SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIII - Issue #74

September 16, 2011

Should security auditors and assessors be sued for malpractice?

On Oct 11-12, seven federal agencies and a large user organization will
demonstrate innovations that they have each deployed, that scale, that
are surprisingly effective at limiting the damage from targeted attacks
and at improving cloud security. They are also low cost. Any security
auditor or assessor or certifier not checking for their implementation,
should probably be sued for malpractice. That's especially true if the
agency or company systems have been compromised. These innovative
agencies will be recognized and will brief their solutions and answer
questions about what they learned along the way at the National
Cybersecurity Innovation in Washington. Register at
http://www.sans.org/ncic-2011

Alan

---

TOP OF THE NEWS

Windows 8 to Ship With Baked-In AntiVirus
Mebromi Rootkit Targets BIOS
Google Will Allow Users to Opt-Out of Wi-Fi Access Point Registry
FCC's Net Neutrality Rules Will Face Legal Challenges

THE REST OF THE WEEK'S NEWS

US Agencies Must Now Submit Cyber Security Reports Monthly
Shopping Center "Find My Car" Tool
Spitmo Trojan Steals Text Messages Sent From Banks
Some BitTorrent Software Downloads Briefly Infected with Malware
Man Pleads Guilty to Uploading First-Run Films to BitTorrent
Microsoft Issues Fixes for 15 Vulnerabilities
Adobe Releases Security Updates for Reader and Acrobat

---

*********************** Sponsored By Symantec ***************************

Industry Report: Endpoint Protection Performance Benchmarks Check out how Symantec Endpoint Protection performs against competing solutions. PassMark Software conducted objective performance testing on five, publically available enterprise endpoint protection security software products. Get advanced threat prevention and protection against even the most sophisticated attacks that evade traditional security measures.

http://www.sans.org/info/87184

**************************************************************************

TRAINING UPDATE

- -- SANS Network Security 2011, Las Vegas, NV, September 17-26, 2011 45 courses. Bonus evening presentations include Securing the Kids; Who is Watching the Watchers?; and Emerging Trends in the Law of Information Security and Investigations
http://www.sans.org/network-security-2011/

- -- The National Security Architecture Workshop, DC, Sept. 29-30,2011 2-day workshop discussing techniques to ensure security is considered in every step of the development life cycle,
http://www.sans.org/baking-security-applications-networks-2011/

- -- NCIC: The National Cybersecurity Innovations Conference, DC, Oct. 11-12, 2011 3 tracks - Cloud computing, Continuous Monitoring and Enterprise Mobile Security training
http://www.sans.org/ncic-2011/

- --SANS Chicago 2011, Chicago, IL, October 23-28, 2011 6 courses. Bonus evening presentations include Computer Forensics in the Virtual Realm and Electrical Grid Security
http://www.sans.org/chicago-2011/

- --SANS Seattle 2011, Seattle, WA, November 2-7, 2011 5 courses. Bonus evening presentations include Future Trends in Network Security; and Ninja Developers: Penetration Testing and Your SDLC
http://www.sans.org/seattle-2011/

- --SANS San Francisco 2011, San Francisco, CA, November 14-19, 2011 6 courses. Bonus evening presentations include The Worst Mistakes in Cloud Computing Security; Offensive Countermeasures; and Watching the Wire at Home
http://www.sans.org/san-francisco-2011/

- --EURO SCADA & Process Control System Security Summit, Rome, Dec 1-2, 2011 Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them.
http://www.sans.org/eu-scada-2011/

- --SANS San Antonio 2011, San Antonia, TX, November 28-December 5, 2011 7 courses. Bonus evening presentations include Effective Methods for Implementing the 20 Critical Security Controls; and Assessing Deception: Are They Lying to You?
http://www.sans.org/san-antonio-2011/

- --Looking for training in your own community?
http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus London, Baltimore, Singapore, Seoul and Rome all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

****************************************************************************

---

TOP OF THE NEWS

Windows 8 to Ship With Baked-In AntiVirus (September 14 & 15, 2011)

Microsoft plans to release Windows 8 later this year. The newest release of the operating system will reportedly have elements of Microsoft Security Essentials (MSE) protection built in to Windows Defender. MSE is currently available at no cost as a download to help protect users from malware. Windows Defender has already been incorporated into recent versions of Windows, but lacked the muscle offered by Microsoft Security Essentials.
-http://news.cnet.com/8301-1009_3-20106681-83/windows-8-to-offer-built-in-malware
-protection/?tag=mncol;title
-http://www.scmagazineus.com/microsoft-windows-8-will-ship-with-built-in-anti-vir
us/article/212025/
[Editor's Note (Honan): It seems Microsoft is in a no-win situation. They have been criticized in the past for poor security in their products, yet when they take proactive steps to better build security into those products they face anti-trust issues. While Microsoft still has a lot of work to do regarding security, it is a pity other vendors don't follow Microsoft's lead in putting security more at the core of their products. ]

