SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIII - Issue #20

March 11, 2011

TOP OF THE NEWS

Legislative Subcommittee Approves Bill Nullifying Net Neutrality Rules
Researchers Present Study of Vulnerabilities in Cars' Computer Systems

THE REST OF THE WEEK'S NEWS

Infected Android Market Security Tool Spotted on Third-Party Sites
Google Faces Second Privacy Lawsuit Over Gmail Content Scanning
Botnet Watch Site Hit with DDoS Attack
Apple Issues Mammoth Safari Update
New Jersey Comptroller Finds Data on Machines Marked for Auction
IPv6 Shift Will Impede Spam Filtering
Microsoft's March Patch Tuesday Fixes Four Flaws
Engineer Arrested for Allegedly Exporting Military info to China
US Naval Academy Adds Cyber Security Requirement to Curriculum

---

*****************************************************************
TRAINING UPDATE
- -- "Combating Malware in the Enterprise" course at SANS (SEC569). How do you fight off malware when you have thousands of hosts? Learn the answers in Orlando in March:
http://www.sans.org/security-training/combating-malware-enterprise-1482-mid

- -- SANS 2011, Orlando, FL, March 26-April 4, 2011 40 courses. Bonus evening presentations and special events include Hiding in Plain Sight: Forensic Techniques to Counter the Advanced Persistent Threat; and Law and the Public's Perception of Data Security
http://www.sans.org/sans-2011/

- -- The National Cybersecurity Innovation Conference, April 18-19, 2011 User-to-user conference featuring outstanding examples of continuous monitoring and security cloud.
https://www.sans.org/cyber-security-innovations-2011/

- -- 2011 Asia Pacific SCADA and Process Control Summit, Sydney, Australia, March 31-April 7, 2011
http://www.sans.org/sydney-scada-2011/

- -- SANS Northern Virginia 2011, Reston, VA, April 15-23, 2011 11 courses. Bonus evening presentations include Cyberwar or Business as Usual? The State of US Federal CyberSecurity Efforts
http://www.sans.org/northern-virginia-2011/

- -- The National Cybersecurity Innovation Conference, April 18-19, 2011 User-to-user conference featuring outstanding examples of continuous monitoring and security cloud.
http://www.sans.org/cyber-security-innovations-2011/

- -- SANS Security West 2011, San Diego, CA, May 3-12, 2011 23 courses. Bonus evening presentations include The Emerging Security Threat Panel Discussion; and Emerging Trends in Data Law and Investigation
http://www.sans.org/security-west-2011/

- -- Looking for training in your own community?
http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Wellington, Barcelona, Amsterdam, Brisbane and London all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

********************* Sponsored by Entrust Technologies *******************
Entrust Discovery Quickly find, inventory and manage digital certificates across your organization. Entrust Discovery helps find, inventory and manage digital certificates across diverse systems and environments. By identifying and evaluating deployed digital certificates, Entrust Discovery helps organizations avoid compliance ramifications, costly outages or even losses from data breach. Learn More http://www.sans.org/info/72614
****************************************************************************

---

TOP OF THE NEWS

Legislative Subcommittee Approves Bill Nullifying Net Neutrality Rules (March 9 & 10, 2011)

The House Energy and Commerce Committee Subcommittee on Communications and Technology has voted to nullify the Federal Communications Commission's (FCC) net neutrality rules. The action was taken through the subcommittee's approval of a bill that uses the Congressional Review Act. It now goes before the full committee.
-http://voices.washingtonpost.com/posttech/2011/03/house_panel_votes_to_invalidat
.html
-http://www.nextgov.com/nextgov/ng_20110310_3084.php?oref=topnews

Researchers Present Study of Vulnerabilities in Cars' Computer Systems (March 9 & 10, 2011)

