SANS NewsBites Vol. 12 Num. 52 : Apple's Privacy Policy Questioned by Legislators

From: The SANS Institute (NewsBitessans.org)
Date: Fri Jul 02 2010 - 14:04:06 CDT


Senator Reid and the Chairmen of Six Senate Committees Jointly Tell The
President To Get Moving on Cyber Security

In a letter delivered to the White House yesterday, Senators Reid,
Lieberman (Homeland Security), Rockefeller (Commerce), Leahy
(Judiciary), Levin (Armed Services), Kerry (Foreign Relations), and
Feinstein (Intelligence) told the President that each day the threat of
cyber attack increases, and that there is an "urgent need for action."
The trigger for the letter was the White House's refusal to even engage
on the major issues. This is the highest profile recognition that the
White House talks the talk about cyber security, but doesn't walk the
walk. If the White House were a sports team, it would be as if the
owner hired the top all-stars in the field but then let the economists
and lawyers take over the game and keep all the stars on the bench.

The Senate letter is posted at
www.sans.org/resources/Senate_Letter_to_Obama

                                    Alan

*************************************************************************
SANS NewsBites July 2, 2010 Vol. 12, Num. 52
*************************************************************************

TOP OF THE NEWS
  Anti-Piracy Practices Tied to Funding for Colleges and Universities
  Russian Spy Ring Communicated Through Steganography
  Apple Faces Privacy Questions from US Legislators and German Justice Minister

THE REST OF THE WEEK'S NEWS
  Romanian Authorities Arrest 50 for Alleged Use of Cell Phone Spyware
  Federal Agents Shut Down Nine Sites in Anti-Piracy Operation
  Microsoft Sees Significant Uptick in Number of Machines Infected via
    Help Center Flaw
  Facebook Privacy About-Face
  Chrome Will (Eventually) Block Unsecure Plug-ins
  Adobe Releases Reader and Acrobat Updates
  Attorneys Allegedly Accessed WellPoint Patient Data While Pursuing
    Class Action Lawsuit
  Australia Introduces Internet Industry Code of Practice

************************ Sponsored By BDNA ******************************

REGISTER NOW for the upcoming webcast: Sequencing the IT Genome:
Agent-less IT Asset Visibility for an Enhanced Security Strategy
Wednesday, July 7, 2010 at 1:00 PM EDT
http://www.sans.org/info/61198
Sponsored By: BDNA http://www.bdna.com/

This live web presentation and Q&A with Walker White, CTO of BDNA will
provide an overview on how IT Genomics is the most effective method to
manage your IT infrastructure and how BDNA provides the tools and
content to ensure you can effectively sequence it and thereby manage
*************************************************************************
TRAINING UPDATE
-- SANS Rocky Mountain 2010, Denver, July 12-17, 2010
8 courses. Bonus evening presentations include Hiding in Plain Sight:
Forensic Techniques to Counter the Advanced Persistent Threat
http://www.sans.org/rocky-mountain-2010/
-- SANS Boston 2010, August 2-8, 2010
11 courses. Special Events include Rapid Response Security Strategy Competition
http://www.sans.org/boston-2010/
-- SANS Virginia Beach 2010, August 29-September 3, 2010
9 courses. Bonus evening presentations include Future Trends in
Network Security
http://www.sans.org/virginia-beach-2010/
-- SANS Network Security 2010, Las Vegas, September 19-27, 2010
40 courses. Bonus evening presentations include The Return of Command
Line Kung Fu and Cyberwar or Business as Usual? The State of US
Federal CyberSecurity Initiatives
http://www.sans.org/network-security-2010/
-- SOS: SANS October Singapore, October 4-11, 2010
7 courses
http://www.sans.org/singapore-sos-2010/
-- Looking for training in your own community? http://sans.org/community/
Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current
Plus Washington DC, Singapore, Canberra and Portland all in the next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org
*************************************************************************

TOP OF THE NEWS
 --Anti-Piracy Practices Tied to Funding for Colleges and Universities
(July 1, 2010)
As of July 1, 2010, US colleges and universities that receive Title IV
federal aid are required to have anti-piracy procedures in place.
Institutions of higher education have been plagued by their students'
use of the institutions' generous bandwidth to download music and other
digital media through file-sharing networks. The Higher Education
Opportunity Act (HEOA) of 2008 requires that schools abide by a set of
anti-piracy guidelines. The schools must provide students with
information about copyright law and school policies regarding the
violation thereof; the schools must employ technology-based deterrents
to illegal filesharing over campus networks; and the schools must
provide alternatives to illegal filesharing.
http://news.cnet.com/8301-31001_3-20009386-261.html?tag=newsEditorsPicksArea.0
[Editor's Note (Schultz): What an ingenious way to make a significant
dent in the piracy problem that plagues U.S. universities!]

