SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XII - Issue #89

November 09, 2010

I just saw a demonstration of Ed Skoudis' "Network Penetration Testing and Ethical Hacking" course on an iPad. The iPad is an amazingly effective portable learning tool and no one can teach ethical hacking as well as Ed. For those of you without a big travel budget, taking SANS courses "OnDemand" is a worthy alternative. OnDemand is already getting student ratings equal to the live courses (because of the "Tivo effect"- - being able to go back to something the teacher said a few moments ago) and because of the quizzes that accompany each session to help you ensure you have mastered the material. Right now the iPad is free with Ed's course. For more information click
here: http://www.sans.org/ondemand/discounts.php#current

Alan

---

TOP OF THE NEWS

Security Flaws in Smartphone Banking Apps
Cyber Europe 2010 Security Exercise Tests Cyber Defenses

THE REST OF THE WEEK'S NEWS

Royal Navy Site Breached
Attack for Zero-Day IE Flaw Added to Exploit Kit
European Commission Wants to Overhaul Copyright Laws
Prison Sentence for Attacks on Political Websites
Firefox Extension Warns users When Others are Using FireSheep
Adobe Fixes Flash, Acknowledges New Hole in Reader
More Arrests in ZeuS Cybercrime Crackdown
Proof-of-Concept Exploit Code Released for Android Flaw
Stuxnet Has Multiple Authors and Encrypted P2P Network

---

************************ Sponsored By zScaler ************************** ONLINE FIRESIDE CHAT with Gartner: IPAD + FACEBOOK + BLENDED THREATS = IT NIGHTMARE Are you doing enough to manage your security risk in the Web 2.0 world? Join Peter Firstbrook of GARTNER who will address the growing security concerns and ways to combat them. Nov 16 at 10am PST / 1pm EST http://www.sans.org/info/66628 ************************************************************************* TRAINING UPDATE New "Combating Malware in the Enterprise" course at SANS (SEC569). How do you fight off malware when you have thousands of hosts? Course debut in Las Vegas (Sept'10) and Washington DC (Dec'10):
http://www.sans.org/security-training/combating-malware-enterprise-1482-mid

- -- SANS San Francisco 2010, November 7-12, 2010 7 courses. Bonus evening presentations include Weaponizing LISP: Advancing the Art of Network Security
http://www.sans.org/san-francisco-2010/

- -- SANS London 2010, November 27-December 6, 2010 14 courses. Bonus evening presentations include Latest Advances in Computer Forensics and Continuous Vulnerability Testing and Remediation: The 20 Critical Security Controls Perspective
http://www.sans.org/london-2010/

- -- SANS Cyber Defense Initiative 2010, Washington DC, December 10-17, 2010 24 courses. Bonus evening presentations include Browser Based Defenses; Continuous Vulnerability Testing and Remediation: the 20 Critical Security Controls Perspective; and Cyberwar or Business as Usual? The State of US Federal CyberSecurity Efforts
http://www.sans.org/cyber-defense-initiative-2010/

- -- SANS Security East 2011, New Orleans, LA, January 20-27, 2011 12 courses. Bonus evening presentations and special events include Happy Little Clouds: Governing, Assessing and Auditing Cloud Environments and Future Trends in Network Security
http://www.sans.org/security-east-2011/

- -- Looking for training in your own community?
http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus San Antonio, Geneva, Tokyo, Sydney, Manama and Muscat all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php *********************************************************

---

TOP OF THE NEWS

Security Flaws in Smartphone Banking Apps (November 5, 2010)

Researchers have found that several banking applications for Android and iPhone contain security flaws that store account information in plaintext. Attackers could potentially steal sensitive data by luring users to maliciously crafted websites designed to find the information. Of the seven applications inspected in the study, just one, from the Vanguard Group, did not store information in plaintext. The institutions were notified of the problems and reportedly have taken steps to fix the flaws.
-http://www.wired.com/threatlevel/2010/11/bank-apps-for-phones/
-http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?a
rticleID=228200291&cid=RSSfeed_IWK_News
[Editor's Note (Pescatore): The Android phone world seems to be trying to compete with the iPhone by saying "Droid does anything - no restrictive App Store." The reality is that the Apple iPhone could actually compete by making the bar a bit higher for iPhone apps, to make sure that the apps don't do silly things like storing account info or passwords in the clear on the phone. I think users are very comfortable with "only" having 20 Tetris games to choose from if they know that none of the 20 are going to send their information to identity thieves. ]