Mebromi Rootkit Targets BIOS (September 14, 2011)

Researchers have detected a rootkit that targets the BIOS, Master Boot Record (MBR), the kernel, and files of PCs. It has been at least four years since malware that focuses on BIOS has been found. Trojan.Mebromi adds malicious instructions to the BIOS that cause machines to become re-infected when they are booted even after the master boot records has been cleared of infection. Mebromi is unlikely to become widespread as it affects just one type of BIOS. However, it raises the question of how to create a utility to clean BIOS and poses no risk of damage.
-http://www.scmagazineus.com/researchers-uncover-first-active-bios-rootkit-attack
/article/212035/
-http://www.theregister.co.uk/2011/09/14/bios_rootkit_discovered/
[Editor's Note (Schultz): This is bad news. Today's generation of anti-virus software has no way of detecting and eradicating a BIOS-targeting rootkit. Fortunately, however, this rootkit targets only one particular BIOS implementation, at least so far. ]

Google Will Allow Users to Opt-Out of Wi-Fi Access Point Registry (September 14, 2011)

Google says it plans to allow Wi-Fi access point owners to opt-out of the company's data collection program. Google uses the Wi-Fi hotspots to pinpoint mobile phone users' locations. The same vehicles that drive around neighborhoods gathering images for Google Street View have been collecting wireless access point information as well. The decision to allow users to opt out of participation was prompted by requests from European data protection authorities.
-http://news.cnet.com/8301-1009_3-20106029-83/google-to-let-users-opt-out-of-loca
tion-data-collection/?tag=mncol;title
-http://www.zdnet.com/blog/networking/youll-soon-able-to-opt-out-of-google-wi-fi-
snooping/1461
-http://www.theregister.co.uk/2011/09/15/google_allows_people_to_opt_out_of_the_l
ocation_data_that_they_harvest_from_residential_wifi_networks/
[Editor's Note (Pescatore): Of what Google lists as its 10 core principles, number 1 is "Focus on the user and all else will follow" and number 6 is "You can make money without doing evil." Wouldn't it be nice if those two principles translated to Google taking a "We won't snoop on you unless you *opt in*" approach? ]

FCC's Net Neutrality Rules Will Face Legal Challenges (September 12 & 13, 2011)

The Office of Management and Budget (OMB) has signed off on the US Federal Communications Commission's (FCC's) net neutrality rules, opening the door for the controversial rules to be challenged by legislators and through the courts. The rules would prevent Internet service providers (ISPs) from blocking or throttling or favoring traffic on their networks. The rules apply only to wired networks; the only restriction the FCC imposes on wireless networks is that they cannot block voice and video telephony services. The challenges focus on the question of the FCC's authority to make such rules. Telecommunications companies do not believe the FCC has that authority. The rules will be published in the Federal Register within the next three weeks, and then the challenges will begin. Rules are not enforceable until 60 days after their publication in the Federal Register.
-http://www.washingtonpost.com/blogs/post-tech/post/fccs-net-neutrality-rules-to-
trigger-legal-hill-challenge/2011/09/13/gIQALFzlPK_blog.html
-http://news.cnet.com/8301-30686_3-20105136-266/net-neutrality-rules-move-closer-
to-implementation/

---

*************************** SPONSORED LINKS ******************************

1) Protecting Federal Systems and Advanced Persistent Threats, featuring security expert and speaker, G. Mark Hardy, September 28, 1 PM EST. http://www.sans.org/info/87189

2) SANS Analyst Webcast September 29, 1 PM EST: Integrating Security into Development Cycles, No Pain Required, featuring Senior SANS Analyst Dave Shackleford and IBM Rational's Karl Snyder. http://www.sans.org/info/87194

****************************************************************************

---

THE REST OF THE WEEK'S NEWS

US Agencies Must Now Submit Cyber Security Reports Monthly (September 15, 2011)

Starting next month, US government agencies will be required to move from annual to monthly cyber security reports to maintain compliance with new Federal Information Security Management Act (FISMA) rules. The new mandates for FISMA compliance include sending monthly feeds to the CyberScope compliance tool, which aims to reduce the expense associated with FISMA compliance and provide more current and pertinent information.
-http://www.informationweek.com/news/government/security/231601481

Shopping Center "Find My Car" Tool (September 15, 2011)

A shopping center in Sydney, Australia has removed a "Find My Car" feature from its iPhone app after learning that the information was accessible in unencrypted form over the Internet. Cameras at the Westfield Shopping Centre photographed cars' license plates and indexed the vehicles' locations. The feature of the application was designed to help people who had forgotten where they parked their cars. A blogger found that the information logged by the shopping center systems was available on the Internet and that people could use the application as a tool to track other's whereabouts. The feature is not functional at the moment, and will remain unavailable until the privacy issue is addressed.
-http://www.theaustralian.com.au/australian-it/westfield-iphone-app-in-privacy-fi
asco/story-e6frgakx-1226137939073
-http://www.theregister.co.uk/2011/09/14/find_my_car_fail/

