3 Days left to Save $400 on SANS DFIR Summit

SANS NewsBites - Volume: XIII, Issue: 68


Surprisingly effective and innovative new security enhancements for
organizations running VMWare are being unveiled at the National
Cybersecurity Innovation Conference in DC in October.
See the Cloud and Mobile Security agenda at
http://www.sans.org/ncic-2011/
Alan

*************************************************************************
SANS NewsBites                     August 26, 2011                    Volume: XIII, Issue: 68
*************************************************************************
TOP OF THE NEWS

  US Department of Homeland Security Launches Internet Security Awareness Campaign
  New Computer Worm Spreading via RDP
  Online Crime Gang Steals US $13 Million in One Day
  ComScore Sued Over Extensive Privacy Violations

THE REST OF THE WEEK'S NEWS

  Email Used in Phishing Attack Against RSA Published
  Nokia Developer Forum Website Offline Following Security Breach
  Fraudulent Google Web Certificate Discovered
  Missing USB Key Results in Suspension for British Detective
  Facebook Bug Bounty Program Pays Out US $40K
  Effective National CERTs and ISPs Reduce Malware Infection Rates
  Student Sentenced to 30 Days and Fined US $15,000


************************ Sponsored By MANDIANT **************************

Register for MIRcon, Oct. 11-12, Alexandria, VA, MANDIANT's conference for the information security industry. Now in its second year, MIRcon promises to build on a successful inaugural debut with relevant topics that have made headlines within the last year.

Learn more at http://www.sans.org/info/85809

**************************************************************************

TRAINING UPDATE

- -- SANS Network Security 2011, Las Vegas, NV, September 17-26, 2011 45 courses. Bonus evening presentations include Securing the Kids; Who is Watching the Watchers?; and Emerging Trends in the Law of Information Security and Investigations
http://www.sans.org/network-security-2011/

- -- The National Security Architecture Workshop, DC, Sept. 29-30, 2011 2-day workshop discussing techniques to ensure security is considered in every step of the development life cycle.
http://www.sans.org/baking-security-applications-networks-2011/

- -- NCIC: The National Cybersecurity Innovations Conference, DC, Oct. 11-12, 2011 3 tracks - Cloud computing, Continuous Monitoring and Enterprise Mobile Security training
http://www.sans.org/ncic-2011/

- --SANS Chicago 2011, Chicago, IL, October 23-28, 2011 6 courses. Bonus evening presentations include Computer Forensics in the Virtual Realm and Electrical Grid Security
http://www.sans.org/chicago-2011/

- --SANS Seattle 2011, Seattle, WA, November 2-7, 2011 5 courses. Bonus evening presentations include Future Trends in Network Security; and Ninja Developers: Penetration Testing and Your SDLC
http://www.sans.org/seattle-2011/

- --SANS San Francisco 2011, San Francisco, CA, November 14-19, 2011 6 courses. Bonus evening presentations include The Worst Mistakes in Cloud Computing Security; Offensive Countermeasures; and Watching the Wire at Home
http://www.sans.org/san-francisco-2011/

- --SANS San Antonio 2011, San Antonio, TX, November 28-December 5, 2011 7 courses. Bonus evening presentations include Effective Methods for Implementing the 20 Critical Security Controls; and Assessing Deception: Are They Lying to You?
http://www.sans.org/san-antonio-2011/

- --Looking for training in your own community?
http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Melbourne, Delhi, London, Baltimore and Singapore all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

****************************************************************************


TOP OF THE NEWS

US Department of Homeland Security Launches Internet Security Awareness Campaign (August 26)
The US Department of Homeland Security has partnered with the Boys & Girls Clubs of America in a national campaign to raise Internet security awareness. The Stop.Think.Connect campaign will provide the Boys & Girls Clubs of America with tools and materials to raise Internet security awareness among young people. Commenting on the campaign, President Barack Obama said "Cybersecurity is not an end unto itself; it is instead an obligation that our governments and societies must take on willingly, to ensure that innovation continues to flourish, drive markets, and improve lives."
-http://www.msnbc.msn.com/id/44289394/ns/us_news/t/dhs-partners-boys-girls-clubs-america-cybersecurity/

[Editor's Note (Paller): To support the national security awareness campaign, more than a dozen states and many leading universities have banded together in a cooperative buying program to provide their hundreds of thousands of users with state of the art security awareness training, using their combined economic power to bring the cost down by more than 90%. Email jfitzgerald@sans.org if you have security awareness responsibility at a university or state or local government agency that should be allowed to be included in the cooperative program. ]


New Computer Worm Spreading via RDP (August 28)
A new worm dubbed Morto is infecting Windows systems over the Remote Desktop Protocol (RDP) by guessing weak passwords rather than by exploiting a software flaw. A system is exposed if it accepts RDP connections and its Windows Administrator account uses a weak password such as "123", "letmein" or "password". Once infected, the machine joins a botnet and starts scanning for further RDP hosts to attack. The SANS Internet Storm Center has observed a large spike in RDP scan traffic. Microsoft has published details of the worm and rated it severe, its highest alert level. Because the worm relies on weak credentials, there is no patch to apply: strong Administrator passwords and limiting which hosts can reach RDP are the defenses.
-http://www.theregister.co.uk/2011/08/28/morto_worm_spreading/
-http://www.scmagazineus.com/morto-worm-spreading-via-remote-desktop-connections/article/210803/
-http://www.networkworld.com/news/2011/082911-new-windows-worm-spreads-by-250194.html
-http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32%2fMorto.A
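
Because Morto leaves no exploit signature, the evidence of an attack is a burst of failed RDP logons in the Windows Security log. The following is an added example (not from the newsletter, Microsoft or the ISC) that reads a constructed CSV export of Security events and flags sources that fail many RemoteInteractive logons in a short window, then reports whether a successful logon followed. Event IDs 4625 and 4624 and logon type 10 are the real Windows values; the timestamps, account names and IP addresses are constructed, and the password list beyond the three the article names is constructed too.

```python
"""Detect RDP password guessing of the kind Morto performs.

Added example, not from the newsletter or Microsoft. It reads a constructed
CSV export of Windows Security events (event 4625 = failed logon, 4624 =
successful logon, logon type 10 = RemoteInteractive, i.e. RDP) and flags
sources that fail many RDP logons inside a short window."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: timestamp,event_id,logon_type,account,source_ip
SAMPLE_EVENTS = """\
2011-08-27T02:14:01,4625,10,Administrator,203.0.113.45
2011-08-27T02:14:02,4625,10,Administrator,203.0.113.45
2011-08-27T02:14:02,4625,10,Administrator,203.0.113.45
2011-08-27T02:14:03,4625,10,Administrator,203.0.113.45
2011-08-27T02:14:04,4625,10,Administrator,203.0.113.45
2011-08-27T02:14:05,4625,10,Administrator,203.0.113.45
2011-08-27T02:14:06,4624,10,Administrator,203.0.113.45
2011-08-27T03:00:00,4625,10,jsmith,198.51.100.7
2011-08-27T03:00:30,4624,10,jsmith,198.51.100.7
2011-08-27T03:10:00,4625,3,svc_backup,192.0.2.10
2011-08-27T03:10:01,4625,3,svc_backup,192.0.2.10
2011-08-27T03:10:02,4625,3,svc_backup,192.0.2.10
2011-08-27T03:10:03,4625,3,svc_backup,192.0.2.10
2011-08-27T03:10:04,4625,3,svc_backup,192.0.2.10
2011-08-27T03:10:05,4625,3,svc_backup,192.0.2.10
"""

# "123", "letmein" and "password" are from the article; the rest are constructed.
WEAK_PASSWORDS = {"123", "letmein", "password", "admin", "1234", "12345", "123456", "test"}


def parse_events(text):
    """Parse the CSV export into (time, event_id, logon_type, account, source) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, eid, ltype, account, src = line.split(",")
        events.append((datetime.fromisoformat(ts), int(eid), int(ltype), account, src))
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: verdict} for sources with >= threshold failed RDP
    logons inside `window`.

    Only logon type 10 counts, so a backup service failing network (type 3)
    logons does not trigger. If a type-10 success from the same source lands
    at or after the end of the burst, the guessing most likely succeeded."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, eid, ltype, _account, src in events:
        if ltype != 10:
            continue
        if eid == 4625:
            failures[src].append(ts)
        elif eid == 4624:
            successes[src].append(ts)
    verdicts = {}
    for src, times in failures.items():
        times.sort()
        for i, start in enumerate(times):
            burst = [t for t in times[i:] if t - start <= window]
            if len(burst) >= threshold:
                if any(s >= burst[-1] for s in successes.get(src, [])):
                    verdicts[src] = "password guessing followed by successful RDP logon"
                else:
                    verdicts[src] = "RDP password guessing"
                break
    return verdicts


def is_guessable(password):
    """True if the Administrator password is one Morto-style guessing would find."""
    return password.lower() in WEAK_PASSWORDS or len(password) < 8


if __name__ == "__main__":
    for src, verdict in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(f"{src}: {verdict}")
    print("letmein guessable:", is_guessable("letmein"))
```

Run against a real export, the interesting output is the "followed by successful RDP logon" verdict: a host that produced it should be treated as infected and checked for outbound RDP scanning, not merely given a new password.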



Online Crime Gang Steals US $13 Million in One Day (August 26)
A security breach at Fidelity National Information Services Inc. (FIS), a Florida-based payment processor, allowed criminals to withdraw US $13 million from ATMs around the world over a 24-hour period using cloned prepaid debit cards. The criminals had earlier gained access to FIS's prepaid debit card database and cloned 22 cards, which were sent to conspirators in different countries. At the close of business on Saturday May 5 the conspirators began withdrawing money from ATMs in countries including Greece, Russia, Spain, Sweden, Ukraine and the United Kingdom, and continued for 24 hours. Whenever a card's prepaid balance ran out, the criminals remotely reset it, so the limits on each card did not stop the withdrawals. It is not clear who was behind the attack, but journalist Brian Krebs, who investigated the breach in detail, said it has the characteristics of Russian or Eastern European criminal gangs.
-http://www.msnbc.msn.com/id/44291945/ns/technology_and_science-security/
-http://www.ksl.com/index.php?nid=895&sid=17006686
-http://krebsonsecurity.com/2011/08/coordinated-atm-heist-nets-thieves-13m/


ComScore Sued Over Extensive Privacy Violations (August 24)
A class action lawsuit filed in a federal court in Chicago alleges that the Internet tracking and analytics firm comScore has been using highly aggressive tactics to surreptitiously collect large amounts of personal data on individuals. The lawsuit cites the Stored Communications Act, the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act and the Illinois Consumer Fraud and Deceptive Practices Act. The plaintiffs claim comScore collects information such as Social Security numbers, credit card numbers, passwords and other data from individuals' computers. The suit also alleges that comScore's software, once installed, modifies the computer's security settings, opens backdoors, redirects Internet traffic and scans documents and emails for information. On one of its websites comScore states that its software "monitors all of the Internet behavior that occurs on the computer on which you install the application, including both your normal web browsing and the activity that you undertake during secure sessions, such as filling a shopping basket, completing an application form or checking your online accounts". The comScore software is usually installed when the user downloads free software such as screen savers or music sharing programs. A spokesman for comScore called the lawsuit meritless.
-http://www.theregister.co.uk/2011/08/24/comscore_privacy_lawsuit/
-http://www.computerworld.com/s/article/9219444/Lawsuit_accuses_comScore_of_extensive_privacy_violations
-http://www.eweek.com/c/a/Security/comScore-Accused-of-Aggressive-Surreptitious-Online-Data-Collection-in-Lawsuit-759357/

[Editor's Note (Schultz): The amount of personally-identifiable information that is typically collected in the course of users browsing Web sites is appalling. Citizens of EU countries should in particular be outraged, but instead there is a kind of collective ignorance that keeps Internet users, whether from EU countries or elsewhere, from waking up to reality. ]



*************************** SPONSORED LINKS ******************************

1) Trade in your current NAC solution for ForeScout CounterACT Virtual Appliance today! Limited time promotional offer. http://www.sans.org/info/85814

2) Do not miss Tomorrow's SANS Ask the Expert Webcast: Leveraging SSL to Battle Emerging Security Threats. Sign up at: http://www.sans.org/info/85819

3) Be entered in a drawing to WIN a $100 American Express gift card. Please take five minutes to help us improve the type and quality of Vendor Programs at SANS Conferences http://www.sans.org/info/85824

****************************************************************************


THE REST OF THE WEEK'S NEWS

Email Used in Phishing Attack Against RSA Published (August 26)
Researchers at Finnish anti-virus firm F-Secure believe they have found a copy of the email used in the phishing attack against RSA earlier this year. According to F-Secure, the email was sent on March 3 to four employees of RSA's parent company EMC. It carried an Excel spreadsheet named "2011 Recruitment Plan.xls", and its body read simply "I forward this file to you for review. Please open and view it." Opening the spreadsheet ran an embedded malicious Adobe Flash object, which exploited a then-unknown Flash vulnerability (since patched by Adobe) to install the Poison Ivy backdoor.
-http://www.theregister.co.uk/2011/08/26/rsa_attack_email_found/
-http://www.computerworld.com/s/article/9219519/Was_this_the_e_mail_that_took_down_RSA_
-http://www.v3.co.uk/v3-uk/news/2104821/-secure-reveals-email-malicious-excel-attachment-breach-rsa-security
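
A spreadsheet has no business carrying a Flash object, so the attachment could have been caught at the mail gateway by carving for the SWF signature. The following is an added example, not F-Secure's or RSA's tooling: a .xls file is an OLE compound document and an embedded Flash object lives in one of its streams, so a raw scan of the bytes finds it without parsing the OLE structure. The sample attachment is constructed (OLE magic, filler text, a fake compressed-SWF header); the 64 MiB length ceiling is an assumption used to reject accidental matches.

```python
"""Carve embedded Flash (SWF) objects out of an e-mail attachment.

Added example, not F-Secure's tooling. An SWF file starts with a 3-byte
signature ("FWS" uncompressed, "CWS" zlib, "ZWS" LZMA), a version byte and
the uncompressed length as a little-endian uint32. Scanning for that header
inside an attachment catches a Flash object embedded in an Office file."""
import struct

SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")
MAX_SWF_LEN = 64 * 1024 * 1024  # assumption: larger declared lengths are noise


def find_swf(blob):
    """Return [(offset, signature, version, declared_len)] for plausible SWF headers.

    Ordinary text can contain the bytes "FWS" too, so the version and length
    fields are sanity-checked before an offset is reported."""
    hits = []
    for sig in SWF_SIGNATURES:
        pos = blob.find(sig)
        while pos != -1:
            if pos + 8 <= len(blob):
                version = blob[pos + 3]
                (length,) = struct.unpack_from("<I", blob, pos + 4)
                plausible = 1 <= version <= 40 and 8 <= length <= MAX_SWF_LEN
                # An uncompressed SWF cannot claim more bytes than are present.
                if sig == b"FWS" and length > len(blob) - pos:
                    plausible = False
                if plausible:
                    hits.append((pos, sig.decode(), version, length))
            pos = blob.find(sig, pos + 1)
    return sorted(hits)


def build_sample_attachment():
    """Constructed stand-in for the malicious spreadsheet: OLE compound-file
    magic, some filler that happens to contain the text "FWS", then a fake
    zlib-compressed SWF header (version 10, declared length 1234)."""
    ole_magic = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
    filler = b"\x00" * 512 + b"Recruitment Plan FWS is NEWS" + b"\x00" * 64
    swf = b"CWS" + bytes([10]) + struct.pack("<I", 1234) + b"\x78\x9c" + b"\x00" * 32
    return ole_magic + filler + swf


if __name__ == "__main__":
    for off, sig, ver, ln in find_swf(build_sample_attachment()):
        print(f"SWF {sig} v{ver} at offset {off}, declared length {ln}")
```

The text "FWS is NEWS" in the filler is not reported because the bytes after it decode to a version of 32 and a declared length in the hundreds of megabytes; the real header at offset 612 is. A gateway rule that quarantines any Office attachment with a hit here would have stopped this particular lure regardless of the Flash vulnerability it carried.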



Nokia Developer Forum Website Offline Following Security Breach (August 29)
Finnish cell phone manufacturer Nokia has taken its developer forum website offline following a security breach in which an attacker gained access to forum members' personal information, including email addresses and dates of birth. Nokia said the attacker obtained the data through an SQL injection attack against a vulnerability in the bulletin board software used for the forum. The website remains offline while Nokia investigates the breach.
-http://www.theregister.co.uk/2011/08/29/nokia_website_hacked/
-http://www.bbc.co.uk/news/technology-14706810
-http://www.infosecurity-us.com/view/20396/nokia-shuts-down-developer-site-after-members-data-was-compromised/
-http://www.h-online.com/security/news/item/Hacker-steals-user-data-from-Nokia-developer-forum-1332867.html
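
The newsletter does not name the forum software or the vulnerable query, so the following is an added example rather than Nokia's code: a member lookup of the kind a bulletin board does, written once by splicing the username into the SQL text and once with a bound parameter, run against a constructed SQLite table of members (names, e-mails and dates of birth are made up). The two payloads show the attack reaching first every member's row and then the database schema itself.

```python
"""Forum member lookup: injectable vs. parameterized SQL.

Added example, not Nokia's forum code. A small in-memory SQLite table of
members (constructed data) stands in for the forum database."""
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (username TEXT, email TEXT, dob TEXT)")
    db.executemany("INSERT INTO members VALUES (?, ?, ?)", [
        ("alice", "alice@example.net", "1980-01-02"),
        ("bob", "bob@example.net", "1975-06-07"),
        ("carol", "carol@example.net", "1990-11-12"),
    ])
    return db


def lookup_vulnerable(db, username):
    # Bug: user input is spliced into the SQL text, so a quote in the input
    # ends the string literal and the rest is parsed as SQL.
    sql = "SELECT username, email, dob FROM members WHERE username = '%s'" % username
    return db.execute(sql).fetchall()


def lookup_safe(db, username):
    # Fix: bind the value. The driver passes it as data, whatever it contains,
    # so the query structure cannot change.
    sql = "SELECT username, email, dob FROM members WHERE username = ?"
    return db.execute(sql, (username,)).fetchall()


# Tautology: turns the WHERE clause into "username = 'nobody' OR '1'='1'".
PAYLOAD = "nobody' OR '1'='1"
# UNION: appends a query against SQLite's schema table; "--" comments out
# the trailing quote the application adds.
UNION_PAYLOAD = "x' UNION SELECT name, sql, '' FROM sqlite_master --"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology:", lookup_vulnerable(db, PAYLOAD))
    print("vulnerable, union:    ", lookup_vulnerable(db, UNION_PAYLOAD))
    print("safe:                 ", lookup_safe(db, PAYLOAD))
```

The safe version returns an empty list for both payloads because no member is literally named `nobody' OR '1'='1`. Parameter binding is the fix; escaping quotes by hand is fragile and is how forum software of that era usually went wrong.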



Fraudulent Google Web Certificate Discovered (August 29)
Researchers have discovered that a fraudulent web certificate for *.google.com had been available on the Internet for a number of weeks. The certificate was issued on July 10 by DigiNotar, a certificate authority based in the Netherlands. Because browsers trusted DigiNotar, whoever holds the certificate's private key can impersonate any Google service that uses SSL, such as Gmail, and intercept traffic to it. The forgery was first detected by a user in Iran, raising concerns that it was being used to intercept the email of dissidents. Google and Mozilla have issued updates to the Chrome and Firefox browsers that block all certificates issued by DigiNotar.
-http://www.theregister.co.uk/2011/08/29/fraudulent_google_ssl_certificate/
-http://www.computerworld.com/s/article/9219569/Hackers_acquire_Google_certificate_could_hijack_Gmail_accounts

[Editor's Note (Schultz): Certificates have for a long time been promoted as a way to strengthen authentication. Recent events such as theft of certificates from certificate providers whose servers have been compromised and the discovery of forged certificates are rapidly eroding confidence in certificate-based authentication, however. ]
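
The point of the browser updates is that the rogue certificate is valid by every ordinary rule: it chains to a root the browser shipped, and its wildcard name matches mail.google.com. The following is an added example, not Chrome's or Firefox's code, that models the policy part of chain validation (hostname matching, chain linkage, trusted roots and a distrust list) over certificates represented as dicts; it does no signature or expiry checking, and every name other than DigiNotar and google.com is constructed. The same chain passes with an empty distrust list and fails once DigiNotar is on it.

```python
"""Browser-style policy check for a certificate chain.

Added example, not browser code. Certificates are dicts with 'subject',
'issuer' and (for the leaf) 'names'; no cryptography is checked, only the
policy that decides whether a syntactically valid chain is accepted."""

# Substrings of CA names the browser refuses to trust anywhere in a chain.
DISTRUSTED = ("DigiNotar",)


def hostname_matches(pattern, host):
    """RFC 6125-style matching: '*' may only be the whole leftmost label and
    matches exactly one label, so '*.google.com' matches mail.google.com but
    neither google.com nor a.b.google.com."""
    pattern, host = pattern.lower(), host.lower()
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split(".")[1:], host.split(".")
    return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels


def check_chain(chain, host, trusted_roots, distrusted=DISTRUSTED):
    """chain[0] is the leaf, each later cert issued the one before it.
    Returns (ok, reason)."""
    leaf = chain[0]
    if not any(hostname_matches(n, host) for n in leaf.get("names", [])):
        return False, f"no name in leaf matches {host}"
    for cert in chain:
        for field in ("subject", "issuer"):
            if any(d in cert[field] for d in distrusted):
                return False, f"distrusted CA in chain: {cert[field]}"
    for child, parent in zip(chain, chain[1:]):
        if child["issuer"] != parent["subject"]:
            return False, f"broken link: {child['subject']} not issued by {parent['subject']}"
    if chain[-1]["issuer"] not in trusted_roots:
        return False, f"chain does not end at a trusted root: {chain[-1]['issuer']}"
    return True, "ok"


# Constructed trust store as a browser shipped it before the update: the
# DigiNotar root is trusted like any other.
TRUSTED_ROOTS = {"Example Trusted Root CA", "DigiNotar Root CA"}

GOOD_CHAIN = [
    {"subject": "CN=*.google.com", "issuer": "Example Intermediate CA",
     "names": ["*.google.com", "google.com"]},
    {"subject": "Example Intermediate CA", "issuer": "Example Trusted Root CA"},
]
# Constructed model of the rogue certificate: well-formed, chains to a
# trusted root, wildcard name for Google.
ROGUE_CHAIN = [
    {"subject": "CN=*.google.com", "issuer": "DigiNotar Public CA",
     "names": ["*.google.com"]},
    {"subject": "DigiNotar Public CA", "issuer": "DigiNotar Root CA"},
]

if __name__ == "__main__":
    print("good chain:", check_chain(GOOD_CHAIN, "mail.google.com", TRUSTED_ROOTS))
    print("rogue, old policy:", check_chain(ROGUE_CHAIN, "mail.google.com", TRUSTED_ROOTS, distrusted=()))
    print("rogue, updated:", check_chain(ROGUE_CHAIN, "mail.google.com", TRUSTED_ROOTS))
```

Note that removing the DigiNotar root from the store alone would not be enough if a DigiNotar intermediate were cross-signed by another trusted root; checking every certificate in the chain against the distrust list, as above, is what makes the block complete.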

Missing USB Key Results in Suspension for British Detective (August 28)
A detective constable working with the serious crime team for the Greater Manchester police force in the United Kingdom has been suspended pending an investigation after a USB key containing sensitive information was stolen from his home. The information contained on the USB stick includes the details of people who confidentially provided the Greater Manchester police with information on those involved in criminal activity such as drug dealing. The information on the USB stick was not encrypted, contrary to policy, and should not have been in the detective's home. The police have been in touch with those impacted by the breach.
-http://www.dailymail.co.uk/news/article-2030949/Detective-suspended-thieves-steal-vital-police-data-home.html



Facebook Bug Bounty Program Pays Out US $40K (August 29)
Since its inception earlier this month the Facebook bug bounty program has already paid out more than US $40,000 to people who identified security vulnerabilities in the company's social networking site. In a blog post Facebook's Chief Security Officer, Joe Sullivan, said the company has "paid more than US $40,000 to security experts around the world. One person has received more than US $7,000 for 6 different issues flagged." He added that one person got US $5,000 for "one really good report". The bug bounty program only applies to the main Facebook website and not to the Facebook platform which hosts third party apps.
-http://www.networkworld.com/news/2011/082911-in-just-three-weeks-facebook-250212.html

-http://www.pcmag.com/article2/0,2817,2392041,00.asp
[Editor's Note (Schultz): Before these statistics can be meaningfully evaluated, definitions of nebulous terms such as "good" and "responsible" need to be offered. ]


Effective National CERTs and ISPs Reduce Malware Infection Rates (August 28)
Analysis by Microsoft of data gathered by its Malicious Software Removal Tool indicates that countries with effective national Computer Emergency Response Teams (CERTs) and responsible ISPs have much lower malware infection rates than countries with a more lax environment. Using data from the last quarter of 2010 and measuring computers cleaned per mille (CCM), that is, per 1,000 computers scanned, Austria recorded 3.3 CCM, Finland 2.3, Germany 5.3 and Japan 2.3, against a global average of 8.3. In a blog post on the topic Microsoft's Tim Rains said "Governments, the IT industry, and Internet access providers should ensure the health of consumer devices before granting them unfettered access to the Internet".
-http://www.pcworld.com/article/239010/nations_with_low_malware_rates_have_better_isps.html
-http://blogs.technet.com/b/security/archive/2011/08/24/finale-lessons-from-some-of-the-least-malware-infected-countries-in-the-world-part-6.aspx



Student Sentenced to 30 Days and Fined US $15,000 (August 26)
Omar Khan, a 21-year-old high school graduate, was sentenced to 30 days in jail and fined US $15,000 for repeatedly breaking into the computer systems of Tesoro High School in Orange County. The intrusions took place in 2008, when Khan was a student at the school; he broke in to change his grades and steal test papers. Khan was also ordered to serve 500 hours of community service and to remain on probation for three years.
-http://articles.ocregister.com/2011-08-26/news/29936687_1_plea-agreement-plea-deal-service-projects



************************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/