Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
From: The SANS Institute (NewsBitessans.org)
Date: Fri Jul 02 2010 - 14:04:06 CDT
-----BEGIN PGP SIGNED MESSAGE-----
Senator Reid and the Chairmen of Six Senate Committees Jointly Tell The
President To Get Moving on Cyber Security
In a letter delivered to the White House yesterday, Senators Reid,
Lieberman (Homeland Security), Rockefeller (Commerce), Leahy
(Judiciary), Levin (Armed Services), Kerry (Foreign Relations), and
Feinstein (Intelligence) told the President that each day the threat of
cyber attack increases, and that there is an "urgent need for action."
The trigger for the letter was the White House's refusal to even engage
on the major issues. This is the highest profile recognition that the
White House talks the talk about cyber security, but doesn't walk the
walk. If the White House were a sports team, it would be as if the
owner hired the top all stars in the field but then let the economists
and lawyers take over the game and keep all the stars on the bench.
The Senate letter is posted at
SANS NewsBites July 2, 2010 Vol. 12, Num. 52
TOP OF THE NEWS
Anti-Piracy Practices Tied to Funding for Colleges and Universities
Russian Spy Ring Communicated Through Steganography
Apple Faces Privacy Questions from US Legislators and German Justice Minister
THE REST OF THE WEEK'S NEWS
Romanian Authorities Arrest 50 for Alleged Use of Cell Phone Spyware
Federal Agents Shut Down Nine Sites in Anti-Piracy Operation
Microsoft Sees Significant Uptick in Number of Machines Infected via
Help Center Flaw
Facebook Privacy About-Face
Chrome Will (Eventually) Block Unsecure Plug-ins
Adobe Releases Reader and Acrobat Updates
Attorneys Allegedly Accessed WellPoint Patient Data While Pursuing
Class Action Lawsuit
Australia Introduces Internet Industry Code of Practice
************************ Sponsored By BDNA ******************************
REGISTER NOW for the upcoming webcast: Sequencing the IT Genome:
Agent-less IT Asset Visibility for an Enhanced Security Strategy
Wednesday, July 7, 2010 at 1:00 PM EDT
Sponsored By: BDNA http://www.bdna.com/
This live web presentation and Q&A with Walker White, CTO of BDNA will
provide an overview on how IT Genomics is the most effective method to
manage your IT infrastructure and how BDNA provides the tools and
content to ensure you can effectively sequence it and thereby manage
- -- SANS Rocky Mountain 2010, Denver, July 12-17, 2010
8 courses. Bonus evening presentations include Hiding in Plain Sight:
Forensic Techniques to Counter the Advanced Persistent Threat
- -- SANS Boston 2010, August 2-8, 2010
11 courses. Special Events include Rapid Response Security Strategy Competition
- -- SANS Virginia Beach 2010, August 29-September 3, 2010
9 courses. Bonus evening presentations include Future Trends in
- -- SANS Network Security 2010, Las Vegas, September 19-27, 2010
40 courses. Bonus evening presentations include The Return of Command
Line Kung Fu and Cyberwar or Business as Usual? The State of US
Federal CyberSecurity Initiatives
- -- SOS: SANS October Singapore, October 4-11, 2010
- -- Looking for training in your own community? http://sans.org/community/
Save on On-Demand training (30 full courses) - See samples at
Plus Washington DC, Singapore, Canberra and Portland all in the next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org
TOP OF THE NEWS
--Anti-Piracy Practices Tied to Funding for Colleges and Universities
(July 1, 2010)
As of July 1, 2010, US colleges and universities that receive Title IV
federal aid are required to have anti-piracy procedures in place.
Institutions of higher education have been plagued by their students'
use of the institutions' generous bandwidth to download music and other
digital media through file-sharing networks. The Higher Education
Opportunity Act (HEOA) of 2008 requires that schools abide by a set of
anti-piracy guidelines. The schools must provide students with
information about copyright law and school policies regarding the
violation thereof; the schools must employ technology-based deterrents
to illegal filesharing over campus networks; and the schools must
provide alternatives to illegal filesharing.
[Editor's Note (Schultz): What an ingenious way to make a significant
dent in the piracy problem that plagues U.S. universities!]