Spitmo Trojan Steals Text Messages Sent From Banks (September 13, 14 & 15, 2011)

The Spitmo Trojan horse program is designed to infect Google Android phones. It is capable of intercepting text messages, including those that banks send to prevent fraudulent transactions. It affects users whose machines are already infected with SpyEye by encouraging them to download an Android application that claims to provide security from the very sort of action it conducts.
-http://www.darkreading.com/security/news/231601450/first-spyeye-attack-on-androi
d-spotted-in-the-wild.html
-http://www.h-online.com/security/news/item/Another-online-banking-trojan-for-And
roid-1343872.html
-http://www.computerworld.com/s/article/9219963/SpyEye_hacking_kit_adds_Android_i
nfection_to_bag_of_tricks
-http://www.theregister.co.uk/2011/09/14/spyeye_targets_android_phones/

Some BitTorrent Software Downloads Briefly Infected with Malware (September 13 & 14, 2011)

Attackers managed to tamper with downloads on the uTorrent website. As a result, users attempting to download software from the site found their computers infected with malware. The malware was being served for about two hours on Wednesday, September 14. The malware is a phony antivirus tool called Security Shield, which tells users that their computers are infected with malware and asks for payment before fixing the alleged problem. Initial reports said the BitTorrent site was affected as well, but this was found to be untrue.
-http://www.bbc.co.uk/news/technology-14912616
-http://www.theregister.co.uk/2011/09/13/bittorrent_malware_hack/
-http://news.cnet.com/8301-1009_3-20105783-83/utorrent-possibly-bittorrent-web-si
tes-hacked/?tag=mncol;title
-http://www.eweekeurope.co.uk/news/bittorrent-downloaders-given-a-malware-scare-3
9687

Man Pleads Guilty to Uploading First-Run Films to BitTorrent (September 13 & 15, 2011)

Wes DeSoto has pleaded guilty to criminal copyright-infringement for leaking copies of first-run movies to BitTorrent. Because he is a member of the Screen Actors Guild (SAG), DeSoto had access to screening copies of the five films, which included Black Swan, The Kings Speech and 127 Hours. DeSoto was pinpointed as the source of the leaked films through the SAG watermark on the copies of the movies and by the IP address associated with the username that had uploaded the films. The maximum penalty allowed by law in this case is three years in prison and a fine of US $250,000 or more, but the government is seeking three years of probation and restitution.
-http://www.wired.com/threatlevel/2011/09/pirate-bay-screener-seeding/
-http://www.huffingtonpost.com/2011/09/15/wes-desoto-screen-actors-_n_964549.html

Microsoft Issues Fixes for 15 Vulnerabilities (September 13, 14 & 15, 2011)

On Tuesday, September 13, Microsoft issued five security bulletins to address a total of 15 flaws that could be exploited to allow remote code execution or privilege elevation. Two of the vulnerabilities affect Windows, seven affect Office, and six affect SharePoint. None of the flaws was rated critical. The update also revokes additional digital certificates to protect users after the DigiNotar breach.
-http://www.scmagazine.com.au/News/272044,microsoft-patches-five-holes-nukes-six-
certificates.aspx
-http://www.computerworld.com/s/article/9219976/Microsoft_patches_15_bugs_nukes_m
ore_SSL_certificates?taxonomyId=145
-http://www.h-online.com/security/news/item/Microsoft-closes-holes-in-Windows-and
-Office-1342336.html
-http://www.v3.co.uk/v3-uk/news/2109184/microsoft-revokes-diginotar-certs-patch-t
uesday
-http://technet.microsoft.com/en-us/security/bulletin/ms11-sep

Adobe Releases Security Updates for Reader and Acrobat (September 14, 2011)

Adobe has updated Reader and Acrobat to address a total of 14 security flaws. The updates also removed several DigiNotar certificates from the Adobe Approved Trust List. Adobe recommends that users running Reader X and Acrobat X update to version 10.1.1. Adobe has released updates for users running versions 9.x and 8.x of both products.
-http://www.h-online.com/security/news/item/Adobe-closes-14-holes-in-Reader-and-A
crobat-1342490.html
-http://www.crn.com/news/security/231601428/adobe-critical-security-update-remove
s-fraudulent-diginotar-certificates.htm;jsessionid=nrzsU-rQqdrGnd-ltUPhBA**.ecap
pj03
-http://www.adobe.com/support/security/bulletins/apsb11-24.html

---

************************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account/subscriptions