SANS NewsBites Vol. 12 Num. 86 : FTC Ends Google Investigation While Consumer Groups Call for Congressional Hearing

From: The SANS Institute (NewsBitessans.org)
Date: Fri Oct 29 2010 - 11:58:39 CDT


*************************************************************************
SANS NewsBites October 29, 2010 Vol. 12, Num. 86
*************************************************************************
TOP OF THE NEWS
  FTC Closes Google Street View Investigation, Prompting Call for
    Congressional Hearing
  LimeWire Squeezed Out
  Judge Says Amazon Does Not Have to Surrender Customer Records
THE REST OF THE WEEK'S NEWS
  Adobe Will Issue Fix for New Flash Zero-Day in Two Weeks
  Skimming Attacks Net US $500,000 a Month
  Koobface Variant Uses Java to Spread to Mac OS X
  Dutch Police Take Down Bredolab Botnet; Alleged Mastermind Arrested
    in Armenia
  Mozilla Updates Firefox to Fix Flaw Exploited on Nobel Peace Prize Web Site
  Apple Will Patch iPhone Password Vulnerability Next Month
  RIAA vs. Jammie Thomas-Rasset, Round Three

************************ Sponsored By SANS *****************************

The SANS WhatWorks Incident Detection and Log Management Summit, chaired
by Mike Poor, is being held in Washington DC on December 8 and 9 and
offers two full days of content in a single track, consisting of expert
keynotes, professional briefings and dynamic panels. It will concentrate
on network-centric and host-centric methods to detect intruders that
work in the real world.

http://www.sans.org/info/66373
*************************************************************************
TRAINING UPDATE
New "Combating Malware in the Enterprise" course at SANS (SEC569).
How do you fight off malware when you have thousands of hosts?
Course debut in Las Vegas (Sept'10) and Washington DC (Dec'10):
http://www.sans.org/security-training/combating-malware-enterprise-1482-mid
 -- SANS Chicago 2010, Skokie, Illinois, October 25-30, 2010
6 courses. Bonus evening presentations include Weaponizing LISP:
Advancing the Art of Network Security and Examining the Global
Underground of Malicious Actors
http://www.sans.org/chicago-2010/night.php
 -- SANS San Francisco 2010, November 5-12, 2010
7 courses. Bonus evening presentations include Weaponizing LISP:
Advancing the Art of Network Security
http://www.sans.org/san-francisco-2010/
 -- SANS London 2010, November 27-December 6, 2010
14 courses. Bonus evening presentations include Latest Advances in
Computer Forensics and Continuous Vulnerability Testing and
Remediation: The 20 Critical Security Controls Perspective
http://www.sans.org/london-2010/
 -- SANS Cyber Defense Initiative 2010, Washington DC, December 10-17, 2010
24 courses. Bonus evening presentations include Browser Based
Defenses; Continuous Vulnerability Testing and Remediation: the 20
Critical Security Controls Perspective; and Cyberwar or Business as
Usual? The State of US Federal CyberSecurity Efforts
http://www.sans.org/cyber-defense-initiative-2010/
 -- SANS Security East 2011, New Orleans, LA, January 20-27, 2011
12 courses. Bonus evening presentations and special events include
Happy Little Clouds: Governing, Assessing and Auditing Cloud
Environments and Future Trends in Network Security
http://www.sans.org/security-east-2011/
 -- Looking for training in your own community?
http://sans.org/community/
Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current
Plus San Antonio, Geneva, Tokyo, Sydney, Manama and Muscat all in the
next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org
*********************************************************
TOP OF THE NEWS
 --FTC Closes Google Street View Investigation, Prompting Call for
    Congressional Hearing
(October 27 & 28, 2010)
The US Federal Trade Commission (FTC) has closed its investigation into
Google's inadvertent collection of personal data from unprotected
wireless networks while gathering images for Street View with nothing
more than a warning to Google. In a letter to Google, FTC Bureau of
Consumer Protection director David Vladeck indicated that no penalties
were levied because Google was implementing new privacy measures.
Consumer advocacy groups have called the FTC's decision "premature and
wrong," and have called for a Congressional hearing into the agency's
lack of action. Investigations and government inquiries at the state
level and in other countries around the world are proceeding.
http://www.wired.com/threatlevel/2010/10/ftc-google-wifi-sniffing/
http://www.computerworld.com/s/article/9193383/FTC_ends_probe_into_Google_s_Wi_Fi_snooping?taxonomyId=144
http://content.usatoday.com/communities/technologylive/post/2010/10/critics-call-for-congressional-hearings-on-googles-wi-fi-data-harvesting/1?loc=interstitialskip

 --LimeWire Squeezed Out
(October 26 & 27, 2010)
A US federal court judge in New York has issued an injunction
effectively shutting down LimeWire. The order from US District Judge
Kimba Wood directs LimeWire to immediately cease distributing and
supporting its filesharing software. LimeWire must also report to the
court within two weeks about the steps it has taken to disable the
software and inform its users, employees and stakeholders of the order.
A May ruling from Judge Wood found LimeWire and its chief executive Mark
Gorton liable for inducing and enabling copyright infringement.
http://www.bbc.co.uk/news/technology-11635320
http://www.computerworld.com/s/article/9193199/Court_orders_LimeWire_to_cease_file_sharing_business?taxonomyId=144
http://www.wired.com/threatlevel/2010/10/limewire-riaa-defeat/

 --Judge Says Amazon Does Not Have to Surrender Customer Records
(October 25 & 27, 2010)
A US federal judge has ruled that Amazon does not have to disclose
customer records to North Carolina's Department of Revenue (DOR).
The DOR had demanded the records of purchases made by Amazon's North
Carolina customers so it could collect appropriate sales tax. In her
ruling, US District Judge Marsha Pechman wrote that the DOR's request
for information "runs afoul of the First Amendment." Amazon has
provided the North Carolina DOR with anonymized lists of which items
were sent to which ZIP codes, but the DOR was seeking the names and
addresses associated with individual orders.
http://www.theregister.co.uk/2010/10/27/amazon_sales/
http://news.cnet.com/8301-31921_3-20020680-281.html

THE REST OF THE WEEK'S NEWS
 --Adobe Will Issue Fix for New Flash Zero-Day in Two Weeks
(October 28, 2010)
Adobe says it will issue a fix in two weeks for a critical flaw in Flash
Player that is being actively exploited. In a security advisory, Adobe
acknowledged that the flaw affects Reader and Acrobat, both of which are
being targeted by the attacks; as yet, there do not appear to be active
attacks against Flash Player itself. The flaw affects all versions of
Flash for Windows, Mac OS X, Linux and Android; it affects the
"Authplay" component of Reader and Acrobat. Adobe will issue a fix for
Flash by November 9 and fixes for Reader and Acrobat the following week.
Adobe has been trying to issue scheduled quarterly fixes for Reader and
Acrobat, but a recent spate of disclosed vulnerabilities has prompted
the company to issue several out-of-band fixes. The next scheduled
Reader update is February 8, 2011.
http://www.computerworld.com/s/article/9193678/Hackers_exploit_newest_Flash_zero_day_bug?taxonomyId=85

 --Skimming Attacks Net US $500,000 a Month
(October 27 & 28, 2010)
Analysts at Gartner Research are warning that card fraudsters are
engaging in a type of skimming that is netting some groups US $500,000
a month. Rather than manufacturing phony cards on a one-to-one basis
from the skimmed information, these groups are manufacturing multiple
cards for each account, then having money mules make nearly simultaneous
withdrawals in separate cities. The withdrawal amounts are kept low to
evade fraud detection systems. The attacks have been used to steal as
much as US $100,000 in just 10 minutes. Gartner analyst Avivah Litan
says that the only way to mitigate these attacks is to identify the
point of compromise, then block the cards that were used at that site
and issue new ones. She also suggests the use of stronger
authentication measures, such as the chip and PIN technology that is
used in Europe.
http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=228000267&cid=RSSfeed_IWK_All
http://www.theregister.co.uk/2010/10/27/credit_card_flash_attacks/
http://www.computerworld.com/s/article/9193378/Fraudsters_find_holes_in_debit_card_fraud_detection?taxonomyId=144
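As an added illustration of the detection and mitigation Litan describes (this is example code written for this page, not code from the article or from Gartner), the sketch below flags accounts with near-simultaneous withdrawals in different cities regardless of amount, then finds the merchant shared by the flagged accounts as the likely point of compromise and lists every card that used it for reissue. All account, city and merchant data are constructed.

```python
from collections import defaultdict, Counter
from datetime import datetime, timedelta

# Constructed sample data (not from the article): ATM withdrawals as
# (account, timestamp, city, amount). Each amount is small, which is
# why per-transaction limits alone miss this pattern.
WITHDRAWALS = [
    ("acct-1", "2010-10-27 02:00", "Chicago", 200),
    ("acct-1", "2010-10-27 02:03", "Denver",  200),
    ("acct-1", "2010-10-27 02:05", "Atlanta", 200),
    ("acct-2", "2010-10-27 02:01", "Chicago", 150),
    ("acct-2", "2010-10-27 02:06", "Miami",   150),
    ("acct-3", "2010-10-27 09:00", "Boston",  300),  # ordinary single use
]

# Constructed purchase history (account, merchant) from the weeks before.
PURCHASES = [
    ("acct-1", "grocery-A"), ("acct-1", "gas-station-X"), ("acct-1", "cafe-B"),
    ("acct-2", "gas-station-X"), ("acct-2", "bookshop-C"),
    ("acct-3", "grocery-A"), ("acct-3", "gas-station-X"),
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

def flag_flash_attacks(withdrawals, window=timedelta(minutes=10), min_cities=2):
    """Accounts with withdrawals in >= min_cities distinct cities inside one
    window. Amount is ignored on purpose: the signal is geography and timing."""
    by_acct = defaultdict(list)
    for acct, when, city, _amount in withdrawals:
        by_acct[acct].append((_ts(when), city))
    flagged = set()
    for acct, events in by_acct.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            cities = {c for t, c in events[i:] if t - t0 <= window}
            if len(cities) >= min_cities:
                flagged.add(acct)
                break
    return flagged

def common_point_of_compromise(flagged, purchases):
    """Merchant shared by the largest share of flagged accounts.
    Returns (merchant, fraction of flagged accounts that used it)."""
    seen = Counter()
    for acct, merchant in set(purchases):  # one vote per account per merchant
        if acct in flagged:
            seen[merchant] += 1
    if not seen:
        return None, 0.0
    merchant, hits = seen.most_common(1)[0]
    return merchant, hits / len(flagged)

def cards_to_reissue(merchant, purchases):
    """Every account that used the suspected merchant, flagged or not."""
    return {acct for acct, m in purchases if m == merchant}
```

Note that acct-3 is never flagged but still used the suspected merchant, so it is reissued preventively, which is the step the article says is the only effective mitigation.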

 --Koobface Variant Uses Java to Spread to Mac OS X
(October 28, 2010)
Researchers are warning that a variant of the Koobface worm now
spreading targets Mac OS X in addition to Windows computers. The
variant, nicknamed "Boonana," is spreading through messages posted to
social media like Facebook, Twitter and MySpace. If users click on the
link accompanying the message, they will be prompted to run a Java
applet. Apple recently announced that it will stop supporting Java and
may even drop it completely from future versions of OS X.
http://www.computerworld.com/s/article/9193720/Koobface_worm_targets_Mac_users_on_Facebook_Twitter?taxonomyId=17
http://krebsonsecurity.com/2010/10/koobface-worm-targets-java-on-mac-os-x/
http://www.h-online.com/security/news/item/Koobface-variant-as-a-trojan-for-Mac-OS-X-1126899.htmls
http://www.scmagazineus.com/koobface-exploit-for-macs-circulating-in-the-wild/article/181862/
[Editor's Note (Cole): Browser-style attacks will continue. One
effective defense is to run your browser in a separate virtual machine.
Now if a user clicks on a link, it will infect the guest only. When the
browser closes, the malware goes away.]

 --Dutch Police Take Down Bredolab Botnet; Alleged Mastermind Arrested
    in Armenia
(October 26, 27 & 28, 2010)
Dutch police have conducted a takedown operation aimed at disabling the
Bredolab botnet. One hundred forty-three servers affiliated with
Bredolab have been disconnected. The Bredolab Trojan is believed to
have infected 30 million PCs around the world. A man believed to be the
mastermind behind Bredolab has been arrested in Armenia. Dutch police
have also alerted more than 100,000 computer users whose machines are
infected with Bredolab botnet malware. Some are questioning whether the
police breached Dutch law by accessing those users' computers. Some
users may ignore the warning, mistaking it for one of the phony,
malicious alerts against which they have been warned. Users are being
notified when they log on to their computers; they will also be given
instructions for cleaning the malware from their computers.
http://www.computerworld.com/s/article/9193618/Bredolab_infected_PCs_downloading_fake_antivirus_software?taxonomyId=82
http://www.bbc.co.uk/news/technology-11635317
http://www.scmagazineus.com/botnet-sending-bredolab-trojan-dismantled-one-arrested/article/181767/
http://www.zdnet.co.uk/news/security-threats/2010/10/26/dutch-police-take-down-bredolab-botnet-40090649/
http://www.theregister.co.uk/2010/10/26/bredolab_botnet_takedown/
[Editor's Comment (Northcutt): Wow. 30 million infected. We have warned
100,000 users, only 29,900,000 left to go.
(Schultz): Whether we like it or not (and I don't), the severity of
botnet-related risks has become so great that more governments and law
enforcement agencies are likely to do the same thing that the Dutch did.
(Honan): Botnets are fast becoming the criminals' weapon of choice.
Indeed, ENISA (the European Network and Information Security Agency) in
a position paper "Botnets the Silent Threat" stated that: "Botnets
represent a steadily increasing problem threatening governments,
industries, companies and individual users with devastating consequences
that must be avoided. Urgent preventive measures must be given the
highest priority if this criminal activity is to be defeated. Otherwise
the effect on the basic worldwide network infrastructures could be
disastrous." Given that this paper was published in 2007 it appears
that the above statement is proving to be particularly prophetic. The
paper is available for download at
http://www.enisa.europa.eu/act/res/other-areas/botnets/botnets-2013-the-silent-threat ]

 --Mozilla Updates Firefox to Fix Flaw Exploited on Nobel Peace Prize
    Web Site
(October 27 & 28, 2010)
Mozilla has issued an update for Firefox to address a zero-day
vulnerability less than two days after learning of the problem. Mozilla
released Firefox versions 3.6.12 and 3.5.15 to address a flaw that was
being actively exploited by malware surreptitiously placed on the Nobel
Peace Prize web site. The vulnerability affected Windows, Mac OS X and
Linux versions of the browser. Firefox 4, which is in beta release,
appears to be unaffected. Computers of Firefox users who visited the
site before the update was released may have been surreptitiously
infected with a Trojan horse program.
http://www.computerworld.com/s/article/9193518/Mozilla_patches_Firefox_zero_day_bug_in_48_hours?taxonomyId=208
http://krebsonsecurity.com/2010/10/nobel-peace-prize-site-serves-firefox-0day/
http://www.h-online.com/security/news/item/Attackers-exploit-zero-day-vulnerability-in-Firefox-1126178.html
http://www.h-online.com/security/news/item/Mozilla-issues-Firefox-Thunderbird-security-updates-1126710.html
http://www.scmagazineus.com/firefox-zero-day-being-exploited-in-the-wild/article/181821/
http://www.theregister.co.uk/2010/10/28/firefox_zeroday_patched/

 --Apple Will Patch iPhone Password Vulnerability Next Month
(October 26 & 27, 2010)
Apple says it will fix an iPhone vulnerability next month. The flaw can
be exploited to make calls without entering the device's password. If
an iPhone is lost or stolen, whoever finds it can use it to make calls
and access the phone's address book, voicemail and call history. The
attack allows access only to the Phone app.
http://www.scmagazineuk.com/password-flaw-in-apple-iphone-set-to-be-fixed-next-month/article/181796/
http://www.theregister.co.uk/2010/10/26/iphone_password_bypass/
http://www.pcworld.com/businesscenter/article/208836/new_bug_lets_you_unlock_iphone_for_calls.html
http://www.wired.com/threatlevel/2010/10/iphone-snoop/

 --RIAA vs. Jammie Thomas-Rasset, Round Three
(October 26, 2010)
Round three of the legal battle between Minnesota mother of four Jammie
Thomas-Rasset and the Recording Industry Association of America (RIAA)
is scheduled to begin on November 2. This third trial in the copyright
violation case will focus solely on the damages Thomas-Rasset will pay
for sharing 24 music files.
http://www.computerworld.com/s/article/9192999/Third_trial_to_begin_in_1.92M_music_piracy_case?taxonomyId=144
http://arstechnica.com/tech-policy/news/2010/10/judge-third-trial-against-p2p-user-jammie-thomas-will-go-ahead.ars
http://www.myce.com/news/3rd-trial-against-persistent-p2p-defendant-set-for-nov-2nd-35726/

**********************************************************************
The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center and Dean of the Faculty of the graduate school at the SANS
Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's
computer forensic courses (computer-forensics.sans.org) and a Director
at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in
independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for
Inguardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC)
at the FBI and is the incoming President of the InfraGard National
Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.

David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology
Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer at
the North American Energy Reliability Commission (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