Researchers at the University of California, San Diego and the University of Washington have published a paper in which they say they have found ways to break into newer-model cars' computer systems through Bluetooth and cellular network systems and through the diagnostic tools used by auto mechanics. The same researchers presented a study last year describing how they were able to shut off a car's engine, lock the doors, turn off the brakes and falsify odometer readings. That attack required plugging a laptop into the car's diagnostic system. The new paper focuses on remotely accessing a car's computer system. The researchers, Stefan Savage and Yoshi Kohno, acknowledge that the attacks are challenging, but Savage noted that "When people first started connecting their PCs to the Internet, there wasn't any threat and then over time it manifests. The automotive industry ... has the benefit of the experience we went through."
-http://www.usatoday.com/tech/news/2011-03-09-car-hackers_N.htm
-http://www.computerworld.com/s/article/9214167/With_hacking_music_can_take_contr
ol_of_your_car?taxonomyId=17&pageNumber=2
[Editor's Note (Honan): In the above piece Stefan Savage is quoted as saying "When people first started connecting their PCs to the Internet, there wasn't any threat and then over time it manifests. The automotive industry ... has the benefit of the experience we went through." Unfortunately if the SmartPhone platform is anything to go by then Mr. Savage's quote is an example of optimism trying to triumph over reality. ]

---

*************************** Sponsored Links: *****************************
1) Learn practical ways to protect information: SEC566 Twenty Critical Security Controls, SANS Northern Virginia 2011 http://www.sans.org/info/69743
2) REGISTER NOW FOR: Web 2.0 Security: Same Old But Different WHEN: Thursday, March 24, 2011 at 1:00 PM EDT (1700 UTC/GMT) FEATURING: Johannes Ullrich & Eric Crutchlow https://www.sans.org/webcasts/web-20-security-94323 Sponsored By: SONICWALL http://www.sonicwall.com/
****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Infected Android Market Security Tool Spotted on Third-Party Sites (March 10, 2011)

Researchers have found a malicious version of the Android Market Security Tool circulating on the Internet. Google released the tool to remove malware-infected apps from Android devices. The infected apps were versions of legitimate apps with malicious code added. The fake clean-up tool has been found on third party app markets; it appears to be aimed at Chinese users.
-http://www.h-online.com/security/news/item/Google-s-security-tool-infected-with-
trojan-1205886.html
-http://www.informationweek.com/news/mobility/security/showArticle.jhtml?articleI
D=229300739
-http://www.computerworld.com/s/article/9214023/Symantec_finds_fake_Google_Androi
d_update?taxonomyId=17

Google Faces Second Privacy Lawsuit Over Gmail Content Scanning (March 10, 2011)

Google is being sued for the second time over its practice of scanning Gmail message content to serve users ads relevant to the messages' topics. The first lawsuit brought by a Texas man in November 2010, has been sealed. The new suit, on behalf of Kelly Michaels, focuses on Google's Terms of Service agreement. The complaint claims that Google asks users to agree to its Terms of Service, but doesn't ensure that the users understand what it is they are agreeing to. The Google Terms of Service agreement includes 92 paragraphs. The Google Program Policy and Privacy Policy are also separate entities; the Privacy Policy includes 55 external links.
-http://www.informationweek.com/news/security/privacy/showArticle.jhtml?articleID
=229300677&subSection=Security
[Editor's Note (Pescatore): About 45 years ago, the US required a simple warning be put on cigarette packs: "Caution: Cigarette Smoking May be Hazardous to Your Health" I'd like to see all the free mail and social network Terms of Service agreements be required to have a similar warning "Caution: Use of Advertising Supported Internet Services May be Hazardous to Your Personal Information." ]

Botnet Watch Site Hit with DDoS Attack (March 10, 2011)

A Swiss website devoted to identifying malicious domains and command-and-control servers used by botnets has become the target of distributed denial-of-service (DDoS) attacks. The attacks are fueled by the SpyEye and ZeuS toolkits. The attackers have deployed new plugins for SpyEye that allow three attack mechanisms: SYN Flood, UDP Flood and Slowloris Flood. Abuse.ch compiles blacklists of known ZeuS and SpyEye IP command-and-control domains and IP addresses.
-http://www.eweek.com/c/a/Security/SpyEye-BotMasters-Hit-AntiBotnet-Site-with-Den
ial-of-Service-Attack-867962/

Apple Issues Mammoth Safari Update (March 9 & 10, 2011)

Apple issued a huge update for its Safari web browser on Wednesday, March 9. The update fixes a total of 62 security issues in Safari 5 for Mac and Windows, and brings the most current version to 5.0.4. Fifty-six of the flaws could be exploited to allow arbitrary code execution. On the same day, Apple issued an update for its iOS, bringing the most recent version of its mobile operating system to 4.3, which addresses most of the same flaws fixed in the Safari update. The last time Apple issued an update for Safari was November 2010.
-http://www.scmagazineus.com/apple-issues-security-updates-for-safari-ios/article
/198067/
-http://www.computerworld.com/s/article/9213939/Apple_patches_62_bugs_in_massive_
Safari_update?taxonomyId=17

