SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XII - Issue #93
November 23, 2010
Seven days left to get a 16GB iPad with any of 28 SANS OnDemand courses including Auditing, Penetration Testing, Forensics, Secure Coding, Wireless, CISSP training and more. See: http://www.sans.org/ondemand/discounts.php#current
TOP OF THE NEWS
Stuxnet Suspected to be Behind Iranian Nuclear Setback
Bill Would Give DHS Authority to Fine Critical Companies For Inadequate Security
Google to Destroy UK Street View Wi-Fi Data
THE REST OF THE WEEK'S NEWS
Alleged Federal Reserve Bank Hacker Arraigned
Google Fixes Gmail Address Leak
MoD Official Targeted by Malicious eMail
Man Used Malicious eMail to Steal Personal Information and Take Control of Webcams
Kroxxu Botnet on One Million Systems
Microsoft Embraces Kinect Tinkerers
Senator Says He Will Fight Antipiracy Legislation
Adobe Releases Reader X
Guilty Plea in Wiseguys Ticket CAPTCHA Case
Britain's Lord Chief Justice Voices Concerns About Intrusion of Internet Into Jury Trials
LifeLock Sending Refund Checks as Part of Settlement With FTC
******************* Sponsored By Palo Alto Networks ********************
REGISTER NOW! Please join us for the SANS Analyst Webcast: Taming the Social Networking Beast on December 7, 1PM EST sponsored by Palo Alto Networks. In this webcast, learn the risks social networking brings to enterprises and how to enable social networking while protecting against risks. Featuring SANS Fellow Eric Cole, PhD. Register for this webcast to receive an advance copy of a special SANS accompanying whitepaper on the same topic. Go to: http://www.sans.org/info/67153
*************************************************************************
TRAINING UPDATE
New "Combating Malware in the Enterprise" course at SANS (SEC569). How do you fight off malware when you have thousands of hosts? Course debut in Las Vegas (Sept'10) and Washington DC (Dec'10):
http://www.sans.org/security-training/combating-malware-enterprise-1482-mid
-- SANS London 2010, November 27-December 6, 2010. 14 courses. Bonus evening presentations include Latest Advances in Computer Forensics; and Continuous Vulnerability Testing and Remediation: The 20 Critical Security Controls Perspective
http://www.sans.org/london-2010/
-- SANS Cyber Defense Initiative 2010, Washington DC, December 10-17, 2010. 24 courses. Bonus evening presentations include Browser Based Defenses; Continuous Vulnerability Testing and Remediation: the 20 Critical Security Controls Perspective; and Cyberwar or Business as Usual? The State of US Federal CyberSecurity Efforts
http://www.sans.org/cyber-defense-initiative-2010/
-- SANS Security East 2011, New Orleans, LA, January 20-27, 2011. 12 courses. Bonus evening presentations and special events include Happy Little Clouds: Governing, Assessing and Auditing Cloud Environments; and Future Trends in Network Security
http://www.sans.org/security-east-2011/
-- SANS 2011, Orlando, FL, March 27-April 4, 2011. 39 courses. Bonus evening presentations and special events include Hiding in Plain Sight: Forensic Techniques to Counter the Advanced Persistent Threat; and Law and the Public's Perception of Data Security
http://www.sans.org/sans-2011/
-- Looking for training in your own community?
http://sans.org/community/
Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current
Plus Los Angeles, Atlanta, San Francisco, Bangalore all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
****************************************************************************
TOP OF THE NEWS
Stuxnet Suspected to be Behind Iranian Nuclear Setback (November 22, 2010)
Iran's nuclear program has experienced a setback, but diplomats have no specific information about the problem that forced the powering down of enrichment machines. The Stuxnet worm is suspected to be involved. Hundreds of centrifuges have been taken offline in the last year-and-a-half.
-http://www.msnbc.msn.com/id/40323245/ns/world_news-mideastn_africa/
[Editor's Comment (Northcutt): NewsBites reader Mark Walker wrote to point out that there is a risk someone could reverse engineer Stuxnet and use the information to attack other targets. We may think of Stuxnet as an attack, but it could also be a transfer of technology. ]
Bill Would Give DHS Authority to Fine Critical Companies For Inadequate Security (November 19, 2010)
Proposed legislation would give the US Department of Homeland Security (DHS) the authority to impose fines of up to US $100,000 a day on organizations that are responsible for elements of the country's critical infrastructure if they have not complied with cyber security directives imposed by DHS. The Homeland Security Cyber and Physical Infrastructure Protection Act would have DHS create a list of companies whose operations are critical to the continuing operation of the country's infrastructure. Those companies would be required to comply with DHS-established regulations, which could include submitting their cyber security plans to DHS for approval and having "announced or unannounced audits and inspections." It would also call for DHS Secretary Janet Napolitano to appoint a cyber security chief. The bill has raised concerns among many who say that DHS lacks the expertise to establish cyber security requirements and evaluate their effectiveness.