 --Russian Spy Ring Communicated Through Steganography
(June 29 & 30 & July 1, 2010)
In the course of an investigation that led to the arrest of 11 Russian
intelligence operatives, more than 100 text files were retrieved from
steganographic images. The messages were discovered after law
enforcement officials found a 27-character password for the
steganography program on a slip of paper during a search. The alleged
spies also used ad hoc Wi-Fi networks and custom software. The 11
individuals lived in the US for years and adopted detailed cover
stories.
http://www.theregister.co.uk/2010/06/29/spy_ring_tech/
http://www.computerworld.com/s/article/9178762/Russian_spy_ring_needed_some_serious_IT_help?taxonomyId=17
http://news.cnet.com/8301-13578_3-20009101-38.html?part=rss&subj=news&tag=2547-1_3-0-20
http://www.washingtonpost.com/wp-dyn/content/article/2010/06/30/AR2010063003108.html
http://www.darkreading.com/insiderthreat/security/encryption/showArticle.jhtml?articleID=225701866
http://gcn.com/articles/2010/07/01/russian-spies-used-steganography-to-transmit-messages.aspx?admgarea=TC_SECURITY
http://documents.nytimes.com/criminal-complaints-from-the-justice-department?ref=europe#document/p36
[Editor's Note (Ranum): As I've commented before on the various "China
cyberspy" articles, real spies don't act like amateurs doing
smash-and-grab over the internet. Agents in place, who have time to get
into positions of trust or at foci of information, are also going to be
vastly more effective (or damaging, depending on your point of view).
(Honan): It seems that even spies need some security awareness training
in how to select and remember complex passwords without having to write
them down.]

 --Apple Faces Privacy Questions from US Legislators and German Justice Minister
(June 28, 2010)
US legislators are questioning Apple about recent changes to its privacy
policy. On Monday, June 21, the Los Angeles Times reported that a
paragraph had been added to Apple's privacy policy that appears to allow
Apple and unnamed "partners and licensees" to collect and store
real-time geographic location data of users' Apple devices. Apple has
been gathering location data since 2008, but just recently moved
notification of the activity from End User License Agreements (EULAs)
on individual products to its general privacy policy. Customers must
agree to the terms before being permitted to download applications or
other media from the Apple iTunes store. In a letter to Apple,
Representatives Edward J. Markey (D-Mass.) and Joe Barton (R-Texas) said
that "given the limited ability of Apple users to opt out of the revised
policy and still be able to take advantage of their Apple products, we
are concerned about the impact the collection of such data could have
on the privacy of Apple's customers." The legislators have given Apple
until July 12 to respond to the letter. Germany's justice minister has
indicated that she is concerned about Apple's data collection practices
for new iPhone owners. Sabine Leutheusser-Schnarrenberger has asked
Apple to tell German data protection officials what kind of data it
collects, how long it is stored and why it is being collected and
stored.
http://www.darkreading.com/security/privacy/showArticle.jhtml?articleID=225701616
http://www.nytimes.com/2010/06/29/technology/29apple.html?src=busln
http://latimesblogs.latimes.com/technology/2010/06/apple-location-privacy-iphone-ipad.html

THE REST OF THE WEEK'S NEWS
 --Romanian Authorities Arrest 50 for Alleged Use of Cell Phone Spyware
(July 1, 2010)
Romanian law enforcement authorities have arrested 50 people for
allegedly using off-the-shelf software to monitor other people's cell
phone communications. A man who is suspected of selling the spyware has
also been arrested. Dan Nicolae Oproiu allegedly sold the software over
the Internet for as much as US $580.
http://www.theregister.co.uk/2010/07/01/romanian_spyware_arrests/

