SANS NewsBites - Volume: XIII, Issue: 51

*************************************************************************
SANS NewsBites                     June 28, 2011                    Volume: XIII, Issue: 51
*************************************************************************
TOP OF THE NEWS

  DHS Moves To Boost Security of Software
  Supreme Court to Consider Issue of Warrantless GPS Tracking
  Film Industry Seeks to Block Site That Hosts Pirated Movies
  Class Action Lawsuit Filed Against Sony

THE REST OF THE WEEK'S NEWS

  FCC Net Neutrality Rules Heading to OMB
  CitiBank Account Thieves Steal US $2.7 Million
  ChronoPay Co-Founder Arrested Over Alleged DDoS Attack
  LulzSec Says Its Closing Up Shop
  Group Claims List Identifies Some LulzSec Members
  Righthaven Claims Legal Standing to Sue After Modifying Agreement with Publisher
  Apple Updates Mac OS X; Will Release Lion 10.7 Next Month
  Travelodge Customer Data Breach
  Oregon Police Have Surveillance Video of Suspects in Michaels Skimming Case
  Vermont Law Barring Use of Prescription Data for Marketing Found Unconstitutional


****************** SPONSORED BY ArcSight, an HP Company ***************

Logs, Liberty and the Pursuit of Happiness. ArcSight Logger is the first Universal Log Management solution that unifies searching, reporting, alerting and analysis across any type of enterprise log data. Logger is unique in its ability to collect, analyze and store massive amounts of data. Get your FREE ArcSight Logger - download it today! http://www.sans.org/info/80754

*************************************************************************

TRAINING UPDATE

- --SANSFIRE 2011, Washington, DC, July 15-24, 2011 42 courses. Bonus evening presentations include Ninja developers: Penetration testing and Your SDLC; and Are Your Tools Ready for IPv6?
http://www.sans.org/sansfire-2011/

- --SANS Boston 2011, Boston, MA, August 8-15, 2011 13 courses. Bonus evening presentations include Cost Effectively Implementing PCI through the Critical Controls; and More Practical Insights on the 20 Critical Controls
http://www.sans.org/boston-2011/

- --SANS Virginia Beach 2011, August 22- September 2, 2011 11 courses. Bonus evening presentations include SANS Hacklab; Offensive Countermeasures; and Evolving VoIP Threats
http://www.sans.org/virginia-beach-2011/

- --SANS Ottawa 2011, Ottawa, Ontario, August 28- September 2, 2011 6 courses. Bonus evening presentations include DNS Sinkhole: Peer Into Your Network While You Sleep; and I See What You Did There: Forensic Time Line Analysis
http://www.sans.org/ottawa-2011/

- --SANS Network Security 2011, Las Vegas, NV, September 17-26, 2011 46 courses. Bonus evening presentations include Securing the Kids; Who is Watching the Watchers?; and Emerging Trends in the Law of information Security and Investigations
http://www.sans.org/network-security-2011/

- --SANS Chicago 2011, Chicago, IL, October 23-28, 2011 6 courses. Bonus evening presentations include Computer Forensics in the Virtual Realm and Electrical Grid Security
http://www.sans.org/chicago-2011/

- --Looking for training in your own community?
http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Canberra, Melbourne, Tokyo and London all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

****************************************************************************


TOP OF THE NEWS

DHS Moves To Boost Security of Software (June 27, 2011)
The Homeland Security Department unveiled a new system of guidance on Monday intended to help make the software behind Web sites, power grids and other services less susceptible to hacking. The system includes an updated list of the top 25 programming errors that enable today's most serious hacks. The list, topped by SQL-injection vulnerabilities, is an attempt to address the "root-cause issues" behind cyberattacks, one official said. The announcement also includes a way to rate programming errors for importance in differing environments from embedded systems to web applications. The overall initiative is designed to help software programmers eliminate the most dangerous types of mistakes and enable organizations to demand and buy more secure products. Colleges and trade schools need to take far more responsibility for ensuring their graduates who write programs can do so securely.
-http://www.nytimes.com/2011/06/28/technology/28secure.html
-http://www.forbes.com/feeds/ap/2011/06/27/technology-us-protecting-websites_8538
005.html


-http://www.washingtontimes.com/news/2011/jun/28/cybersecurity-experts-warn-commo
n-software-error/

-http://www.technologyreview.com/web/37901/

[Editor's Note (Paller): More than 180 news organizations from the New York Times to the Financial Times, and from SC Magazine to InformationWeek to NextGov, and even AP and Reuters covered this important, industry-changing move by the US Department of Homeland Security. It's one of several examples where DHS is demonstrating strong technical innovation in cybersecurity making it increasingly more qualified to be the organization that should be called upon to protect the US government and critical infrastructure networks and systems from cyber attacks. ]


