Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIII - Issue #7

January 25, 2011


National High School Cyber Competition Update
Two more states have made it possible for all high school students in
their states to compete in Cyber Foundations for free: Texas and
Minnesota have been added to California, Delaware, Rhode Island, and
Maryland. If you want the talented kids in your state to have a chance
to compete and gain recognition (and scholarships), connect with Renee
Mclaughlin at renee.mclaughlin@cisecurity.org. To explore the program
and help your kids get started today: http://www.sans.org/cyber-foundations

Alan

TOP OF THE NEWS

Google and Mozilla Announce "Do Not Track" Browser Features
Legislative Hearing Will Examine Reviving Data Retention Bill
Media Rights Holders Would Bear 75 Percent of Anti-Piracy Costs

THE REST OF THE WEEK'S NEWS

Apple Hires David Rice As New Security Lead
Cisco 2010 Annual Security Report Notes Cybercrime Moving Toward Mobile Devices
Carberp Trojan Updating Itself
Lush Retires Compromised Website
Administrative Access to Government and Education Sites For Sale in Underground Forum
Trapster Data Exposed
Yahoo! Will Move Main Website to IPv6 by Year's End
RIM Warns of Blackberry PDF Distiller Flaw


*********** Sponsored By Raytheon Trusted Computer Solutions ***********
OS hardening doesn't need to take hours or even days to complete. Instead of locking down your systems manually, try Security Blanket, the 'one click' hardening tool for Linux and Solaris. Whether you follow prescribed hardening guidelines similar to DISA STIGs or PCI, or use a custom configuration, Security Blanket has it covered. Free trial available!
http://www.sans.org/info/69294
*************************************************************************
TRAINING UPDATE
-- North American SCADA Security 2011, Lake Buena Vista, FL, February 23-March 2 With special DHS/INL and NERC workshops plus hands-on immersion training.
http://www.sans.org/north-american-scada-2011/

-- SANS Phoenix 2011, Phoenix, AZ, February 25-March 2, 2011 6 courses. Bonus evening presentations and special events include Indicators of Compromise: ABCs of IOCs and Network Vulnerability Exploitation, Step By Step From Discovery through to Metasploit Module
http://www.sans.org/phoenix-2011/

-- SANS AppSec 2011: Summit & Training, San Francisco, CA, March 7-14, 2011 7 courses. Bonus evening presentations and special events includes The Road to Sustainable Security
http://www.sans.org/appsec-2011/

-- SANS 2011, Orlando, FL, March 27-April 4, 2011 39 courses. Bonus evening presentations and special events include Hiding in Plain Sight: Forensic Techniques to Counter the Advanced Persistent Threat; and Law and the Public's Perception of Data Security
http://www.sans.org/sans-2011/

-- "Combating Malware in the Enterprise" course at SANS (SEC569). How do you fight off malware when you have thousands of hosts? Learn the answers in Orlando in March:
http://www.sans.org/security-training/combating-malware-enterprise-1482-mid

-- 2011 Asia Pacific SCADA and Process Control Summit, Sydney, Australia, March 31-April 7, 2011
http://www.sans.org/sydney-scada-2011/

-- Looking for training in your own community?
http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Atlanta, Bangalore, Singapore, Wellington and Barcelona all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
****************************************************************************

TOP OF THE NEWS

Google and Mozilla Announce "Do Not Track" Browser Features (January 24, 2011)

Google has announced a new feature for its Chrome browser that lets users opt out of tracking cookies from several online ad networks. Just two months ago, the US Federal Trade Commission called for a do not track mechanism like the "Do Not call" list, that would let users choose whether their personal data are collected. Mozilla recently said it is looking into adding a similar feature to Firefox.
-http://www.informationweek.com/news/software/infrastructure/showArticle.jhtml?ar
ticleID=229100128&subSection=Security

-http://www.computerworld.com/s/article/9206061/Google_jumps_into_Do_Not_Track_de
bate_with_Chrome_add_on?taxonomyId=84

-http://www.theregister.co.uk/2011/01/24/google_ad_opt_out_chrome_extension/
[Editor's Note (Pescatore): The wording of this seems carefully limited to the "Do Not Track" extension, and will result in you seeing standard ads, not personalized ads. It doesn't actually say there is any change in you being tracked, just that you won't see personalized ads. To me the tracking is the problem, seeing personalized ads is just the symptom. ]

Legislative Hearing Will Examine Reviving Data Retention Bill (January 24, 2011)

