SANS NewsBites - Volume: XIII, Issue: 35

*************************************************************************
SANS NewsBites                     May 03, 2011                    Volume: XIII, Issue: 35
*************************************************************************

TOP OF THE NEWS

  Sony Shuts Down Online Gaming Site
  Apple Filed Patent Application for Tracking Technology
  LimeWire Trial Set to Start This Week
  Malware Targets Macs

THE REST OF THE WEEK'S NEWS

  Employees Have Internet Access at Oak Ridge National Labs Again
  Some Claim to be Selling PSN Customers' Credit Card Data
  Papers Warns of Dangers of Alarmist Cyberthreat Rhetoric
  Amazon Provides Details About Cloud Outage
  Mozilla Releases Update for Firefox 4
  Seattle School District Officials Suspect Students in Online Grade Changes


*****************************************************************

TRAINING UPDATE

-- SANS Security West 2011, San Diego, CA, May 3-12, 2011 23 courses. Bonus evening presentations include The Emerging Security Threat Panel Discussion; and Emerging Trends in Data Law and Investigation
http://www.sans.org/security-west-2011/

-- SANS Cyber Guardian 2011, Baltimore, MD, May 15-22, 2011 8 courses. Bonus evening presentations include Windows Exploratory Surgery with Process Hacker and State of the Hack: Stuxnet. 8 courses.
http://www.sans.org/cyber-guardian-2011/

-- SANS Rocky Mountain 2011, Denver, CO, June 25-30, 2011 7 courses. Bonus evening presentations include SANS Hacklab and Why End Users are Your Weakest Link
http://www.sans.org/rocky-mountain-2011/

-- SANSFIRE 2011, Washington, DC, July 15-24, 2011 40 courses. Bonus evening presentations include Ninja developers: Penetration testing and Your SDLC; and Are Your Tools Ready for IPv6?
http://www.sans.org/sansfire-2011/

-- SANS Boston 2011, Boston, MA, August 8-15, 2011 12 courses. Bonus evening presentations include Cost Effectively Implementing PCI through the Critical Controls; and More Practical Insights on the 20 Critical Controls
http://www.sans.org/boston-2011/

-- SANS Virginia Beach 2011, August 22- September 2, 2011 11 courses.
http://www.sans.org/virginia-beach-2011/

-- Looking for training in your own community?
http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Barcelona, Amsterdam, Brisbane, London and Austin all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

********************** SPONSORED BY Athena Security ********************

Running your network without configuration analytics is like wandering a maze aimlessly. Where are the optimal places to make changes? How can you be sure the correct changes were made? What are the possible side effects?

Athena arms you with tools to simplify network visualization and management. Get a FREE trial of Athena PathFinder and start making changes with absolute clarity.

http://www.sans.org/info/76813

****************************************************************************

TOP OF THE NEWS

Sony Shuts Down Online Gaming Site (May 2, 2011)

Late Sunday night, Sony shut down Sony Online Entertainment, its online PC games site, fueling speculation that the attack that prompted the PSN outage gained a deeper grasp in company systems than has been acknowledged. Sony did not provide much information about their reasons beyond having "discovered an issue that warrants enough concern ... to take the service down effective immediately."
-http://www.theregister.co.uk/2011/05/02/sony_online_entertainment_closed/
-http://latimesblogs.latimes.com/technology/2011/05/sony-online-games-attack-hack
er.html
-http://www.pcmag.com/article2/0,2817,2384771,00.asp
-http://www.bbc.co.uk/news/technology-13260041

Apple Filed Patent Application for Tracking Technology (April 27 & 29, 2011)

In 2009, Apple filed a patent application for technology to track users through smartphones. Apple has recently been the focus of attention because it was found that iPhones were tracking and storing user location data. Apple had said that it was not tracking users and that a bug was to blame for the retained data. The September 2009 patent application refers to "Location Histories for Location Aware Devices."
-http://www.securecomputing.net.au/News/255860,apple-snooping-plot-thickens--ipho
ne-tracker-was-patented.aspx
-http://blogs.forbes.com/kashmirhill/2011/04/27/apple-filed-a-patent-application-
in-2009-for-what-its-now-calling-a-bug/