--Russian Spy Ring Communicated Through Steganography
(June 29 & 30 & July 1, 2010)
In the course of an investigation that led to the arrest of 11 Russian
intelligence operatives, more than 100 text files were retrieved from
steganographic images. The messages were discovered after law
enforcement officials found a 27-character password for the
Steganography program on a slip of paper during a search. The alleged
spies also used ad hoc Wi-Fi networks and custom software. The 11
individuals lived in the US for years and adopted detailed cover
[Editor's Note (Ranum): As I've commented before on the various "China
cyberspy" articles, real spies don't act like amateurs doing
smash-and-grab over the internet. Agents in place, who have time to get
into positions of trust or at foci of information, are also going to be
vastly more effective (or damaging, depending on your point of view).
(Honan): It seems that even spies need some security awareness training
in how to select and remember complex passwords without having to write
them down. ]
--Apple Faces Privacy Questions from US Legislators and German Justice Minister
(June 28, 2010)
US legislators are questioning Apple about recent changes to its privacy
policy. On Monday, June 21, the Los Angeles Times reported that a
Apple and unnamed "partners and licensees" to collect and store
real-time geographic location data of users' Apple devices. Apple has
been gathering location data since 2008, but just recently moved
notification of the activity from End User License Agreements (EULAs)
agree to the terms before being permitted to download applications or
other media from the Apple iTunes store. In a letter to Apple,
Representatives Edward J. Markey (D-Mass.) and Joe Barton (R-Texas) said
that "given the limited ability of Apple users to opt out of the revised
policy and still be able to take advantage of their Apple products, we
are concerned about the impact the collection of such data could have
on the privacy of Apple's customers." The legislators have given Apple
until July 12 to respond to the letter. Germany's justice minister has
indicated that she is concerned about Apple's data collection practices
for new iPhone owners. Sabine Leutheusser-Schnarrenberger has asked
Apple to tell German data protection officials what kind of data it
collects, how long it is stored and why it is being collected and
THE REST OF THE WEEK'S NEWS
--Romanian Authorities Arrest 50 for Alleged Use of Cell Phone Spyware
(July 1, 2010)
Romanian law enforcement authorities have arrested 50 people for
allegedly using off-the-shelf software to monitor other people's cell
phone communications. A man who is suspected of selling the spyware has
also been arrested. Dan Nicolae Oproiu allegedly sold the software over
the Internet for as much as US $580.
--Federal Agents Shut Down Nine Sites in Anti-Piracy Operation
(June 30 & July 1, 2010)
US government officials have seized domain names of nine websites that
were allegedly being used to share free pirated copies of first-run
movies. The investigation involved 100 agents in 11 US states and the
Netherlands. Officials have also seized assets from 15 bank accounts.
Because they seized the domain names, the sites could reappear elsewhere
on the Internet. The website operators could face prison.
--Microsoft Sees Significant Uptick in Number of Machines Infected via
Help Center Flaw
(June 30 & July 1, 2010)
Microsoft has detected a spike in the number of machines infected
through a flaw in the Windows Help and Support Center on computers
running Windows XP and Server 2003. The flaw was disclosed on June 10.
In the days following the disclosure, attacks exploiting the
vulnerability were targeted and limited, but Microsoft now says it has
detected more than 10,000 distinct computers that have become infected
through the flaw. Microsoft has suggested several actions users can
take to protect their computers until a fix is released.
--Facebook Privacy About-Face
(June 30, 2010)
Facebook has implemented a more transparent policy for how its users
share personal information with third-party applications and websites.
Now when users install a new application or login to a website through
Facebook for the first time, they will see a permissions box letting
them know what information the application or site wants permission to
access. Applications and websites will automatically be permitted to
access public portions of Facebook users' accounts, but will have to
obtain express permission to access information on private sections of
[Editor's Note (Ranum): Am I the only person left on earth who finds the
idea of a "private section of a public profile" to be incredibly stupid?
Hint: If you don't want your information to be discovered, used, sold
and re-sold - don't publish it on a website.]