A US congressional panel will hold a hearing this week to discuss requiring Internet service providers (ISPs) to retain records of users' activity. An aide for panel chairman Senator F. James Sensenbrenner (R-Wisconsin) said "the purpose of this hearing is to examine the need for retention of certain data by
[ISPs ]
to facilitate law enforcement investigations of Internet child pornography and other Internet crimes." One possibility is reviving a dormant data retention proposal that would require ISPs to retain IP data for two years. Interestingly, the renewed focus on data retention coincides with the FTC's recent call for "Do Not Track" mechanisms (see story above.)
-http://news.cnet.com/8301-31921_3-20029393-281.html?tag=topStories1

Media Rights Holders Would Bear 75 Percent of Anti-Piracy Costs (January 21, 2011)

Proposed secondary legislation in the UK would assign the costs of sending illegal downloading notifications to Internet users and any associated prosecution and appeal costs between media rights holders and Internet service providers (ISP) in a 75/25 ratio. The procedures are set forth in the Digital Economy Act, which was hastily passed last spring, but the allocation of responsibility for costs incurred was not determined at that time.
-http://www.v3.co.uk/v3/news/2274367/government-piracy-ifpi-vaizey
-http://www.itnews.com.au/News/245824,british-isps-to-share-the-cost-of-piracy.as
px



*************************** Sponsored Links: *****************************


1) Employees, partners and system vendors may all be administering your systems. If those systems house sensitive data, multiple compliance issues arise around access, roles and encryption. In this webcast, senior SANS Analyst Dave Shackleford discusses compliance challenges posed by remote administration and what to do about them. http://www.sans.org/info/69299

2) Come hear application security experts discuss the latest threats, defenses, and cutting edge thinking in software security at SANS AppSec 2011 http://www.sans.org/info/69304 March 7 - 14, 2011 in San Francisco, California. Register by 2/2 and save $250.

3) Security of industrial control systems is the #2 national security issue in cyber security! Learn to prevent attacks at the North American SCADA conference http://www.sans.org/info/69309 in Lake Buena Vista, Florida, February 23 - March 2, 2011. Register by February 23 and save $200.
****************************************************************************

THE REST OF THE WEEK'S NEWS

Apple Hires ex-NSA Expert David Rice As New Security Lead

Apple seems to be restructuring the way it approaches software development, creating a culture that's focused from the outset on designing secure software. To do that they hired David Rice, one of SANS highly-rated instructors with a Cyber Warfare degree from the Naval Post Graduate School and a solid set of accomplishments as an NSA vulnerability analyst focusing on the .NET and Windows worlds.
-http://www.networkworld.com/news/2011/012411-apple-geekonomics-expert.html?hpg1=
bn

[Editor's Note (Paller): David Rice's hiring is the most visible example of transformation taking place in the CISO ranks. The non-technical, compliance-oriented CISOs are retiring or being asked to stand down or move to audit roles, and operational leaders are being brought in to lead the change from paper security to baking security into design and then continuously monitor and improving it. Another recent example is at the Veterans Administration where Jerry Davis was brought in to lead cyber security. The national model for a technically skilled leader in the CISO role has, for many years, been John Stewart at Cisco who embodies the same deep technical skills and great teaching skills as David Rice. ]

Cisco 2010 Annual Security Report Notes Cybercrime Moving Toward Mobile Devices (January 21, 2011)

According to Cisco's 2010 Annual Security Report, cyber criminals appear to be shifting their focus from Windows machines to mobile devices. Users are falling prey to social engineering scams through social networking, email and even phone calls. In addition, 2010 marks the first year "in the history of the Internet" in which the volume of spam dropped, due in large part to botnet takedowns and increased ISP email restrictions.
-http://www.scmagazineus.com/cybercrime-migrating-to-mobile-and-apple-cisco-repor
t/article/194734/

-http://www.v3.co.uk/v3/news/2274334/cisco-spam-drop-affiliates-90
-http://www.networkworld.com/community/blog/cisco-report-notes-new-cybercrime-tar
gets

The Cisco report is available for download at
-http://www.cisco.com/en/US/prod/collateral/vpndevc/security_annual_report_2010.p
df

[Editor's Note (Honan): A very interesting read, especially its overview on the Money Mule operations and how criminals "cash-out" their gains from cybercrime.
(Schultz): We are only three or four years away from what will be a massive abandonment of conventional desktop and laptop computing systems in favor of mobile devices, which keep growing in their capabilities and functionality at an amazing rate. ]

Carberp Trojan Updating Itself (January 20 & 24, 2011)

The Carberp Trojan horse program that steals information and leaves a back door open on infected systems was first detected in the fall of 2010 and now appears to be upgrading its capabilities. Carberp is designed to steal banking data. It masquerades as a legitimate Windows file and deletes antivirus software from infected machines. The upgrades allow Carberp to run on all versions of Windows without administrator privileges. Carberp communicates with command and control servers through encrypted HTTP traffic.
-http://www.computerworld.com/s/article/9206025/Carberp_banking_malware_upgrades_
itself?taxonomyId=17

