SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XII - Issue #92

November 19, 2010

TOP OF THE NEWS

Senate Promises Rapid Action on Stuxnet Implications; Assante Calls For Separation of Business Systems From Control Systems
China Telecom Denies Internet Traffic Hijacking Allegations
US Air Force Warns that Social Networking Sites Can Reveal Location Data
FBI Director Speaks with Tech Companies About Expanding CALEA's Domain

THE REST OF THE WEEK'S NEWS

Malaysian Man Indicted for Hacking into Federal Reserve Bank
Apple Issues Updates to Fix Safari Flaws
Report: Thieves Skirt Anti-Skimming Measures
Alureon Rootkit Finds its Way into 64-bit Windows
Adobe Fixes Zero-Day Flaw in Reader and Acrobat
Man Arrested, Charged with Stealing Trade Secrets from Former Employer

---

******************* Sponsored By Palo Alto Networks *********************
REGISTER NOW! Please join us for the SANS Analyst Webcast: Taming the Social Networking Beast on December 7, 1PM EST sponsored by Palo Alto Networks. In this webcast, learn the risks social networking brings to enterprises and how to enable social networking while protecting against risks. Featuring SANS Fellow Eric Cole, PhD. Register for this webcast to receive an advance copy of a special SANS accompanying whitepaper on the same topic. Go to: http://www.sans.org/info/66988 *************************************************************************
TRAINING UPDATE New "Combating Malware in the Enterprise" course at SANS (SEC569). How do you fight off malware when you have thousands of hosts? Course debut in Las Vegas (Sept'10) and Washington DC (Dec'10):
http://www.sans.org/security-training/combating-malware-enterprise-1482-mid

- -- SANS London 2010, November 27-December 6, 2010 14 courses. Bonus evening presentations include Latest Advances in Computer Forensics; and Continuous Vulnerability Testing and Remediation: The 20 Critical Security Controls Perspective
http://www.sans.org/london-2010/

- -- SANS Cyber Defense Initiative 2010, Washington DC, December 10-17, 2010 24 courses. Bonus evening presentations include Browser Based Defenses; Continuous Vulnerability Testing and Remediation: the 20 Critical Security Controls Perspective; and Cyberwar or Business as Usual? The State of US Federal CyberSecurity Efforts
http://www.sans.org/cyber-defense-initiative-2010/

- -- SANS Security East 2011, New Orleans, LA, January 20-27, 2011 12 courses. Bonus evening presentations and special events include Happy Little Clouds: Governing, Assessing and Auditing Cloud Environments; and Future Trends in Network Security
http://www.sans.org/security-east-2011/

- -- SANS 2011, Orlando, FL, March 27-April 4, 2011 39 courses. Bonus evening presentations and special events include Hiding in Plain Sight: Forensic Techniques to Counter the Advanced Persistent Threat; and Law and the Public's Perception of Data Security
http://www.sans.org/sans-2011/

- -- Looking for training in your own community?
http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus San Antonio, Sydney, Tokyo and San Francisco all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php ****************************************************************************

---

TOP OF THE NEWS

Senate Promises Rapid Action on Stuxnet Implications; Assante Calls For Separation of Business Systems From Control Systems (November 17 & 18, 2010)

Experts testifying before the Senate Homeland Security and Governmental Affairs Committee (HSGAC) have called the Stuxnet worm a "game changer." While the malware appears to target very specific systems, it could be modified to cause problems worldwide. The heightened threat makes it crucial that lawmakers pass legislation to protect critical infrastructure from such attacks. The best definition of what the legislation needed to do came form Mike Assante who recently served as chief security officer at NERC and now is the head of the prestigious National Board of Information Security Examiners. Assante's recommendation was that utilities separate business systems from control systems - so that attacks cannot jump from Internet-connected business systems to the sensitive control systems. HSGAC Chairman Lieberman promised that action on power company security would be a top priority in the new Congress that begins in January.
-http://www.washingtonpost.com/wp-dyn/content/article/2010/11/17/AR2010111702516.
html
-http://www.nextgov.com/nextgov/ng_20101117_5600.php?oref=topnews
-http://www.ctv.ca/CTVNews/TopStories/20101118/stuxnet-computer-virus-warning-101
118/
-http://www.cnn.com/2010/TECH/web/11/17/stuxnet.virus/index.html
-http://www.informationweek.com/news/government/security/showArticle.jhtml?articl
eID=228300167&cid=RSSfeed_IWK_All
[Editor's Note (Northcutt): Michael Assante's testimony is correct, we really do need to run control systems on a separate network not connected to the Internet. Heck, I thought that had been the plan all along.
(Paller): At the February US Summit on SCADA Security, one of the many useful sessions will show how to separate control systems from business systems without damaging operational effectiveness.
-http://www.sans.org/north-american-scada-2011/]