Cyber Europe 2010 Security Exercise Tests Cyber Defenses (November 4 & 5, 2010)

Twenty-two EU member states plus Iceland, Norway and Switzerland participated in the Cyber Europe 2010 cyber security exercise last week. The event underscored the need for improved communication and better procedures for protecting elements of critical infrastructure from cyber attacks. Exercise participants included Computer Emergency Response Teams ministries and national regulatory authorities. Mission control was located in Athens, Greece.
-http://www.theregister.co.uk/2010/11/05/euro_cyber_security_exercise/
-http://www.bbc.co.uk/news/technology-11696249
[Editor's Note (Schultz): To the best of my knowledge, never before has an exercise of this nature involved such a large range of countries and entities. ]

---

************************* Sponsored Link *************************
1) Webinar: Learn about the new PCI-compliant cloud reference architecture from VMware, HyTrust, Cisco, Savvis & Coalfire. http://www.sans.org/info/66633 **********************************************************************

---

THE REST OF THE WEEK'S NEWS

Royal Navy Site Breached (November 8, 2010)

A Romanian hacker used an SQL injection attack to break into the UK Royal Navy's website. He published information he found there, including site administrators' usernames and passwords. The Royal Navy site has been made temporarily unavailable while an investigation is underway, but a Royal Navy spokesperson said there was "no malicious damage." Visitors to the site are greeted with a message informing them that the site "is currently undergoing essential maintenance."
-http://www.bbc.co.uk/news/technology-11711478
-http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID
=228200418&cid=RSSfeed_IWK_All
-http://www.telegraph.co.uk/technology/news/8117144/Royal-Navy-website-infiltrate
d-by-computer-hacker.html
-http://www.theregister.co.uk/2010/11/08/royal_navy_website_hack/

Attack for Zero-Day IE Flaw Added to Exploit Kit (November 8, 2010)

The Eleonore Exploit Kit has been updated to include an attack for an unpatched flaw in Internet Explorer. Microsoft issued a warning about the flaw last week, but a fix for the vulnerability does not appear to in todays' Microsoft's monthly security update The IE exploit is likely to prompt Microsoft to issue an out-of-band fix for the vulnerability. The flaw, which lies in Cascading Style Sheets (CSS) token handling, was already being exploited through drive-by attacks when it was reported last week. IE users are being urged to enable data execution prevention (DEP), a feature that is enabled by default in IE 8.
-http://www.theregister.co.uk/2010/11/08/ie_vuln_exploit_toolkit/
-http://www.computerworld.com/s/article/9195380/Danger_to_IE_users_climbs_as_hack
er_kit_adds_exploit?source=CTWNLE_nlt_dailyam_2010-11-08

European Commission Wants to Overhaul Copyright Laws (November 5 & 8, 2010)

The European Commission is calling for an overhaul of copyright law. The Commission believes laws now on the books are "fragmented and ill-adapted to the real essence of art." The Commission plans to examine "multi-territorial and pan-European licensing."
-http://www.v3.co.uk/v3/news/2272842/ec-piracy-copyright

Prison Sentence for Attacks on Political Websites (November 8, 2010)

Mitchell L. Frost has started serving his 30-month prison sentence for launching distributed denial-of-service (DDoS) attacks against the websites of politicians and pundits. Frost admitted that he launched the attacks between 2006 and March 2007. He also admitted to launching an attack on a network at the University of Akron (Ohio) in March 2007 and to stealing personal information, including credit card numbers, from compromised computers. Frost was ordered to pay a total of US $50,000 in restitution.
-http://www.theregister.co.uk/2010/11/08/us_hacktivist_jailed/

Firefox Extension Warns users When Others are Using FireSheep (November 8, 2010)

