsoft Warns of Zero-Day Flaw in Internet Explorer (November 3, 2010)

Microsoft has issued an advisory warning of active attacks on a zero-day flaw in Internet Explorer (IE). The vulnerability is being exploited to install malware on users' computers. The flaw affects IE 6, 7 and 8; users who have not already done so are being urged to upgrade to IE 8, which includes Data Execution Prevention technology that makes the flaw harder to exploit. IE 9, which is in beta release, is not affected. Microsoft says it is working on a fix for the vulnerability, but it does not appear to warrant an out-of-band fix. Microsoft's next scheduled security update is slated for Tuesday, November 9, but it does not appear to include a fix for this vulnerability.
-http://www.h-online.com/security/news/item/Attackers-set-sights-on-online-industrial-control-systems-1129859.html
-http://krebsonsecurity.com/2010/11/microsoft-warns-of-attacks-on-zero-day-ie-bug/
-http://www.computerworld.com/s/article/9194679/Hackers_exploit_unpatched_IE_bug_with_drive_by_attacks?taxonomyId=85
-http://www.scmagazineuk.com/zero-day-flaw-affects-three-versions-of-internet-explorer-as-microsoft-warns-of-activity-in-the-wild/article/190131/
-http://blogs.technet.com/b/msrc/archive/2010/11/02/microsoft-releases-security-advisory-2458511.aspx
-http://www.microsoft.com/technet/security/advisory/2458511.mspx

Prosecutors Seeking Closed Courtroom During High-Speed Trading Software Testimony (November 1 & 4, 2010)

Federal prosecutors have asked a judge to seal the courtroom in a case that will address high-speed trading software. The prosecutors want the courtroom sealed for testimony involving Goldman Sachs's proprietary trading software in a case involving Sergey Aleynikov, a former employee who allegedly stole some of the code. The trial is scheduled to begin on November 29. A judge in New York has denied the request of prosecutors to close portions of the trial of Samarth Agrawal, a former Societe Generale SA trader who is accused of stealing high-frequency trading code.
-http://www.wired.com/threatlevel/2010/11/sergey-aleynikov/
-http://www.bloomberg.com/news/2010-11-04/ex-societe-generale-programmer-s-trial-will-be-in-open-court-judge-says.html

Google Announces Bug Bounty Program for Flaws in Google Products (November 1, 2010)

Google has announced a "money for bugs" program that will pay researchers up to US $3,133 for finding serious flaws in YouTube, Blogger and other Google-run websites. Until now, Google had a bug bounty program for flaws in its Chrome web browser. The new vulnerability reward program does not apply to client apps like Picasa or Google Desktop. The highest bounties will be paid for privately reported vulnerabilities that allow cross-site scripting (XSS), cross-site request forgery (XSRF) and other flaws that could be exploited to compromise user data. Less serious flaws could fetch up to US $500.
-http://krebsonsecurity.com/2010/11/google-extends-security-bug-bounty-to-gmail-youtube-blogger/
-http://www.theregister.co.uk/2010/11/01/google_web_bug_bounties/
[Editor's Note (Skoudis): These programs do seem to help, and are relatively low cost. Good call, Google. For those puzzling over the odd number of $ 3,133... it is actually $ 3113.7, geekspeak for "Elite". ]


**********************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer at the North American Energy Reliability Commission (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/