Supreme Court to Consider Issue of Warrantless GPS Tracking (June 27, 2011)
The US Supreme Court will review the constitutionality of surreptitiously placing GPS devices on suspects' vehicles without a warrant. The Justice Department maintains that "a person has no reasonable expectation of privacy in his movements from one place to another," and is seeking to overturn a lower court decision that reversed the conviction and subsequent life sentence in prison for a cocaine dealer whose movements were tracked in this way. That case was decided in the US Court of Appeals for the District of Columbia Circuit; three other circuit courts of appeal have ruled that using a GPS device to track a vehicle does not require a warrant. The court will not make a decision before its next term begins in October.
-http://www.wired.com/threatlevel/2011/06/warrantless-gps-monitoring-scotus/


Film Industry Seeks to Block Site That Hosts Pirated Movies (June 27, 2011)
The Motion Picture Association is seeking an injunction that would force BT to sever access to a website that hosts pirated films. The MPA wants BT to use the same technology that it uses to block child pornography sites to block the Newzbin site. BT was chosen as the target of the injunction because it is the largest Internet service provider (ISP) in the UK and because it provides a site blocking system called Cleanfeed to other ISPs. The MPA is the international counterpart to the Motion Picture Association of America (MPAA).
-http://www.bbc.co.uk/news/technology-13927335


Class Action Lawsuit Filed Against Sony (June 24, 2011)
Sony is facing a class action lawsuit over the attack earlier this year on its PlayStation Network (PSN) and Qriocity. The lawsuit alleges that Sony took steps to protect proprietary information but did not take adequate precautions to protect customer data. "Confidential witnesses cooperating in
[the ]
investigation" have reportedly said that Sony did not install a permanent firewall on PSN despite having suffered smaller attacks on the network prior to the one that made headlines. The suit also alleges that Sony fired security workers several days before the attacks began.
-http://www.scmagazineus.com/sony-faces-new-lawsuit-following-psn-hack/article/20
6106/




*************************** SPONSORED LINKS ******************************

1) Be one of the first to download the Symantec Endpoint Protection 12 Beta. http://www.sans.org/info/80759

2) Learn how to secure your network during the IPv6 transition at the Security Impact of IPv6 Summit July 15th in Washington DC and take advantage of the post-Summit IPv6 Essentials course July 16th. http://www.sans.org/info/80764/

3) REGISTER NOW for the upcoming Analyst Webcast: Protecting Access and Data: A Review of DigitalPersona Pro Version 5.1 NEW DATE - Thursday, July 14, 2011 Start Time: 1:00 PM EDT (1700 UTC/GMT) Featuring: Jim Hietala & Fabio Santini http://www.sans.org/info/80769

****************************************************************************


THE REST OF THE WEEK'S NEWS

FCC Net Neutrality Rules Heading to OMB (June 27, 2011)
The Federal Communications Commission's (FCC) net neutrality rules are expected to be sent to the Office of Management and Budget (OMB) for review this week. The rules' submission means they have taken a step toward becoming official, but also toward being challenged in court. Some carriers have already attempted to file lawsuits challenging the rules but they were thrown out because the rules had not yet been published in the Federal Register. The timing of the FCC's submission means it will likely be September or later before the rules are published in the Federal Register.
-http://www.washingtonpost.com/blogs/post-tech/post/fccs-net-neutrality-rules-abo
ut-to-be-official-and-invite-lawsuits/2011/06/27/AGMnlonH_blog.html



CitiBank Account Thieves Steal US $2.7 Million (June 24 & 27, 2011)
An attack on Citibank servers that resulted in the theft of customer data has resulted in losses of US $2.7 million. Citibank will cover the losses incurred as a result of the attack; customers will not be liable. The funds were taken from about 3,400 accounts, although more than 360,000 accounts were compromised. Citibank has, thus far, issued new cards to 217,000 customers.
-http://www.h-online.com/security/news/item/Citibank-customers-lost-2-7-million-i
n-recent-attack-1268302.html

-http://www.computerworld.com/s/article/9217932/Citigroup_hackers_made_2.7_millio
n?taxonomyId=17



ChronoPay Co-Founder Arrested Over Alleged DDoS Attack (June 27, 2011)
Authorities in Russia have arrested Pavel Vrublevsky for allegedly hiring someone to launch distributed denial-of-service (DDoS) attacks against a rival company. Vrublevsky is a co-founder of ChronoPay, a Russian payment processing firm; he is also believed to be a part owner of a rogue online pharmacy. The court has denied bail for Vrublevsky. The DDoS attack in question occurred last summer when ChronoPay and a rival company, Assist, were competing for an online payment handling contract with Aeroflot.
-http://krebsonsecurity.com/2011/06/chronopay-co-founder-arrested/
-http://www.theregister.co.uk/2011/06/27/chronopay_arrests/
-http://news.techworld.com/security/3288102/russian-ceo-arrested-for-alleged-ddos
-attack-on-rival/