China Telecom Denies Internet Traffic Hijacking Allegations (November 17, 2010)

China Telecom has issued a statement denying involvement with an alleged hijacking of Internet traffic through Chinese servers on April 8, 2010. The allegation was made in a report from the United States-China Economic and Security Review Commission, delivered to US legislators. According to the report, the incident lasted approximately 18 minutes. The Chinese government has not yet issued a formal statement on the matter. Some of the diverted traffic was supposed to go to US government and military organizations. The report states that "evidence related to this incident does not clearly indicate whether it was perpetrated intentionally," but the incident does raise concerns about China's increasing ability to exert power over the Internet.
-http://www.nytimes.com/2010/11/18/world/asia/18intel.html?ref=technology
-http://www.computerworld.com/s/article/9197019/Update_Report_sounds_alarm_on_Chi
na_s_rerouting_of_U.S._Internet_traffic?taxonomyId=17
-http://www.bbc.co.uk/news/technology-11773146
-http://www.theregister.co.uk/2010/11/17/bgp_hijacking_report/
Coverage of the issue starts on page 243 of the report:
-http://www.uscc.gov/annual_report/2010/annual_report_full_10.pdf
[Editor's Note (Schultz): Either in a show of power or in retribution for some sanction against it, China will, some time in the not too distant future, launch such a barrage of denial service attacks that the Internet will functionally be down for a period of time.
(Honan): This issue has more to do with the insecurity of BGP routing than a specific ability of any nation-state or other organization to "hijack" traffic. BGP routing errors have in the past impacted on Internet traffic. For example in 2008 nearly all of YouTube's traffic was accidentally diverted to Pakistan. Once your network traffic leaves your network it is no longer under your control. If you are worried about the security of that traffic then make sure you have it encrypted properly. ]

US Air Force Warns that Social Networking Sites Can Reveal Location Data (November 17 & 18, 2010)

The US Air Force Troops has posted a warning on its website that social networking sites, including Facebook, can disclose data about users' locations. Most sites allow users to disable geo-location features. "Careless use of these services by airmen could have devastating operations security and privacy implications." The US Army plans to issue a similar warning to personnel next week.
-http://www.informationweek.com/news/government/mobile/showArticle.jhtml?articleI
D=228300144&cid=RSSfeed_IWK_All
-http://www.bbc.co.uk/news/world-us-canada-11782352
-http://techinsider.nextgov.com/2010/11/note_to_airmen_dont_facebook_your_locatio
n_in_war_zone.php

FBI Director Speaks with Tech Companies About Expanding CALEA's Domain (November 16, 2010)

FBI director Robert Mueller was in Silicon Valley earlier this week to meet with technology company executives about a proposal that would expand 1994's Communications Assistance for Law Enforcement Act (CALEA) to cover encrypted communications traveling over the companies' networks. Presently, CALEA requires that telephone and broadband providers incorporate technology that will allow them to comply with federal wiretap orders. The FBI wants to expand the law's reach to Internet companies because so much communication occurs over those networks. Among the companies Mueller and FBI General Counsel Valerie Caproni planned to speak with were Google and Facebook.
-http://www.theregister.co.uk/2010/11/17/google_facebook_wiretapping/
-http://www.nytimes.com/2010/11/17/technology/17wiretap.html?_r=1&partner=rss
&emc=rss

---

THE REST OF THE WEEK'S NEWS

Malaysian Man Indicted for Hacking into Federal Reserve Bank (November 18, 2010)

A federal grand jury has indicted Lin Mun Poo for allegedly breaking into computers at the US Federal Reserve Bank of Cleveland. The alleged attack occurred in June 2010 and affected at least 10 computers. A Federal Reserve Bank spokesperson said that the computer system affected was "not in any way connected to
[the bank's ]
live production system." Poo was also indicted on charges of possessing the numbers of 400,000 payment cards and of breaking into a defense contractor's computer system. Poo, who is Malaysian, was arrested on October 21, hours after flying into New York's John F. Kennedy Airport.
-http://www.pcworld.com/businesscenter/article/211104/malaysian_charged_with_hack
ing_federal_reserve_others.html
-http://www.businessweek.com/news/2010-11-18/federal-reserve-hacking-suspect-indi
cted-u-s-says.html
-http://www.npr.org/blogs/money/2010/11/18/131421805/somebody-hacked-the-fed
-http://www.myfoxhouston.com/dpps/news/malaysian-charged-in-credit-card-hacking-d
pgonc-20101118-gc_10689516