 --Federal Agents Shut Down Nine Sites in Anti-Piracy Operation
(June 30 & July 1, 2010)
US government officials have seized domain names of nine websites that
were allegedly being used to share free pirated copies of first-run
movies. The investigation involved 100 agents in 11 US states and the
Netherlands. Officials have also seized assets from 15 bank accounts.
Because they seized the domain names, the sites could reappear elsewhere
on the Internet. The website operators could face prison.
http://news.bbc.co.uk/2/hi/entertainment_and_arts/10475801.stm
http://mediadecoder.blogs.nytimes.com/2010/06/30/in-anti-theft-effort-officials-seize-9-domain-names/?ref=technology
http://www.latimes.com/business/la-fi-ct-piracy-20100701,0,2871905.story

 --Microsoft Sees Significant Uptick in Number of Machines Infected via
    Help Center Flaw
(June 30 & July 1, 2010)
Microsoft has detected a spike in the number of machines infected
through a flaw in the Windows Help and Support Center on computers
running Windows XP and Server 2003. The flaw was disclosed on June 10.
In the days following the disclosure, attacks exploiting the
vulnerability were targeted and limited, but Microsoft now says it has
detected more than 10,000 distinct computers that have become infected
through the flaw. Microsoft has suggested several actions users can
take to protect their computers until a fix is released.
http://www.scmagazineus.com/microsoft-warns-of-soaring-windows-help-center-exploits/article/173739/
http://www.computerworld.com/s/article/9178768/Microsoft_10_000_PCs_hit_with_new_Windows_XP_zero_day_attack?taxonomyId=17
http://www.theregister.co.uk/2010/06/30/windows_exploit_spike/
http://news.bbc.co.uk/2/hi/technology/10473495.stm

 --Facebook Privacy About-Face
(June 30, 2010)
Facebook has implemented a more transparent policy for how its users
share personal information with third-party applications and websites.
Now when users install a new application or log in to a website through
Facebook for the first time, they will see a permissions box letting
them know what information the application or site wants permission to
access. Applications and websites will automatically be permitted to
access public portions of Facebook users' accounts, but will have to
obtain express permission to access information on private sections of
the profiles.
http://www.computerworld.com/s/article/9178757/Facebook_adds_new_controls_for_third_party_apps?taxonomyId=17
http://www.theregister.co.uk/2010/06/30/facebook_privacy/
http://blog.facebook.com/blog.php?post=403443752130
[Editor's Note (Ranum): Am I the only person left on earth who finds the
idea of a "private section of a public profile" to be incredibly stupid?
Hint: If you don't want your information to be discovered, used, sold
and re-sold - don't publish it on a website.]

 --Chrome Will (Eventually) Block Unsecure Plug-ins
(June 29 & 30, 2010)
Google has announced that its Chrome browser will soon block some
outdated plug-ins. The goal is to prevent unsecure versions of the
plug-ins from running. The browser will also help users find updated
versions of the plug-ins. Google did not provide a specific timeline
for implementation of the new feature beyond saying it will be a
"medium-term" project. Google also plans to have Chrome warn users when
the browser runs seldom-used plug-ins. Chrome already lets users
disable individual plug-ins or run only plug-ins that they have added
to a permitted list. Firefox plans to add automatic plug-in updating
later this year.
http://www.theregister.co.uk/2010/06/30/google_chrome_plug_in_blocker/
http://news.cnet.com/8301-27080_3-20009231-245.html?tag=mncol;title

 --Adobe Releases Reader and Acrobat Updates
(June 29 & 30, 2010)
Adobe has pushed out updates for Reader and Acrobat to fix 17
vulnerabilities, including one that is being actively exploited. The
flaw, which lies in authplay.dll, AuthPlayLib.bundle and
libauthplay.so.0.0.0, allows attackers to install malware on users'
computers by tricking them into opening a maliciously crafted document.
The flaw affects Reader and Acrobat for Windows, Mac and Linux. Adobe
patched the same flaw in Flash Player in June. Adobe released the fixes
two weeks ahead of its scheduled quarterly update. Adobe plans to
release its next security updates on October 12, 2010.
http://www.eweek.com/c/a/Security/Adobe-Patches-Critical-Bugs-in-Reader-Acrobat-303582/
http://www.theregister.co.uk/2010/06/29/adobe_emergency_patch/
http://www.computerworld.com/s/article/9178740/Adobe_patches_PDF_bugs_hackers_already_exploiting?taxonomyId=17
http://www.adobe.com/support/security/bulletins/apsb10-15.html
*Stephen Northcutt shares reader feedback on alternatives to Adobe
Reader at the end of NewsBites.
[Editor's Note (Schultz): Adobe deserves considerable credit for taking
so much initiative to fix serious vulnerabilities in its products in so
timely a manner.]

