SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XII - Issue #90

November 13, 2010

There's a great show next Tuesday and Wednesday at the Washington DC Convention Center that will help you get the latest data on how to implement Continuous Monitoring and the 20 Critical Controls. The key players who are shaping the change are speaking. Data at http://events.1105govinfo.com/events/security-conference-exhibition-2010/home.as
px
Alan

---

TOP OF THE NEWS

UK Government Says Copyright Violators Will Not be Disconnected from Internet
Spam Declines in Face of Concerted Anti-Bot Efforts
FCC Investigating Google Over Street View Data Gathering

THE REST OF THE WEEK'S NEWS

Google Pulls Proof-of-Concept Stealth App
Exploit for Zero-Day IE Flaw Found on Amnesty International Website
Sweden Considers Data Retention Legislation
Apple Issues Huge Mac OS X Update
Microsoft Patch Tuesday for November
FBI Investigating Anonymous's DDoS Attacks
Phones in China Infected with Malware
Washington State University Classroom Video Screen Hijacked

---

******************* Sponsored By Palo Alto Networks ********************
Please join us for a SANS Analyst Webcast: Taming the Social Networking Beast on December 7, 1PM EST sponsored by Palo Alto Networks. In this webcast, learn the risks social networking brings to enterprises and how to enable social networking while protecting against risks. Featuring SANS Fellow Eric Cole, PhD. Register for this webcast to receive an advance copy of a special SANS accompanying whitepaper on the same topic. Go to: http://www.sans.org/info/66728 ************************************************************************* TRAINING UPDATE New "Combating Malware in the Enterprise" course at SANS (SEC569). How do you fight off malware when you have thousands of hosts? Course debut in Las Vegas (Sept'10) and Washington DC (Dec'10):
http://www.sans.org/security-training/combating-malware-enterprise-1482-mid

-- SANS London 2010, November 27-December 6, 2010 14 courses. Bonus evening presentations include Latest Advances in Computer Forensics; and Continuous Vulnerability Testing and Remediation: The 20 Critical Security Controls Perspective
http://www.sans.org/london-2010/

-- SANS Cyber Defense Initiative 2010, Washington DC, December 10-17, 2010 24 courses. Bonus evening presentations include Browser Based Defenses; Continuous Vulnerability Testing and Remediation: the 20 Critical Security Controls Perspective; and Cyberwar or Business as Usual? The State of US Federal CyberSecurity Efforts
http://www.sans.org/cyber-defense-initiative-2010/

-- SANS Security East 2011, New Orleans, LA, January 20-27, 2011 12 courses. Bonus evening presentations and special events include Happy Little Clouds: Governing, Assessing and Auditing Cloud Environments; and Future Trends in Network Security
http://www.sans.org/security-east-2011/

-- SANS 2011, Orlando, FL, March 27-April 4, 2011 39 courses. Bonus evening presentations and special events include Hiding in Plain Sight: Forensic Techniques to Counter the Advanced Persistent Threat; and Law and the Public's Perception of Data Security
http://www.sans.org/sans-2011/

-- Looking for training in your own community?
http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus San Antonio, Sydney, Tokyo and San Francisco all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php *********************************************************

---

TOP OF THE NEWS

UK Government Says Copyright Violators Will Not be Disconnected from Internet (November 11, 2010)

Computer users in the UK will not be disconnected from the internet if they are suspected of illegal filesharing, according to a statement from the government. The Digital Economy Act, hastily passed earlier this year, appears to allow for such measures. However, the UK government said "The Act ... includes a reserve power to introduce further technical measures if the initial measures
[of discouraging illegal filesharing ]
do not succeed. These technical measures would limit or restrict an infringers' access to the Internet. They do not include disconnection." In a related story, the high Court granted a judicial review of the Digital Economy Act, sought by UK Internet service providers (ISPs) TalkTalk and BT.
-http://www.zdnet.co.uk/blogs/tech-tech-boom-10017860/government-will-not-disconn
ect-suspected-file-sharers-10021026/

Spam Declines in Face of Concerted Anti-Bot Efforts (November 11, 2010)

