SANS NewsBites


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIII - Issue #14

February 18, 2011


In case you missed his speech yesterday, General Alexander (head of NSA
and the US Cyber Command) told 4,000 people that the US Cyber Command
will test a program of sharing classified attack signatures with private
industry if those organizations can protect the sensitive data. That
sharing will enable private organizations to set up early warning and
filtering systems that are as up to date as the systems that protect DoD
networks. Very cool.

Alan

TOP OF THE NEWS

US Legislators Plan to Re-Introduce Bill to Allow Seizure of Websites
Spain Approves Anti-Piracy Legislation

THE REST OF THE WEEK'S NEWS

Canadian Government Networks Attacked
Feds Domain Raid Accidentally Targets Popular FreeDNS Subdomain
Oracle Releases Java Update
BBC Streaming Sites Injected with Malicious Code
Sony Threatens to Ban Jailbroken PS3 Console Users from PlayStation Network
Man Netted US $8 Million in Modem Dialing Scheme
Microsoft Investigating Reported Zero-Day Flaw in Windows Server Message Block
2012 Budget Proposal Includes Significant Increase in Cyber Security Spending

CORRECTION

Correction


*************************************************************************
TRAINING UPDATE
-- North American SCADA Security 2011, Lake Buena Vista, FL, February 23-March 2
With special DHS/INL and NERC workshops plus hands-on immersion training.
http://www.sans.org/north-american-scada-2011/

-- SANS Phoenix 2011, Phoenix, AZ, February 25-March 2, 2011
6 courses. Bonus evening presentations and special events include Indicators of Compromise: ABCs of IOCs and Network Vulnerability Exploitation, Step By Step From Discovery through to Metasploit Module
http://www.sans.org/phoenix-2011/

-- SANS AppSec 2011: Summit & Training, San Francisco, CA, March 7-14, 2011
7 courses. Bonus evening presentations and special events include The Road to Sustainable Security
http://www.sans.org/appsec-2011/

-- SANS 2011, Orlando, FL, March 26-April 4, 2011
40 courses. Bonus evening presentations and special events include Hiding in Plain Sight: Forensic Techniques to Counter the Advanced Persistent Threat; and Law and the Public's Perception of Data Security
http://www.sans.org/sans-2011/

-- The National Cybersecurity Innovation Conference, April 18-19, 2011
User-to-user conference featuring outstanding examples of continuous monitoring and security cloud.
http://www.sans.org/cyber-security-innovations-2011/

-- "Combating Malware in the Enterprise" course at SANS (SEC569). How do you fight off malware when you have thousands of hosts? Learn the answers in Orlando in March:
http://www.sans.org/security-training/combating-malware-enterprise-1482-mid

-- 2011 Asia Pacific SCADA and Process Control Summit, Sydney, Australia, March 31-April 7, 2011
http://www.sans.org/sydney-scada-2011/

-- SANS Northern Virginia 2011, Reston, VA, April 15-23, 2011
11 courses. Bonus evening presentations include Cyberwar or Business as Usual? The State of US Federal CyberSecurity Efforts
http://www.sans.org/northern-virginia-2011/

-- SANS Security West 2011, San Diego, CA, May 3-12, 2011
23 courses. Bonus evening presentations include The Emerging Security Threat Panel Discussion; and Emerging Trends in Data Law and Investigation
http://www.sans.org/security-west-2011/

-- Looking for training in your own community?
http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Singapore, Wellington, Barcelona, Amsterdam and Brisbane all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

****************************************************************************

TOP OF THE NEWS

US Legislators Plan to Re-Introduce Bill to Allow Seizure of Websites (February 16, 2011)

US lawmakers plan to introduce legislation that would expand the authority of government agencies to shut down web sites that traffic in piracy or counterfeit merchandise. Legislation with the same goal was introduced last year, but the Senate did not take action on the Combating Online Infringements and Counterfeits Act, which would have granted the US Department of Justice (DoJ) the authority to shut down websites that were committing copyright infringement. Some suggested changes to COICA include a cap on the number of domain seizures DoJ could request before paying ISPs for the cost of compliance and using domain name seizures only when other, less restrictive measures are untenable.
-http://www.computerworld.com/s/article/9209864/Senators_explore_Web_site_seizure_options?taxonomyId=144

[Editor's Note (Schultz): The suggested changes would make this bill more palatable. As written, its provisions simply give DoJ too much power without much recourse on the part of individuals who are suspected of wrongdoing.]

