6 days to save $250 for SANS Seattle 2014
6 Days Left to Save $400 on SANS Network Security 2014

SANS NewsBites - Volume: XIII, Issue: 42


Big week for cyber incidents and news: Pentagon cyber warfare strategy,
Lockheed, Cong. Weiner, and PBS hacks.
Alan

PS. Tomorrow is the final day to save $400 on SANSFIRE registration.
http://www.sans.org/sansfire-2011

*************************************************************************
SANS NewsBites                     May 31, 2011                    Volume: XIII, Issue: 42
*************************************************************************
TOP OF THE NEWS

  Attack on Lockheed Martin Network Linked to RSA SecurID Breach
  Pentagon to Release Cyber Warfare Strategy
  PBS Web Site Hacked As Retribution for Story
  Congressman Weiner's Twitter Account Used to Send Sexual Image

THE REST OF THE WEEK'S NEWS

  Digital "Ants" Could Help Protect SCADA Systems
  Skype Partner Software Installed on Users' Machines Without Consent
  Increase in Reported Data Breaches Likely Due to Code of Practice
  French Police Shut Filesharing Website
  Sony Will Testify at House Committee Privacy Hearing
  Google Pulls Apps from Chrome Web Store Over Privacy Issues
  ChronoPay Linked to Mac Scareware
  Microsoft Safety Scanner Finds Evidence of Attack or Infection on Five Percent of PCs
  Two Convicted in Scheme to Sell Counterfeit Cisco Equipment


***************************************************************************

TRAINING UPDATE

-- SANS Rocky Mountain 2011, Denver, CO, June 25-30, 2011 8 courses. Bonus evening presentations include SANS Hacklab and Why End Users are Your Weakest Link
http://www.sans.org/rocky-mountain-2011/

-- SANSFIRE 2011, Washington, DC, July 15-24, 2011 41 courses. Bonus evening presentations include Ninja Developers: Penetration Testing and Your SDLC; and Are Your Tools Ready for IPv6?
http://www.sans.org/sansfire-2011/

-- SANS Boston 2011, Boston, MA, August 8-15, 2011 12 courses. Bonus evening presentations include Cost Effectively Implementing PCI through the Critical Controls; and More Practical Insights on the 20 Critical Controls
http://www.sans.org/boston-2011/

-- SANS Virginia Beach 2011, August 22- September 2, 2011 11 courses. Bonus evening presentations include SANS Hacklab; Offensive Countermeasures; and Evolving VoIP Threats
http://www.sans.org/virginia-beach-2011/

-- SANS Ottawa 2011, Ottawa, Ontario, August 28- September 2, 2011 5 courses. Bonus evening presentations include DNS Sinkhole: Peer Into Your Network While You Sleep; and I See What You Did There: Forensic Time Line Analysis
http://www.sans.org/ottawa-2011/

-- SANS Network Security 2011, Las Vegas, NV, September 17-26, 2011 43 courses. Bonus evening presentations include Securing the Kids; Who is Watching the Watchers?; and Emerging Trends in the Law of information Security and Investigations
http://www.sans.org/network-security-2011/

-- Looking for training in your own community?
http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus London, Austin, Canberra and Ottawa all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

******************* SPONSORED BY ArcSight, an HP Company ******************

Logs of the World - UNITE! Power to IT Ops! ArcSight Logger is now available for FREE. Download it today and experience true, enterprise-class log management functionality. ArcSight Logger is the first Universal Log Management solution that unifies searching, reporting, alerting and analysis across any type of enterprise log data. Download yours for FREE today. http://www.sans.org/info/79089

****************************************************************************


TOP OF THE NEWS

Attack on Lockheed Martin Network Linked to RSA SecurID Breach (May 27 & 29, 2011)
Lockheed Martin has acknowledged that it was the target of a "significant and tenacious" cyber attack earlier this month. The US defense company's security team detected the threat "almost immediately" and took action. Lockheed Martin released a statement saying that "our systems remain secure; no customer, program or employee personal data has been compromised." The company suspended remote access to email and corporate applications after detecting the attack. The breach involved the use of RSA SecurID tokens to gain access to accounts, suggesting that the incident is linked to the security breach at RSA in March, in which cyber intruders broke into an RSA network and stole information related to SecurID. RSA has not said what information the intruders took. The Pentagon and the Department of Homeland Security (DHS) are helping Lockheed with the investigation into the incident.
-http://www.bloomberg.com/news/2011-05-29/lockheed-offered-help-after-cyber-incid
ent-u-s-government-says.html

-http://www.bbc.co.uk/news/world-us-canada-13587785
-http://www.computerworld.com/s/article/9217126/Lockheed_Martin_acknowledges_sign
ificant_cyberattack?taxonomyId=17

-http://news.cnet.com/8301-1009_3-20067190-83.html?tag=mncol;title
-http://www.h-online.com/security/news/item/Hackers-break-into-Lockheed-Martin-12
51978.html