LulzSec Says Its Closing Up Shop (June 25 & 26, 2011)
LulzSec, the group that has claimed responsibility for cyber attacks on a number of highly visible sites over the last several weeks, has announced that it is disbanding. The group made the announcement through its Twitter account. The group counts among its targets such prominent organizations as Sony, Nintendo, PBS and the US Senate. There are suspicions that the disbanding could be a response to the arrest of a 19-year-old UK man in connection with an attack on the Britain's Serious Organized Crime Agency's website. The man, Ryan Cleary, is now free on bail.
-http://www.bbc.co.uk/news/uk-13918458
-http://www.h-online.com/security/news/item/Last-LOL-for-LulzSec-as-hackers-disba
nd-group-1268090.html

-http://www.computerworld.com/s/article/9217938/LulzSec_calls_it_quits_after_50_d
ays_of_mayhem_?taxonomyId=203

-http://news.cnet.com/8301-13506_3-20074694-17/alleged-hacker-ryan-cleary-out-on-
bail/?tag=mncol;title



Group Claims List Identifies Some LulzSec Members (June 27, 2011)
In the wake of LulzSec's apparent retirement, attacks reportedly conducted by Anonymous have increased, and some LulzSec members are now saying that they are now members of Anonymous. A group calling itself the A-Team has published a list of names and associated information of people it says are members of LulzSec. The data include Facebook URLs and addresses.
-http://technolog.msnbc.msn.com/_news/2011/06/27/6956759-anonymous-seizes-tunisia
n-government-site

-http://latimesblogs.latimes.com/technology/2011/06/hacker-group-claims-to-expose
-identitites-of-lulzsec-members.html

-http://www.computerworld.com/s/article/9217940/Anonymous_claims_LulzSec_members_
steps_up_attacks?taxonomyId=17



Righthaven Claims Legal Standing to Sue After Modifying Agreement with Publisher (June 24, 2011)
Righthaven has told a judge that it now has full copyright ownership over some of the content of the Las Vegas Review Journal, giving it the right to sue alleged copyright violators. Several recent decisions found that Righthaven lacked legal standing to sue for copyright infringement because it did not have ownership of the content in question. Righthaven said its agreement with Stephens Media, of which the Las Vegas Review-Journal is one publication, has been altered so it has legal standing to sue alleged violators.
-http://www.wired.com/threatlevel/2011/06/righthaven-survival-bid/


Apple Updates Mac OS X; Will Release Lion 10.7 Next Month (June 24, 2011)
Apple has released an update for Mac OS X, bringing the most current version of the operating system, known as Snow Leopard, to 10.6.8. The updated version fixes about three dozen vulnerabilities that could be exploited to execute arbitrary code, disclose sensitive information or cause denial-of-service conditions. From this release forward, Apple plans to release Mac OS X 10.7, which is named Lion, in July.
-http://www.scmagazineus.com/apple-updates-snow-leopard-preps-for-lion/article/20
6088/

-http://support.apple.com/kb/HT4723


Travelodge Customer Data Breach (June 24, 2011)
Travelodge UK has acknowledged that its customer database suffered a security breach, but says that the attack did not compromise any financial information. The company is warning customers that their email addresses may have been compromised; some customers have reported receiving spam sent from what appear to be official accounts. Travelodge has informed the Information Commissioner's Office (ICO) of the breach.
-http://www.scmagazineuk.com/travelodge-warns-of-spam-emails-but-downplays-rumour
s-of-hacking-or-customer-data-being-sold/article/206022/

-http://www.theregister.co.uk/2011/06/24/travelodge_hacked/
-http://tech.uk.msn.com/news/articles.aspx?cp-documentid=158357606
-http://www.bbc.co.uk/news/technology-13900831s


Oregon Police Have Surveillance Video of Suspects in Michaels Skimming Case (June 24, 2011)
Police in Beaverton, Oregon are seeking the public's help in identifying four people who were caught on surveillance video using cloned payment cards made with information stolen through skimmers on point-of-sale terminals at Michaels craft stores. The group behind the skimming scheme has affected debit accounts in 20 US states. Michaels is facing four lawsuits as a result of the breach.
-http://www.bankinfosecurity.com/articles.php?art_id=3785


Vermont Law Barring Use of Prescription Data for Marketing Found Unconstitutional (June 23 & 24, 2011)
The US Supreme Court has struck down as unconstitutional a Vermont law that forbids the use of prescription data pharmacies collect to be used for marketing. In a 6-3 decision, the Court ruled that Vermont's law violated the pharmaceutical industry's First Amendment right to market their products. The Vermont law banned the use of the information collected by pharmaceutical companies for marketing purposes, but did allow the information to be used for health care research and educational purposes and could also be accessed by journalists, insurance companies and law enforcement agencies. The ruling is likely to quash the passage of similar laws in other states.
-http://www.informationweek.com/news/healthcare/security-privacy/231000397
-http://articles.boston.com/2011-06-24/news/29699961_1_prescription-privacy-presc
ription-data-prescription-patterns

-http://www.usatoday.com/news/washington/judicial/supremecourtopinions/2011-06-23
-supreme-court-prescription-data-mining_n.htm



************************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/