Spain Approves Anti-Piracy Legislation (February 16, 2011)

Spain's parliament has approved a law that would allow authorities to shut down websites involved in the illegal downloading of pirated entertainment content. An earlier version of the bill was defeated. The new bill establishes a panel to hear complaints against sites suspected of engaging in content piracy. A judge will make the final decision in all cases.
-http://abcnews.go.com/Technology/wireStory?id=12930240


****************************************************************************

THE REST OF THE WEEK'S NEWS

Canadian Government Networks Attacked (February 17, 2011)

A cyber attack left at least two Canadian government agencies temporarily disconnected from the Internet. The government has not made any statement beyond acknowledging an "attempt to access" government computer networks. The systems at Canada's Finance Department and Treasury Board were both taken offline as soon as the attack was discovered in early January; connectivity has been slowly returning since then. The attack has been traced to IP addresses in China, but the Chinese government has denied responsibility.
-http://news.cnet.com/8301-1009_3-20032813-83.html
-http://www.cbc.ca/politics/story/2011/02/16/pol-weston-hacking.html
-http://www.theglobeandmail.com/news/politics/cyber-attack-hits-ottawa-probe-focuses-on-ip-addresses-from-china/article1910769/
-http://www.computerworld.com/s/article/9209998/China_denies_role_in_reported_government_of_Canada_hack?taxonomyId=17

Feds Domain Raid Accidentally Targets Popular FreeDNS Subdomain (February 17, 2011)

A US government agency operation aimed at taking down web sites that traffic in child pornography accidentally included mooo.com, a popular shared domain, in a group of targeted domains. People who tried to visit the affected websites were instead redirected to a web page with a notice from the US Department of Homeland Security's Immigration and Customs Enforcement (ICE) and the Department of Justice (DoJ) warning them that possession of child pornography could result in a lengthy prison sentence. The sites were taken down on February 11. The suspension of mooo.com was lifted by the evening of Sunday, February 13, but FreeDNS, which runs mooo.com, said it may take up to three days to fully restore websites.
-http://www.pcworld.com/article/220024/feds_accidentally_seize_84000_innocent_domains_link_them_with_child_porn.html
-http://www.zdnet.com/blog/security/dhs-incorrectly-associates-84000-web-sites-with-child-pornography/8200
-http://www.securecomputing.net.au/News/248422,us-wrongly-suspends-84000-websites.aspx

Oracle Releases Java Update (February 16 & 17, 2011)

Oracle has released an updated version of its Java runtime environment to address at least 21 security flaws, 19 of which could be exploited to allow remote installation of software on vulnerable machines. Users are urged to install Java 6 Update 24 as soon as possible; there are updates available for Windows, Linux and Solaris users. However, some observe that Java has "by some accounts ... surpassed Adobe applications as the most exploited software package," and suggest uninstalling it from computers.
-http://krebsonsecurity.com/2011/02/java-6-update-24-plugs-21-securty-holes/
-http://www.theregister.co.uk/2011/02/17/java_security_threat/
-http://www.esecurityplanet.com/patches/article.php/3925146/Oracle-Updates-Java-for-21-Vulnerabilities.htm

BBC Streaming Sites Injected with Malicious Code (February 15 & 16, 2011)

The BBC has confirmed that two of its radio streaming websites were infected with a malicious iframe tag designed to infect the computers of visitors to those sites. The problem was dealt with as soon as the BBC learned of the issue.
-http://www.theregister.co.uk/2011/02/15/bbc_driveby_download/
-http://www.h-online.com/security/news/item/BBC-confirms-sites-were-hacked-to-serve-malware-1191131.html
-http://www.scmagazineuk.com/bbc-websites-hit-by-drive-by-download-attack/article/196496/