-http://www.theregister.co.uk/2011/05/27/lockheed_securid_hack_flap/
[Editor's Comment (Northcutt): I know RSA said they were announcing "a fundamental yet strategic change in how organizations can better prioritize activities and identify threats in the wake of escalating advanced persistent threats (APTs).", but I bet they did not realize their technology was going to be part of the problem. Does anyone know of any use cases using only the RSA dongle, or are they all two factor authentication password + dongle?
-http://www.rsa.com/go/press/RSATheSecurityDivisionofEMCNewsRelease_21611.html]



Pentagon to Release Cyber Warfare Strategy (May 31, 2011)
The Pentagon has concluded that computer sabotage coming from another country can constitute an act of war, a finding that for the first time opens the door for the U.S. to respond using traditional military force. One idea gaining momentum at the Pentagon is the notion of "equivalence." If a cyber attack produces the death, damage, destruction or high-level disruption that a traditional military attack would cause, then it would be a candidate for a "use of force" consideration, which could merit retaliation. The Pentagon will release a plan that can serve as a warning and deterrent to would-be attackers.
-http://online.wsj.com/article/SB10001424052702304563104576355623135782718.html


PBS Web Site Hacked As Retribution for Story (May 31, 2011)
PBS said hackers broke into the network's website and posted a phony story falsely claiming deceased rapper Tupac Shakur was alive and well and living in New Zealand. The group LulzSec may have attacked PBS because of a Wikileaks story.
-http://www.redorbit.com/news/technology/2055774/pbs_website_hacked/
-http://www.huffingtonpost.com/2011/05/30/pbs-hacked-tupac-alive_n_868673.html


Congressman Weiner's Twitter Account Used to Send Sexual Image (May 31, 2011)
Brooklyn and Queens Democratic Congressman Anthony Weiner could only try to find humor in the situation he found himself in Friday night when his Twitter account was hacked and a lewd photo posted under his account. The photo showed a man's crotch in gray briefs, and was directed to a single Twitter user -- 21-year-old Gennette Cordova, a Seattle college student, but Weiner's 45,000 followers were able to see it in their Twitter feeds. Conservative groups claim the hack was made up and the picture was real. Weiner has hired an attorney.
-http://www.nbcnewyork.com/news/local/Lewd-Photo-Sent-Over-Rep-Weiners-Hacked-Twi
tter-Account-122799269.html

-http://www.reuters.com/article/2011/05/31/us-weiner-twitter-idUSTRE74U4OD2011053
1




*************************** SPONSORED LINKS ******************************

1) Be one of the first to download the Symantec Endpoint Protection 12 Beta. Click Here: http://www.sans.org/info/79094

2) Learn how to secure your network during the IPv6 transition at the Security Impact of IPv6 Summit July 15th in Washington DC and take advantage of the post-Summit IPv6 Essentials course July 16th. http://www.sans.org/info/79099

3) Hear industry experts discuss techniques to fight crimes at the Forensics and Incident Response Summit in Austin, Texas - June 7-8th. Make sure to also attend any of the 4 post-Summit courses June 9-14th. http://www.sans.org/info/79104

****************************************************************************


THE REST OF THE WEEK'S NEWS

Digital "Ants" Could Help Protect SCADA Systems (May 29 & 30, 2011)
Cyber security research based on the behavior of ants may hold implications for protecting Supervisory Control and Data Acquisition (SCADA) systems from attacks. Researchers at Wake Forest University partnering with Pacific Northwest National Laboratory have been studying how ants protect their colonies when a perceived threat intrudes. Dubbed "swarming intelligence," it is being used as a model to train digital "ants" to recognize and thwart attacks in the power grid.
-http://articles.economictimes.indiatimes.com/2011-05-29/news/29597080_1_computer
-systems-power-grid-digital

-http://www.tgdaily.com/security-features/56255-digital-ants-check-networks-for-v
iruses



Skype Partner Software Installed on Users' Machines Without Consent (May 30, 2011)
Skype partner EasyBits used the company's auto update feature to install the EasyBits Go games center on users' computers even when they chose to stop the installation. The program has proven difficult to uninstall because it installs separate program folders. Skype has disabled the update, calling the unwanted installation an error. EasyBits has now provided an uninstaller to facilitate the removal of the unwanted software.
-http://www.h-online.com/security/news/item/Skype-installs-third-party-software-a
gainst-users-wishes-1252543.html

-http://www.zdnet.com/blog/hardware/days-after-being-bought-by-microsoft-skype-st
arts-installing-crapware-on-windows-systems-without-consent/13015



Increase in Reported Data Breaches Likely Due to Code of Practice (May 30, 2011)
The number of data breaches reported to Ireland's Data Protection Commissioner (DPC) rose 350 percent in 2010. In 2009, the DPC received reports of 119 breaches, while in 2010, 410 breaches were reported. In a report, the DPC attributed the increase to "the more exacting demands placed on organizations by the code of practice rather than an increase in the absolute number of data breaches." Data breaches from compromised websites have increased, while data breaches from lost or stolen laptops have declined.
-http://www.siliconrepublic.com/strategy/item/21995-data-protection/
[Editor's Comment (Northcutt): Here is a link to the DPC and the Code of practice for further reading:
-http://www.dataprotection.ie/docs/Breach_Notification_Guidance/901.htm
-http://www.dataprotection.ie/docs/7/7/10_-_Data_Security_Breach_Code_of_Practice
/1082.htm
]