New Jersey Comptroller Finds Data on Machines Marked for Auction (March 9, 2011)

An audit conducted by the Office of the New Jersey State Comptroller found that nearly 80 percent of retired state government computers headed for auction still contained sensitive personal data. The computers examined were being held at a state surplus property warehouse. New Jersey guidelines require that data be removed from hard drives before computers are sent to the warehouse. The audit was prompted by a number of arrests of warehouse employees. New Jersey state comptroller Matthew A. Boxer says that he believes it is likely that other machines containing data have already been sold because no outside agency had investigated the procedures before his office looked into the matter at the warehouse.
-http://www.nytimes.com/2011/03/10/nyregion/10computers.html?ref=technology
-http://www.govtech.com/policy-management/New-Jersey-Audit-Uncovers-Confidential-
Data-on-Auction-Bound-Computers.html

IPv6 Shift Will Impede Spam Filtering (March 8, 2011)

Service providers say that the migration to IPv6 will make it harder to filter spam. Blacklists of known IP addresses associated with spam have been one of the bases for service providers' filtering techniques. With the significantly increased pool of Internet addresses, service providers will have to find other techniques.
-http://www.theregister.co.uk/2011/03/08/ipv6_spam_filtering_headache/
[Editor's Note (Pescatore): Yes, hopefully that larger address space will drive the industry to develop new innovative techniques. ]

Microsoft's March Patch Tuesday Fixes Four Flaws (March 8, 2011)

On Tuesday, March 8, Microsoft issued three security bulletins with fixes for four flaws in Windows and Office. One of the bulletins was rated critical and addresses two vulnerabilities, one in Direct Show and in Windows Media Player and Windows Media Center. Internet Storm Center:
-http://isc.sans.edu/diary.html?storyid=10510
-http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?a
rticleID=229300594
-http://www.computerworld.com/s/article/9213805/Microsoft_patches_critical_Window
s_drive_by_bug?taxonomyId=85
-http://news.cnet.com/8301-27080_3-20040672-245.html?tag=mncol;title
-http://www.scmagazineus.com/microsoft-closes-four-vulnerabilities-including-dll-
issues/article/197930/
-http://www.microsoft.com/technet/security/Bulletin/MS11-mar.mspx

Engineer Arrested for Allegedly Exporting Military Info to China (March 8, 2011)

An engineer who once worked for a US military contractor has been arrested and faces charges for allegedly exporting military information to China. Sixing "Steve" Liu, who worked for L-3 Communications, was stopped by US Customs and Border Protection officers in late November 2010 because the agents found reason to believe that he wasn't being truthful when he claimed the purpose of his trip was to visit family. After obtaining a warrant to search Liu's laptop, they discovered hundreds of company documents, some of which dealt with systems that fall under US arms export control laws.
-http://www.computerworld.com/s/article/9213818/Defense_contractor_charged_with_s
tealing_secrets_on_laptop?taxonomyId=144

US Naval Academy Adds Cyber Security Requirement to Curriculum (March 8. 2011)

Cyber security classes have been added to the core curriculum required of US Naval Academy students. The addition of the requirement was prompted by the creation of the Navy's US Fleet Cyber Command, which has the task of defending the Navy's IT systems from attacks. The new requirement also points to the emergence of cyber warfare as an area of expertise for students. The new requirements will affect incoming freshmen, who must take a class on recognizing cyber risks and threats. A second class, required in students' junior year, concentrates of the technical aspects of network defense. Two additional cyber security electives have been added to the curriculum as well.
-http://www.informationweek.com/news/government/security/showArticle.jhtml?articl
eID=229300570
[Editor's Note (Schultz): Good for the Navy! Any officer in the armed forces should have at least a basic understanding of information warfare and cybersecurity threats.
(Pescatore): Good to hear, but I hope they give them a realistic view of risk management. Just the way a Navy would never succeed if it never took risks, or waited until the seas were absolutely safe before moving out, cyber security is not about requiring all risks to be eliminated before taking advantage of technology. ]

---

************************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/