-http://news.cnet.com/8301-13578_3-20023464-38.html
[Editor's Note (Pescatore): There is a predictable arc to all compliance regimes that almost invariably ends in the cost of feeding the compliance regime exceeding any measurable security gain. At first, that new compliance regime allows us to finally convince management to fund necessary security improvements but the next year the compliance monster gets hungrier - and every year after that. Security *spending* always goes up, the actual level of security rarely does. (Schultz): Having both a DHS cyber security chief and a Presidential cybersecurity advisor would be anything but good. It would at a minimum set the stage for incessant conflict.]
Google to Destroy UK Street View Wi-Fi Data (November 19, 2010)
Google will destroy the data it collected in the UK while gathering information for Street View, according to the Information Commissioner's Office (ICO). Deputy Information Commissioner David Smith said there was no evidence that the data "had fallen into the wrong hands" and that his office would not conduct any further enquiries into the issue.
-http://www.bbc.co.uk/news/technology-11797907
-http://www.msnbc.msn.com/id/40280537/ns/technology_and_science-security/
******************** SPONSORED LINK ********************************
1) REGISTER NOW for the upcoming webcast: Beyond AV: Total Endpoint Security For Multi-Regulatory Compliance and Better Security, Sponsored By: BigFix
http://www.sans.org/info/67158
**********************************************************************
THE REST OF THE WEEK'S NEWS
Alleged Federal Reserve Bank Hacker Arraigned (November 22, 2010)
Lin Mun Poo, the Malaysian man who allegedly hacked into a Federal Reserve Bank of Cleveland computer system as well as computer systems at a defense contractor and "several major international banks," was arraigned in federal court on November 22. Poo entered a plea of not guilty. One law enforcement official called the alleged activity "scary stuff." Poo was arrested in October just after flying into John F. Kennedy International Airport; he had with him a "heavily encrypted" laptop computer that was found to contain "more than 400,000 [payment card] and bank account numbers." He is facing charges of access device fraud, aggravated identity theft, unlawful transmission of computer code and commands, and unauthorized computer access involving government information.
-http://www.msnbc.msn.com/id/40306517/ns/us_news-security/
Indictment:
-http://msnbcmedia.msn.com/i/msnbc/Sections/NEWS/poo_indictment.pdf
Google Fixes Gmail Address Leak (November 22, 2010)
Google fixed a flaw over the weekend that allowed spam to be sent to Gmail users who had visited certain websites while logged in to their Gmail accounts. The problem in the Google Apps Script API was fixed soon after Google was alerted to the issue.
-http://www.eweek.com/c/a/Security/Google-Patches-Security-Flaw-Affecting-Gmail-Users-162318/
-http://technolog.msnbc.msn.com/_news/2010/11/22/5509761-security-hole-let-hacker-harvest-gmail-addressess
MoD Official Targeted by Malicious eMail (November 22, 2010)
An email received by a British defense official was found to contain malware designed to leak information from the infected system to a foreign intelligence agency. The message came from an individual the official had met at a conference.
-http://www.theregister.co.uk/2010/11/22/mod_spear_phish/
Man Used Malicious eMail to Steal Personal Information and Take Control of Webcams (November 22, 2010)
Matthew Anderson of Keith, Banffshire, Scotland has admitted to an offense under the UK's Computer Misuse Act for his role in an email scheme designed to steal personal data. He sent spam containing malware that allowed him access to users' computers. Anderson gained remote control of users' webcams and spied on them in their homes. Law enforcement agents found other people's photographs and medical reports on Anderson's computer. He is to be sentenced on November 23.
-http://news.stv.tv/scotland/highlands-islands/211018-computer-hacker-controlled-victims-webcams-from-mothers-front-room/
Kroxxu Botnet on One Million Systems (November 22, 2010)
The Kroxxu Botnet appears to have infected more than 100,000 domains and may be present on as many as one million systems around the world. It is not yet clear if those in control of Kroxxu are using it to make money and, if they are, how they are making money. Kroxxu is designed specifically to steal FTP passwords. It spreads only through infected websites.
-http://www.v3.co.uk/v3/news/2273368/kroxxu-avast-botnet-threats
-http://www.securecomputing.net.au/News/239314,kroxxu-botnet-targets-one-million-users.aspx
-http://www.thenewnewinternet.com/2010/11/22/kroxxu-botnet-infects-100000-domains-1-million-users/
Microsoft Embraces Kinect Tinkerers (November 21 & 22, 2010)
Microsoft has backtracked on its vague threats to pursue legal action against people who tampered with its newly-released Kinect gaming device. Craig Davidson, senior director for Xbox Live, has now said "Anytime there is engagement and excitement around our technology, we see that as a good thing." Kinect inspires technophiles because of its use of "cameras, sensors and software that let it detect movement, depth, and the shape and position of the human body."