--Chrome Will (Eventually) Block Unsecure Plug-ins
(June 29 & 30, 2010)
Google has announced that its Chrome browser will soon block some
outdated plug-ins. The goal is to prevent unsecure versions of the
plug-ins from running. The browser will also help users find updated
versions of the plug-ins. Google did not provide a specific timeline
for implementation of the new feature beyond saying it will be a
"medium-term" project. Google also plans to have Chrome warn users when
the browser runs seldom-used plug-ins. Chrome already lets users
disable individual plug-ins or run only plug-ins that they have added
to a permitted list. Firefox plans to add automatic plug-in updating
later this year
--Adobe Releases Reader and Acrobat Updates
(June 29 & 30, 2010)
Adobe has pushed out updates for Reader and Acrobat to fix 17
vulnerabilities, including one that is being actively exploited. The
flaw, which lies in authplay.dll, AuthPlayLib.bundle and
libauthplay.so.0.0.0, allows attackers to install malware on users'
computers by tricking them into opening a maliciously crafted document.
The flaw affects Reader and Acrobat for Windows, Mac and Linux. Adobe
patched the same flaw in Flash Player in June. Adobe released the fixes
two weeks ahead of its scheduled quarterly update. Adobe plans to
release its next security updates on October 12, 2010.
*Stephen Northcutt shares reader feedback on alternatives to Adobe
Reader at the end of NewsBites.
[Editor's Note (Schultz): Adobe deserves considerable credit for taking
so much initiative to fix serious vulnerabilities in its products in so
timely a manner.]
--Attorneys Allegedly Accessed WellPoint Patient Data While Pursuing
Class Action Lawsuit
(June 29 & 30, 2010)
WellPoint has acknowledged that a botched security update resulted in a
customer being able to view her own and other enrollees' personal
information. The health insurer also alleged that an unspecified number
of records were accessed by attorneys working on a class action lawsuit
against the company. The compromised data include medical histories and
payment information. WellPoint became aware of the problem in March
when it was subpoenaed in a lawsuit about the breach. Within hours, the
company fixed the problem. An internal investigation turned up evidence
that information was accessed without authorization. WellPoint has
requested "that the attorneys return all information improperly obtained
from the individual application system."
--Australia Introduces Internet Industry Code of Practice
(June 28 & 29, 2010)
Australia's proposed Internet Industry Code of Practice would help
mitigate the threat posed by computers that have been compromised and
have become part of a botnet. The code was written by the Australian
Internet Industry Association, Australia's broadband, Communications and
the Digital Economy Department and the Attorney General's Department.
The voluntary code provides a framework to help ISPs inform, educate and
protect their users.
*NewsBites reader feedback on Adobe Reader alternatives*
In our last edition, we reported Adobe Reader was being actively
compromised and Stephen Northcutt asked if people have recommendations.
The only suggestion for Internet Explorer was Brava Reader. Several
people pointed out that Google Chrome either has, or is very close to
having its own self contained reader. gPDF is a really nifty idea; it
is a Firefox plug-in to intercept the call to open a .pdf and use the
Google viewer instead. That way, the .pdf is not executing on your
system. However, we could not make it work on either a 32 bit Vista
system or a 64 bit Windows 7. A number of readers suggested FoxIT; they
are a great reader, but they also install a toolbar and ebay icon.
However, you can request a version without ads by email. Another
suggestion was Evince. It was a huge download and it wants a lot of
system access to install; according to Kaspersky Anti-Virus it wants
system shutdown and debug privilege. And as far as xpdf, let's just say
the Windows operating system was clearly an afterthought. The closest
to a corporate solution seems to be FoxIT, I will keep trying a few
things and thank you for sharing your wisdom.
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC)
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.
Prof. Howard A. Schmidt is the Cyber Coordinator for the President of
the United States
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center and Dean of the Faculty of the graduate school at the SANS
Ed Skoudis is co-founder of Inguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.
Rob Lee is the curriculum lead instructor for the SANS Institute's
computer forensic courses (computer-forensics.sans.org) and a Director
at the incident response company Mandiant.
Rohit Dhamankar is the Director of Security Research at TippingPoint,
where he leads the Digital Vaccine and ThreatLinQ groups. His group
develops protection filters to address vulnerabilities, viruses, worms,
Trojans, P2P, spyware, and other applications for use in TippingPoint's
Intrusion Prevention Systems.
Tom Liston is a Senior Security Consultant and Malware Analyst for
Inguardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.
Ron Dick directed the National Infrastructure Protection Center (NIPC)
at the FBI and is the incoming President of the InfraGard National
Members Alliance - with 22,000 members.
Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology
Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of
the State of California.
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
Clint Kreitner is the founding President and CEO of The Center for
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
-----END PGP SIGNATURE-----