French Police Shut Filesharing Website (May 29, 2011)
Law enforcement authorities in France have shut down a website known for making pirated movies, music and software available for download and have arrested three people in connection with the operation. Liberty Land had an estimated 800,000 members. The site's operators each face up to five years in prison and fines of 500,000 Euros (US $714,000).
-http://www.bangkokpost.com/tech/computer/239483/french-police-close-down-piracy-
website

-http://torrentfreak.com/arrested-file-sharing-admins-face-jail-700000-fines-1005
30/



Sony Will Testify at House Committee Privacy Hearing (May 27, 2011)
Sony has agreed to testify at a privacy hearing of the House Energy and Commerce Committee's Subcommittee on Commerce, Manufacturing and Trade on June 2. The company, which recently suffered a massive data security breach of its PlayStation Network (PSN), also sent a letter to legislators providing additional information about the attacks. Sony Computer Entertainment chairman Kazuo Hirai explained that the company did not testify earlier because the company "was under attack and it was critically important that ... key personnel remained available" to the company. Representatives from Epsilon, which also suffered a serious breach earlier this spring, will testify at the hearing as well.
-http://www.pcmag.com/article2/0,2817,2386051,00.asp
-http://energycommerce.house.gov/Media/file/Letters/112th/052611sonyresponse.pdf
-http://energycommerce.house.gov/hearings/hearingdetail.aspx?NewsID=8653
[Editor's Note (Honan): Mr. Hirai provides good counsel with regards to managing an incident. To ensure core team members focus on handling the incident you should appoint someone to keep senior management and other stakeholders updated on the situation. This allows those stakeholders to make appropriate decisions on how to manage the crisis from a business point of view while the company is under attack "key personnel remained available." ]


Google Pulls Apps from Chrome Web Store Over Privacy Issues (May 26 & 29, 2011)
Google has removed at least two games from its Chrome Web Store after learning that they were able to access all browsing history, website data and bookmarks on users' computers. Google was alerted to the problem by a blogger who dug down into layers of links in the fine print to find a page that read, "This item can read every page that you visit. ... Besides seeing all your pages, this item could use your credentials (cookies) to request data from websites." The broad permissions are the default installation setting for the extension.
-http://www.theregister.co.uk/2011/05/26/google_web_store_privacy_threats/
-http://www.h-online.com/security/news/item/Chrome-Web-Store-has-same-security-pr
oblem-as-Android-Market-1251823.html

-http://blog.mobilephonesecurity.org/2011/05/chrome-app-security-model-is-broken.
html



ChronoPay Linked to Mac Scareware (May 27, 2011)
Russian online payment processor ChronoPay has been linked to scareware targeting Mac users. For the last month, warnings have been circulating about malware that attempts to get Mac users to purchase useless security software by falsely claiming that their computers are infected. The attacks spread through Google Image search results that had been altered. Journalist Brian Krebs examined the registration records for the domains used to pay for the scareware and found that they are linked to ChronoPay. The company has denied any involvement with the rogue anti-virus software.
-http://krebsonsecurity.com/2011/05/chronopay-fueling-mac-scareware-scams/


Microsoft Safety Scanner Finds Evidence of Attack or Infection on Five Percent of PCs (May 27, 2011)
According to information compiled from Microsoft's Safety Scanner, nearly five percent of PCs running Windows are infected with malware. The free malware scanning and scrubbing tool was launched on May 12; since then, it has been downloaded 420,000 times and removed malware or evidence of previous attacks from more than 20,000 machines. Seven of the top ten threats found by the tool were Java-based exploits.
-http://www.computerworld.com/s/article/9217113/New_malware_scanner_finds_5_of_Wi
ndows_PCs_infected?taxonomyId=85

[Editor's note (Schultz): I believe Microsoft's reported infection rate is too low. Users who do not have a clue concerning how to secure their systems almost certainly have high infection rates. These users are not aware of Microsoft's Safety Scanner, let alone of how to download and run this tool, but more sophisticated and security-aware users are. Microsoft's statistics thus in all likelihood apply almost entirely to the latter group. ]


Two Convicted in Scheme to Sell Counterfeit Cisco Equipment (May 27, 2011)
A federal jury has convicted for their roles in a scheme to import and sell phony Cisco networking equipment. Chun-Yu Zhao was found guilty of conspiracy, importation fraud, trafficking in counterfeit goods and other offenses; Donald H. Cone was found guilty of conspiracy. Sentencing is scheduled for August. The conspiracy charge carries a maximum sentence of five years in prison and a US $250,000 fine. Zhao could face far more time in prison and greater fines due to the additional counts.
-http://www.channelregister.co.uk/2011/05/27/cisco_ring_bust/
-http://www.computerworld.com/s/article/9217106/Jury_convicts_two_for_selling_cou
nterfeit_Cisco_gear?taxonomyId=17

-http://washingtonexaminer.com/blogs/capital-land/2011/05/2-convicted-selling-fak
e-computer-equipment



************************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/