-http://www.nytimes.com/2010/11/22/technology/22hack.html?ref=technology
-http://www.pcworld.com/article/211299/microsoft_flipflops_on_kinect_computer_hack.html
Senator Says He Will Fight Antipiracy Legislation (November 19, 2010)
US Senator Ron Wyden (D-Oregon) said he will fight proposed legislation that would give the US government the authority to shut down web sites believed to be dedicated to illegal filesharing. Calling the Combating Online Infringement and Counterfeits Act the "wrong medicine" for addressing illegal filesharing, Wyden said the proposed law is too broad. The bill was approved last week by the Senate Judiciary Committee; it allows the Justice Department to file civil actions against domain names believed to be involved with digital piracy.
-http://www.nextgov.com/nextgov/ng_20101119_5885.php?oref=topnews
-http://www.computerworld.com/s/article/9197341/Senator_threatens_to_block_online_copyright_bill?taxonomyId=17
Adobe Releases Reader X (November 19, 2010)
Adobe has released Reader X, the newest version of its PDF reader software. The Protected Mode of Reader X for Windows isolates the reader's processes in a sandbox. The Mac OS X and Android versions of Reader X do not include the sandbox. Adobe's Director of Security and Privacy Brad Arkin acknowledges that the new feature will not stop every attack but said "It provides a strong additional level of defense against attacks." Other applications already using sandboxing include Google's Chrome browser, and Microsoft Internet Explorer and Office 2010.
-http://www.computerworld.com/s/article/9197230/Adobe_launches_sandboxed_Reader_X?source=rss_news
-http://www.theregister.co.uk/2010/11/19/adobe_reader_sandbox/
[Editor's Note (Pescatore): Sandboxes are good, they limit damage - like bulkhead doors in a submarine. However, a submarine with great bulkheads still needs to make sure it isn't using screen windows. ]
Guilty Plea in Wiseguys Ticket CAPTCHA Case (November 19, 2010)
Three men have pleaded guilty to charges of wire fraud and hacking for using specialized computer programs to defeat systems designed to prevent large blocks of event tickets from being purchased by one group or individual. The men, who operated a company called Wiseguy Tickets, bought up premium seats for desirable events and resold them at a profit. Their scheme allowed them to appear as if they were thousands of individuals as they purchased the tickets. Between 2002 and 2009, the defendants are believed to have made as much as US $25 million in profits. The men admitted to hiring people in Bulgaria to create a specialized network of computers devoted to breaking CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart).
-http://www.wired.com/threatlevel/2010/11/wiseguys-plead-guilty/
-http://www.theregister.co.uk/2010/11/19/wiseguy_ticket_touts_guilty/
-http://www.computerworld.com/s/article/9197278/Wiseguy_scalpers_bought_tickets_with_CAPTCHA_busting_botnet?taxonomyId=17s
Britain's Lord Chief Justice Voices Concerns About Intrusion of Internet Into Jury Trials (November 19, 2010)
Britain's Lord Chief Justice Lord Judge recently published a lecture decrying the misuse of the Internet by jurors, saying that "We cannot accept that the use of the Internet, or rather its misuse, should be acknowledged and treated as an ineradicable fact of life, or that a Nelsonian blind eye should be turned to it or the possibility that it is happening." Lord Judge also said that judges should strongly warn jurors not to use the Internet to research the cases or to share information about the cases about which they are deliberating, and that notices in the jury rooms should remind jurors that such activity could be viewed as contempt of court.
-http://www.bbc.co.uk/news/uk-11796648
LifeLock Sending Refund Checks as Part of Settlement With FTC (November 19, 2010)
LifeLock, a company that offers identity theft protection services, is sending US $10.87 checks to nearly one million customers to comply with a settlement the company reached with the US Federal Trade Commission (FTC). Attorneys general from 35 states and the FTC alleged that LifeLock made false claims about the scope of its protection. The settlement was reached in March. In addition to making the payments to customers, LifeLock must not overstate the risk of identity theft and must not misrepresent its services.
-http://www.computerworld.com/s/article/9197482/After_FTC_settlement_LifeLock_refund_checks_going_out?taxonomyId=17
-http://www.consumeraffairs.com/news04/2010/11/nearly-one-million-consumers-getting-refunds-from-lifelock.html
**********************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.
Rohit Dhamankar is a security professional currently involved in independent security research.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Mark Weatherford, CISSP, CISM, is Chief Information Security Officer at the North American Energy Reliability Commission (NERC).
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/