-http://www.h-online.com/security/news/item/Online-banking-trojan-developing-fast
-1172452.html

Lush Retires Compromised Website (January 21 & 22, 2011)

The Lush cosmetics company has shut down its Lush.co.uk website after learning that malicious intrusions have been going on since last fall. Customers who have placed orders since October 4, 2010 are urged to check their payment card accounts to make sure the information has not been used fraudulently. To protect customers, Lush will open a new website that will take payments through PayPal for the immediate future. Customers can also purchase merchandise in brick-and-mortar shops or over the phone. Many Lush customers have reported fraudulent transactions on their payment card accounts.
-http://www.scmagazineuk.com/lush-forced-to-close-website-after-four-month-compro
mise/article/194698/

-http://www.bbc.co.uk/news/technology-12254282
-http://www.theregister.co.uk/2011/01/21/lush_cosmetics_hack_attack/
-http://www.v3.co.uk/v3/news/2274362/lush-hack-card-stolen-site
[Editor's Comment (Northcutt): To be clear, this only impacts their UK web site. Their US web site and both English and French Canadian web sites are still up and running. FWIW, several of the women in conference planning at SANS love their (somewhat pricey) products.
-http://www.lushusa.com/shop
or
-http://www.lush.co.uk/]

Administrative Access to Government and Education Sites For Sale in Underground Forum (January 21 & 24, 2011)

An attacker is selling administrative access to certain US and European military websites and education systems online for between US $55 and US $500. The same group or individual is offering stolen personal data for US $20 for 1,000 records. The hacker is likely to have gained access to the sites offered for sale through SQL injection attacks.
-http://www.eweek.com/c/a/Security/Government-Military-Sites-for-Sale-in-Hacker-F
orum-184599/

-http://www.v3.co.uk/v3/news/2274366/imperva-hacking-military-market
-http://www.theregister.co.uk/2011/01/24/hacked_domain_sale/
-http://www.computerworld.com/s/article/9205905/Got_500_You_can_buy_a_hacked_U.S.
_military_website?taxonomyId=17

Trapster Data Exposed (January 20 & 21, 2011)

Online speed trap warning service Trapster has notified users that their personal information may have been compromised. The breach is believed to affect only those iPhone, Android and BlackBerry users who registered with Trapster after downloading the application. Trapster has an estimated 10 million users, but not all have registered. The compromised information includes email addresses and passwords.
-http://www.computerworld.com/s/article/9205660/Trapster_hack_may_have_exposed_mi
llions_of_iPhone_Android_passwords?taxonomyId=82

-http://www.wired.com/threatlevel/2011/01/speedy-drivers-can-hide-from-cops-but-n
ot-hackers/

-http://www.scmagazineuk.com/passwords-of-up-to-ten-million-smartphone-users-may-
be-exposed-after-app-developers-hacked/article/194690/

-http://www.theregister.co.uk/2011/01/21/trapster_website_hack/
[Editor's Note (Schultz): Most mobile application developers do not consider security much if at all when they code, and very little information about the security of mobile applications exists. Given the growing popularity and use of these applications, yet another area plagued with serious security vulnerabilities but without suitable control measures is rapidly overtaking us. ]

Yahoo! Will Move Main Website to IPv6 by Year's End (January 19, 2011)

Yahoo! plans to migrate its main website to IPv6 by the end of the year. There are concerns that the move could prevent some users from accessing the site because of "IPv6 brokenness," - misconfigured or misbehaving network equipment or bad firewall settings. The problems are estimated to affect about 0.05 percent of Internet users, which translates to approximately 1 million users. World IPv6 Day, scheduled for June 8, 2011 will help identify problems that need to be addressed. The shift from IPv4 to IPv6 is necessary because address space in IPv4 is expected to run out by the end of the year.
-http://www.networkworld.com/news/2011/011911-yahoo-ipv6.html

RIM Warns of Blackberry PDF Distiller Flaw (January 19, 2011)

A security alert from Research in Motion (RIM) warns of a flaw in the PDF distiller of the BlackBerry Attachment Service for the BlackBerry Enterprise Server. The flaw could be exploited to case buffer overflow errors which could, in turn, allow arbitrary code execution or in the PDF rendering process terminating before it completes. For an attack to be successful, users would need to be tricked into opening a specially crafted PDF file on a BlackBerry smartphone associated with a user account on Blackberry Enterprise Server. RIM has provided fixes for the problem.
-http://gcn.com/articles/2011/01/19/vulnerability-in-blackberry-attachment-servic
e.aspx

-http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&extern
alId=KB25382

-http://www.zdnet.com/blog/security/blackberry-haunted-by-critical-pdf-distiller-
flaw/7915?tag=content;search-results-rivers



************************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer at the North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/