LimeWire Trial Set to Start This Week (April 28, 2011)

The copyright infringement lawsuit brought against LimeWire by the Recording Industry Association of America (RIAA) is scheduled to start on Tuesday, May 3. It's the first such lawsuit against a file-sharing software company since the Supreme Court ruled against Grokster in 2005. A federal jury will decide how much LimeWire should pay for copyright infringement conducted through its service. The record companies say LimeWire owes more than US $1 billion in damages. US District Judge Kimba Wood noted that the infringement was "willful," which significantly increases the penalty for each track that was shared illegally. Judge Wood ordered LimeWire to stop "file-distribution functionality" in October 2010.
-http://www.wired.com/threatlevel/2011/04/limewire-damages-trial/
[Editor's Comment (Northcutt): We talk about the Grokster case in my class, Security Leadership Essentials, but these LimeWire folks were really cheeky.
-http://www.sans.org/security-training/security-leadership-essentials-managers-kn
owledge-compression-62-mid]

Malware Targets Macs (May 2, 2011)

Malware targeting Mac OS X has been detected, though it is not widespread. Those spreading the malware are exploiting users' interest in late breaking news about Bin Laden's death. MacDefender claims to be security software and tries to trick users into paying up to US $80 for what amounts to useless software. This marks the first time that rogue antivirus software has targeted Mac users. The program generates a stream of messages on users' computers that malware has been detected on their machines, and urges them to download security software. Safari users who have selected the "open 'safe' files after downloading" setting will have the malware installed immediately upon visiting one of the malicious pages. In other cases, for users to become infected, they have to open a ZIP file and manually install the malware. There is a legitimate software developer with the same name as the malware; they are not in any way connected. Internet Storm Center:
-http://isc.sans.edu/diary.html?storyid=10813
(ISC has reports of $99 (via Paypal) for a price on this in addition to the $80 from other sources.)
-http://www.computerworld.com/s/article/9216335/Fake_security_software_takes_aim_
at_Mac_users?taxonomyId=17
-http://www.pcworld.com/article/226846/fake_macdefender_brings_malware_to_macs.ht
ml
-http://thenextweb.com/apple/2011/05/02/bogus-macdefender-malware-campaign-target
s-mac-users-using-google-images/
[Editor's Comment (Northcutt): As a public safety announcement, please warn your people not to open any mail messages with attachments that claim to have video, pictures etc of Bin Laden, the Navy Seal team, Amazing Grace at Ground Zero, the wife that was a human shield etc. This doesn't only apply to Macs, PCs, iPhones, Androids, just do not do it. I will bet the botnets add a million compromised systems from people clicking on this one. ]



*************************** Sponsored Link: *******************************

Call For Participation: Security Architecture Workshop - 2011 Washington DC. If your organization has found effective ways to bake security into applications (and you are not a vendor) you may win a highly prized free invitation to the Security Architecture Workshop where the most effective techniques for making secure engineering and architecture cost-effective will be shared. Email SAW@sans.org if you have a process that works.

****************************************************************************

THE REST OF THE WEEK'S NEWS

Employees Have Internet Access at Oak Ridge National Labs Again (May 2, 2011)

Internet connectivity has been restored at the Oak Ridge National Laboratory, more than two weeks after employee access to the Internet was severed to limit damage from a cyber attack. An investigation into the incident that led to the restrictions indicates that malware infiltrated laboratory systems on April 7, 2011 following a targeted phishing attack against lab employees that exploited a vulnerability in Internet Explorer. The lab became aware of the situation on April 11 and monitored systems until the decision was made to sever Internet access on April 15.
-http://www.knoxnews.com/news/2011/may/02/internet-back-oak-ridge-national-labora
tory-after/

Some Claim to be Selling PSN Customers' Credit Card Data (April 28 & 29, 2011)