According to statistics gathered by Symantec's hosted services unit, the volume of spam has fallen 47 percent globally in the last three months; the significant drop is attributed to efforts to take down botnets. Last month, authorities in the Netherlands took down servers that were supporting the Bredolab botnet, and September saw the shutdown of pharmaceutical spam giant spamit.com and dozens of arrests associated with the ZeuS botnet. A report from Kaspersky Lab notes a similar decline in spam and attributes the change to the disabling of the Pushdo botnet.
-http://www.theregister.co.uk/2010/11/11/botnet_takedowns_hit_spam/
[Editor's Note (Honan): Many of these botnets are only temporarily disabled by taking out their command & control servers. Until the infected client PCs are cleaned up there is always the threat that the botnet could be resurrected. ]

FCC Investigating Google Over Street View Data Gathering (November 10 & 11, 2010)

The US Federal Communications Commission (FCC) has launched an investigation into whether Google violated federal eavesdropping laws when it inadvertently harvested data from unencrypted residential wireless networks while gathering images for Street View. Google recently acknowledged that the data collected included passwords, emails and other personal information. Google says it has removed the code responsible for the extra data harvesting and has stopped collecting Wi-Fi information altogether. A Federal Trade Commission (FTC) investigation ended recently with little more than a slap on the wrist for Google; the FTC was satisfied with Google's promises to delete the collected data and improve its privacy training. The announcement of the FCC's investigation was welcomed by the Electronic Privacy Information Center (EPIC), which earlier this year asked the FCC to launch a probe into the issue.
-http://money.cnn.com/2010/11/11/technology/fcc_google/index.htm
-http://www.washingtonpost.com/wp-dyn/content/article/2010/11/10/AR2010111007003.
html
-http://www.nytimes.com/2010/11/11/technology/11google.html?_r=1&ref=technolo
gy
-http://www.computerworld.com/s/article/9196020/FCC_investigating_Google_over_Str
eet_View?taxonomyId=17

---

THE REST OF THE WEEK'S NEWS

Google Pulls Proof-of-Concept Stealth App (November 11, 2010)

Google has removed a proof-of-concept app from the Android Marketplace that was designed to demonstrate how a certain vulnerability could be exploited to allow apps to be installed without warning users. The app appeared to be an expansion for the Angry Birds game, but it also installed three additional apps without letting the user know; the apps had access to the device's phone contacts, location data and SMS functionality. The silent apps that piggybacked on the proof-of-concept app are apparently not designed to behave maliciously.
-http://www.theregister.co.uk/2010/11/10/android_malware_attacks/
-http://news.cnet.com/8301-27080_3-20022545-245.html?tag=mncol;title
[Editor's Note (Schultz): We still do not understand security (or often better said, the lack of security) in applications that run on conventional platforms. It is thus truly frightening to imagine the kinds of exploits and vulnerabilities that are present in mobile device applications. ]

Exploit for Zero-Day IE Flaw Found on Amnesty International Website (November 11, 2010)

Amnesty International's Hong Kong website has been laced with malware that tries to infect the computers of visitors to the site. One of the attacks exploits a zero-day flaw in Internet Explorer (IE) that was disclosed last week. An exploit for the IE flaw was recently added to a commercially available malware package, increasing the likelihood that it will be exploited more and more frequently. Microsoft did not address the flaw in the batch of patches released earlier this week, but is working on a fix for the issue. The company has not said whether the patch will be released out-of-band or with December's batch of fixes. Until a fix is available, users can protect their computers by enabling Data Execution Prevention (DEP) for IE; DEP is enabled by default in IE 8. The Amnesty International site also was infected with malware that exploits vulnerabilities in QuickTime, Flash and Shockwave.
-http://www.h-online.com/security/news/item/Internet-Explorer-hole-attacks-are-li
kely-to-increase-1134881.html
-http://www.theregister.co.uk/2010/11/11/amnesty_international_hosts_ie_exploit/
[Editor's Note (Northcutt): I wouldn't mind seeing new sentencing guidelines that raise the penalties for people who exploit critical do-gooder websites, Amnesty, Compassion Intl, UNICEF, United Way and such. Tack on an extra five years. ]

Sweden Considers Data Retention Legislation (November 11, 2010)

Internet service providers (ISPs) in Sweden may be required to store people's email and cell phone text messages for six months, according to a bill presented to the Swedish government this week. The proposed legislation would allow the stored information to be disclosed only for the purposes of fighting crime, and authorities will have to pay for the information. The bill will likely go before Swedish Parliament for a vote before the year's end. If passed, it will take effect July 11, 2011. The legislation was introduced to comply with EU Directive 2006/24/EC, which requires EU member countries to establish their own communications data retention laws within certain parameters.
-http://www.stockholmnews.com/more.aspx?NID=6254
-http://www.thelocal.se/30150/20101111/