Apple Issues Updates to Fix Safari Flaws (November 18, 2010)

Apple has fixed 27 vulnerabilities in its Safari web browser for Mac OS X and Windows. Four of the flaws have already been fixed in Apple's iOS mobile operating system, and three or more have already been fixed in Google's Chrome browser. Users are urged to upgrade to Safari version 5.0.3 or 4.1.3.
-http://reviews.cnet.com/8301-13727_7-20023278-263.html
-http://www.computerworld.com/s/article/9197184/Apple_patches_critical_drive_by_S
afari_bugs?taxonomyId=85
-http://www.v3.co.uk/v3/news/2273310/apple-safari-security-update

Report: Thieves Skirt Anti-Skimming Measures (November 18, 2010)

According to a report from the European ATM Security Team, fraudsters are finding new ways to place skimmers on ATMs in European countries despite efforts to thwart ATM skimmers by installing devices designed for that purpose. There are also reports of new skimming devices that use modified MP3 players to record the information and reports that some thieves have managed to install malware on the ATMs themselves to steal data.
-http://www.computerworld.com/s/article/9197138/European_banks_see_new_ATM_skimmi
ng_attacks?taxonomyId=17

Alureon Rootkit Finds its Way into 64-bit Windows (November 16, 2010)

The Alureon rootkit, also known as TDL, has managed to start infecting 64-bit versions of Windows. Microsoft developed the 64-bit operating system with safeguards to prevent infections like Alureon. Researchers have found that the latest version of the rootkit bypasses protections built in to 64-bit versions of Windows Vista and Windows 7. Alureon was in the news earlier this year when it was discovered that the rootkit's presence on 32-bit systems rendered systems unable to boot after a certain patch from Microsoft was applied.
-http://www.h-online.com/security/news/item/Rootkit-able-to-bypass-kernel-protect
ion-and-driver-signing-in-64-bit-Windows-1137225.html
-http://www.theregister.co.uk/2010/11/16/tdl_rootkit_does_64_bit_windows/

Adobe Fixes Zero-Day Flaw in Reader and Acrobat (November 16, 2010)

Adobe has issued an out-of-band fix for a vulnerability in Reader and Acrobat that is being actively exploited. The flaw affects versions 9.x of Reader and Acrobat for Windows and Mac OS X; users are urged to upgrade to versions 9.4.1. The flaw does not affect Reader and Acrobat versions 8.x. Attackers have been exploiting the flaw in the "authplay" component of Reader since late last month. At the same time, Adobe issued a fix for a disclosed vulnerability that could be exploited to crash Reader. Adobe will release an update for Linux/Unix versions of Reader and Acrobat later this month.
-http://www.computerworld.com/s/article/9196818/Adobe_patches_under_attack_Reader
_bug?taxonomyId=82
-http://krebsonsecurity.com/2010/11/critical-updates-for-adobe-reader-acrobat/
-http://www.theregister.co.uk/2010/11/17/adobe_pdf_update/
-http://www.adobe.com/support/security/bulletins/apsb10-28.html

Man Arrested, Charged with Stealing Trade Secrets from Former Employer (November 16 & 17, 2010)

A California man has been arrested on charges he stole proprietary code from his employer with the intent of using it to develop a competing company. Zhiqiang (Michael) Zhang had been director of software development at Sirf Technology, which makes Global Positioning chipsets. He was responsible for developing the code that he allegedly stole. He resigned from Sirf in May 2009 after seven years' employment. After his resignation, Zhang allegedly established a company called Anywhere Logic that would provide "services utilizing trade secrets stolen from Sirf."
-http://www.computerworld.com/s/article/9196878/Man_charged_with_stealing_secrets
_from_wireless_company_Sirf?taxonomyId=144
-http://www.mercurynews.com/breaking-news/ci_16632378?nclick_check=1
[Editor's Note (Northcutt): Does anyone know what law he was charged with breaking? All of the stories I could find on the web were exactly the same. I am trying to follow Economic Espionage Act of 1996 cases, if you have info, please drop me a note, stephen@sans.edu]

---

**********************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Adv isory Capability (CIAC)

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer at the North American Energy Reliability Commission (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/