While Sony says that the credit card information compromised in the PSN attack were encrypted, those apparently involved with the attack claim that they are already selling the information in online carder forums. It is possible that both claims could be true; Sony has not said what sort of encryption was used, and the attackers could conceivably have broken it by now.
-http://www.pcworld.com/businesscenter/article/226737/sony_says_data_is_protected
_attackers_say_its_for_sale.html

Papers Warns of Dangers of Alarmist Cyberthreat Rhetoric (April 29, 2011)

A paper published by researchers at the Mercatus Institute at Virginia's George Mason University says that the US government's "alarmist rhetoric" about cyber threats facing the country's critical infrastructure could result in the enactment of policy based on evidence that may not have a foundation in fact. The researchers, Jerry Brito and Tate Watkins, compared the dangerous possibilities of ill-informed policy to what happened in Iraq - a decision was made to invade the country based on rumors, not hard evidence, that the country's political regime was connected to the September 11 attacks and that it possessed weapons of mass destruction. Decisions based on faulty information could lead to unnecessary regulation of network, and overspending on cyber security.
-http://www.scmagazineus.com/paper-highlights-dangers-of-inflating-cyberthreats/a
rticle/201822/
-http://mercatus.org/sites/default/files/publication/110421-cybersecurity.pdf
[Editor's Comment (Northcutt): At first glance the paper appears to be political and sensational, however it is well researched and more even toned that I first felt. Anyone with government or governance responsibility is encouraged to read it and draw your own conclusions.
(Schultz): I am sure that these researchers are very smart, but they do not appear to be very well-informed. They speculate that the US government might overspend on cyber security. The day that happens will be the day hell freezes over, trust me. ]

Amazon Provides Details About Cloud Outage (April 29, 2011)

Amazon has apologized for the outage experienced in portions of its cloud services platform and has released a statement offering more detail about the cause of the incident. The problem arose because of a configuration error that was made during a network upgrade. The error caused traffic that should have been directed to a primary network to be routed to a lower-capacity network. Amazon also detailed steps it is taking to prevent a recurrence.
-http://www.computerworld.com/s/article/9216303/Amazon_cloud_outage_was_triggered
_by_configuration_error?taxonomyId=17
-http://aws.amazon.com/message/65648/
-http://www.bbc.co.uk/news/business-13242782
[Editor's Note (Pescatore): Back in the day, what we called the cloud was the telecoms cloud. And back in 1990, ATT had a self-inflicted software bug that brought down just about all their 4ESS switches and the majority of US long distance calls for over 24 hours. Anyone who plans on using cloud without planning on workarounds for outages is not doing their due diligence. ]

Mozilla Releases Update for Firefox 4 (April 29 & May 2, 2011)

Mozilla has released security updates for Firefox 4, Firefox 3.5 and Firefox 3. In all, Mozilla fixed 53 flaws in the browsers, 12 of which were rated critical. The flaws addressed in the new version of Firefox 4 include a pair of issues in WebGLES graphics libraries that could be exploited to bypass certain security protections in Windows.
-http://www.theregister.co.uk/2011/04/29/firefox_security_update/
-http://www.computerworld.com/s/article/9216294/Mozilla_patches_Firefox_4_fixes_p
rogramming_bungle
-http://www.eweek.com/c/a/Security/Mozilla-Patches-Critical-Firefox-Security-Flaw
s-536391/

Seattle School District Officials Suspect Students in Online Grade Changes (April 28 & May 1, 2011)

School district officials suspect students at Seattle area high schools of breaking into school computer systems. Systems at three Seattle high schools have been affected. Although some grades in an online grade book system were altered, no final grades were changed. The district has begun monitoring systems for anomalous activity. Teachers received a memo that told them "network login credentials are being stolen and used to inappropriately access district systems." Officials suspect the information was stolen through the use of a keystroke logging device. The district is checking to see if other information was stolen.
-http://www.seattlepi.com/local/article/Students-suspected-of-changing-grades-on-
hacked-1357382.php
-http://seattletimes.nwsource.com/html/editorials/2014914193_edit02grades.html


************************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/