Apple Issues Huge Mac OS X Update (November 11, 2010)

On Wednesday, November 10, Apple issued updates for Mac OS X 10.6 and 10.5 to address more than 130 vulnerabilities. The last time Apple released updates for OS X was in September. Among the flaws patched are 55 in Adobe Flash Player, which is bundled with OS X. The fix keeps users up to date with Flash patches; in the past, Apple has lagged behind in patching the Media Player. Apple also fixed a number of reliability and stability issues. Users are urged to upgrade to Mac OS X 10.6.5 and 10.5.8 as soon as possible.
-http://www.computerworld.com/s/article/9196118/Apple_smashes_patch_record_with_g
igantic_update?taxonomyId=17
-http://www.h-online.com/security/news/item/Apple-releases-Mac-OS-X-10-6-5-update
-1134732.html
-http://support.apple.com/kb/HT4435
[Editor's Note (Honan): For those of you who are using PGP's Whole Disk Encryption for Macs, be aware that upgrading to Mac OS X 10.6.5 could render your computer useless. PGP have issued a fix at
-https://pgp.custhelp.com/app/answers/detail/a_id/2288]

Microsoft Patch Tuesday for November (November 10, 2010)

Microsoft's monthly security update for November addresses 11 vulnerabilities, including DLL hijacking flaws that could be exploited to execute arbitrary code on vulnerable machines. Just one of the patches was rated critical; it affects Microsoft Office 2007 and 2010. Internet Storm Center:
-http://isc.sans.edu/diary.html?storyid=9910
-http://www.theregister.co.uk/2010/11/10/ms_nov_patch_tuesday/
-http://krebsonsecurity.com/2010/11/microsoft-plugs-office-holes-but-no-ie-fix-ye
t/
-http://www.informationweek.com/news/windows/security/showArticle.jhtml?articleID
=228200659&subSection=Security
-http://www.microsoft.com/technet/security/Bulletin/MS10-nov.mspx

FBI Investigating Anonymous's DDoS Attacks (November 9, 2010)

The FBI is investigating a series of distributed denial-of-service (DDoS) attacks on websites of vocal antipiracy groups, including the Motion Picture Association of America (MPAA) and the Recording Industry Association of America (RIAA). The group behind the attacks calls itself Anonymous and says it is perpetrating the attacks to protect "the free flow of information."
-http://news.cnet.com/8301-31001_3-20022264-261.html

Phones in China Infected with Malware (November 10, 2010)

Attackers have infected more than 1 million cell phones in China with malware that sends text messages automatically; the infection is estimated to be costing users a total of 2 million yuan (US $302,000) a day. The malware snuck onto the phones in a phony antivirus application. The malware can send information about the infected devices' SIM cards to the attackers, which they use to send the messages remotely. Some of the messages sent contain links to malicious websites.
-http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID
=228200648&cid=RSSfeed_IWK_All
[Editor's Note(Northcutt): Cell phone OSs, processors and available memory are just too small for countermeasures like DEP. And in the rush to be number one in features neither Apple, Google, nor Nokia is likely to strongly police apps *before* they become available. Before you load an app ask yourself, do I really need it and how long has it been available. ]

Washington State University Classroom Video Screen Hijacked (November 10, 2010)

An as-yet unidentified individual hijacked a computer system at Washington State University, causing classroom video screens in two Pullman, Washington, campus buildings to play a video of someone dressed in a Guy Fawkes costume. The four-minute video consists of a rant about the squirrels on the campus and a scolding about lax information technology security. The video played once an hour all day long. A website identified by the attacker informed university officials that the videos would stop playing at the end of the day and directed them to a batch file on AV servers that could be used to stop the attack. The incident occurred on Friday, November 5, also known as Guy Fawkes Day. (Fawkes is known for his involvement in the Gunpowder Plot, a plan to assassinate King James I of England on November 5, 1605.)
-http://www.wired.com/threatlevel/2010/11/v-for-vendetta-hacker-strikes-at-washin
gton-state-university/
-http://news.cnet.com/8301-27080_3-20022460-245.html?tag=mncol;txt

---

**********************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer at the North American Energy Reliability Commission (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/