 --Attorneys Allegedly Accessed WellPoint Patient Data While Pursuing
    Class Action Lawsuit
(June 29 & 30, 2010)
WellPoint has acknowledged that a botched security update resulted in a
customer being able to view her own and other enrollees' personal
information. The health insurer also alleged that an unspecified number
of records were accessed by attorneys working on a class action lawsuit
against the company. The compromised data include medical histories and
payment information. WellPoint became aware of the problem in March
when it was subpoenaed in a lawsuit about the breach. Within hours, the
company fixed the problem. An internal investigation turned up evidence
that information was accessed without authorization. WellPoint has
requested "that the attorneys return all information improperly obtained
from the individual application system."
http://www.thetechherald.com/article.php/201026/5807/WellPoint-Data-breach-caused-by-attorneys-and-faulty-security-update
http://www.reuters.com/article/idUSN2916223420100629
http://www.californiahealthline.org/articles/2010/6/30/wellpoint-breach-could-have-exposed-enrollees-medical-financial-data.aspx
http://www.latimes.com/business/la-fi-wellpoint-20100629,0,7282434.story

 --Australia Introduces Internet Industry Code of Practice
(June 28 & 29, 2010)
Australia's proposed Internet Industry Code of Practice would help
mitigate the threat posed by computers that have been compromised and
have become part of a botnet. The code was written by the Australian
Internet Industry Association, Australia's Department of Broadband,
Communications and the Digital Economy, and the Attorney General's Department.
The voluntary code provides a framework to help ISPs inform, educate and
protect their users.
http://fcw.com/articles/2010/06/29/web-aussie-isp-code.aspx

*NewsBites reader feedback on Adobe Reader alternatives*
In our last edition, we reported Adobe Reader was being actively
compromised and Stephen Northcutt asked if people have recommendations.
The only suggestion for Internet Explorer was Brava Reader. Several
people pointed out that Google Chrome either has, or is very close to
having, its own self-contained reader. gPDF is a really nifty idea; it
is a Firefox plug-in that intercepts the call to open a .pdf and uses the
Google viewer instead. That way, the .pdf is not executing on your
system. However, we could not make it work on either a 32-bit Vista
system or a 64-bit Windows 7. A number of readers suggested FoxIT; they
are a great reader, but they also install a toolbar and an eBay icon.
However, you can request a version without ads by email. Another
suggestion was Evince. It was a huge download and it wants a lot of
system access to install; according to Kaspersky Anti-Virus it wants
system shutdown and debug privilege. And as far as xpdf, let's just say
the Windows operating system was clearly an afterthought. The closest
to a corporate solution seems to be FoxIT. I will keep trying a few
things, and thank you for sharing your wisdom.
http://www.bravaviewer.com/reader.htm
http://blog.arpitnext.com/gpdf
http://www.foxitsoftware.com/pdf/reader/
http://projects.gnome.org/evince/
http://www.foolabs.com/xpdf/home.html
http://blog.kowalczyk.info/software/sumatrapdf/index.html

**********************************************************************
The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.

Prof. Howard A. Schmidt is the Cyber Coordinator for the President of
the United States.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center and Dean of the Faculty of the graduate school at the SANS
Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's
computer forensic courses (computer-forensics.sans.org) and a Director
at the incident response company Mandiant.

Rohit Dhamankar is the Director of Security Research at TippingPoint,
where he leads the Digital Vaccine and ThreatLinQ groups. His group
develops protection filters to address vulnerabilities, viruses, worms,
Trojans, P2P, spyware, and other applications for use in TippingPoint's
Intrusion Prevention Systems.

Tom Liston is a Senior Security Consultant and Malware Analyst for
Inguardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.

Ron Dick directed the National Infrastructure Protection Center (NIPC)
at the FBI and is the incoming President of the InfraGard National
Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.

David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology
Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of
the State of California.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