Sony Threatens to Ban Jailbroken PS3 Console Users from PlayStation Network (February 16 & 17, 2011)

Sony says it will permanently ban users of jailbroken PlayStation 3 (PS3) gaming consoles from the PlayStation Network. Sony has not said how it plans to enforce the new policy. The announcement comes just weeks after code to jailbreak PS3 consoles was posted to the Internet. The code allows users to play "homebrewed" games on the devices, but with a few changes, could also be used to allow the consoles to play pirated games. The action stems from a legal case against George Hotz, who allegedly posted the code; Hotz is facing charges for violations of the Digital Millennium Copyright Act (DMCA) and other offenses.
-http://www.wired.com/threatlevel/2011/02/sony-threatens-jailbreakers/
-http://www.theregister.co.uk/2011/02/17/sony_playstation_network_ultimatum/

Man Netted US $8 Million in Modem Dialing Scheme (February 16, 2011)

Asu Pala has pleaded guilty to conspiracy to commit computer fraud and other charges in connection with a scheme that infected people's computers with malware that forced their modems to dial premium rate phone numbers. Court documents indicate that Pala hired developers to create the malware, which was tested and deployed by other co-conspirators. The scheme was ongoing between 2003 and 2007 and earned Pala nearly US $8 million. It is believed to have affected at least 250 people from Germany and possibly other European countries. Pala was charged and entered his guilty plea last April, but the case was just recently unsealed. He is scheduled to be sentenced on February 28.
-http://www.theregister.co.uk/2011/02/16/computer_fraud_plea/
-http://www.boston.com/news/local/massachusetts/articles/2011/02/16/sentencing_set_for_nh_hacker_who_targeted_germans/

Microsoft Investigating Reported Zero-Day Flaw in Windows Server Message Block (February 15 & 16, 2011)

Microsoft is investigating a report of a zero-day flaw in Windows Server Message Block (SMB) that could possibly be used to hijack vulnerable computers. The individual who disclosed the flaw also posted exploit code. There have been claims that the flaw could be exploited to create denial-of-service conditions on or take complete control of machines. However, according to a Microsoft Security Response Center blog, the flaw does not allow remote code execution on 32-bit systems and they are testing 64-bit systems, on which a successful exploit would require having at least 8GB of contiguous virtual address space mapped.
-http://www.theregister.co.uk/2011/02/16/windows_0day_vulnerability/
-http://www.computerworld.com/s/article/9209619/New_Windows_zero_day_surfaces_as_researcher_releases_attack_code?taxonomyId=85
-http://blogs.technet.com/b/srd/archive/2011/02/16/notes-on-exploitability-of-the-recent-windows-browser-protocol-issue.aspx

2012 Budget Proposal Includes Significant Increase in Cyber Security Spending (February 15, 16 & 17, 2011)

The White House's 2012 budget proposal includes an overall increase in cyber security research spending of 35 percent, bringing the total proposed allocations to US $548 million. Requested funding for government IT overall is about the same as the previous year.
-http://www.computerworld.com/s/article/9209461/Obama_seeks_big_boost_in_cybersecurity_spending?taxonomyId=82
-http://www.nextgov.com/nextgov/ng_20110216_3295.php?oref=topnews
-http://www.washingtonpost.com/wp-dyn/content/article/2011/02/16/AR2011021606872.html

[Editor's Comment (Northcutt): R&D might be better served by making the business climate for startups in security more favorable.]

CORRECTION

Correction:

In our last issue, we provided an incorrect date for Matt Miszewski's resignation from Microsoft; Mr. Miszewski resigned as of December 31, 2010.
-http://www.computerworld.com/s/article/9209119/Microsoft_accuses_former_manager_of_stealing_600MB_of_confidential_docs?taxonomyId=144



************************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/