Researchers have released an extension for Firefox that detects when computers on a local area network are using FireSheep, a tool that steals unencrypted cookies from websites. Called BlackSheep, the extension alerts users by displaying a message telling them that someone is using FireSheep and providing the LAN IP address of the FireSheep user. FireSheep was created and released to draw attention to the lack of encryption for session cookies on many popular websites.
-http://www.theregister.co.uk/2010/11/08/firesheep_detection_tool/
[Editor's Note (Northcutt): Interesting, dueling plug-ins. For the moment this is quite limited as you can install FireSheep and BlackSheep on the same computer only if you use different Firefox profiles. The duel would be over unencrypted LANs:
-http://www.zscaler.com/blacksheep.html]

Adobe Fixes Flash, Acknowledges New Hole in Reader (November 5, 2010)

Adobe has released an update for Flash Player to address 18 vulnerabilities. One of the flaws is already being actively exploited in targeted attacks. Users are urged to update to Flash version 10.1.102.64. Updates are available for Windows, Mac OS X and Linux versions of flash; a fix for Android versions of Flash will be available this week. Adobe has also acknowledged a flaw in Reader that could be exploited to launch DOD attacks against vulnerable systems. The flaw was disclosed, along with proof-of-concept code, on an Internet mailing list. The code causes vulnerable systems to crash. The flaw lies in a JavaScript function called Doc.printSeps and affects Reader versions from 9.2 and 8.1 and newer for Windows, Unix and Mac Os X.
-http://krebsonsecurity.com/2010/11/flash-update-plugs-18-security-holes/
-http://www.scmagazineus.com/adobe-investigating-dos-issue-in-reader/article/1902
76/
-http://www.h-online.com/security/news/item/Adobe-hole-closed-hole-open-1131232.h
tml
[Editor's Note (Pescatore): Don't forget about patching those Macs. Microsoft has patches out this week for vulnerabilities in Office for Mac, as well. ]

More Arrests in ZeuS Cybercrime Crackdown (November 4, 5 & 8, 2010)

US authorities have arrested two men in Wisconsin in connection with laundering money stolen with the help of ZeuS malware. Dorin Codreanu and Lilian Adam, who are from Moldova, were charged in New York on September 30. The two are in the US on J1 student visas and are being sent to New York to face charges. In addition, six more people have been arrested in Moldova.
-http://krebsonsecurity.com/2010/11/authorities-nab-more-zeus-related-money-mules
/
-http://www.theregister.co.uk/2010/11/05/zeus_fugitives_cuffed/
-http://www.eweek.com/c/a/Security/Zeus-Trojan-Money-Mule-Suspects-Arrested-37165
2/s
-http://host.madison.com/wsj/news/local/crime_and_courts/article_7f1ddf58-e870-11
df-bf94-001cc4c03286.html
-http://www.theregister.co.uk/2010/11/08/zeus_moldova_bank_worker_arrests/

Proof-of-Concept Exploit Code Released for Android Flaw (November 4, 6 & 7, 2010)

Proof-of-concept exploit code that can be used to launch attacks on Android-based smartphones has been released on the Internet. The target of the attack is the browser in phones running Android 2.1 and earlier. The flaw does not affect Android 2.2 or later versions. Just over a third of Android phones are running versions 2.2 and later. The Android operating system walls off different components, so the attack cannot be used to gain root access to vulnerable devices, but could be used to read what the browser reads. The researcher who released the code said his motivation was to draw attention to Android's inadequate patching practices.
-http://www.computerworld.com/s/article/9195058/Researcher_releases_Web_based_And
roid_attack
-http://www.theregister.co.uk/2010/11/06/android_attack_code/
-http://www.h-online.com/security/news/item/Back-door-exploit-for-Android-phones-
1131858.html

Stuxnet Has Multiple Authors and Encrypted P2P Network (November 4, 2010)

Analysis of the Stuxnet worm has found evidence that at least 30 people worked on the sophisticated malware that is designed to penetrate supervisory control and data acquisition (SCADA) systems at utility and manufacturing facilities. The peer-to-peer network that is built into Stuxnet appears to be encrypted to FIPS 140-2 standards.
-http://www.theatlantic.com/technology/archive/2010/11/the-stuxnet-worm-more-than
-30-people-built-it/66156/
[Editor's Note (Schultz): Stuxnet is in all likelihood the most sophisticated Worm code to surface so far. What is even more troubling, however, is that malware authors can now develop even more sophisticated malware using the Stuxnet code as a base. ]

---

**********************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer at the North American Energy Reliability Commission (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/