Data Center Risk - Tell us how you manage it and enter to win iPad

SANS NewsBites - Volume: XIV, Issue: 54


The US Court of Appeals raised the stakes in cybersecurity liability for
banks. See the first story in TOP OF THE NEWS.

Today at 10 PM EDT is the deadline for nominations for the most
prestigious awards in cyber security - The National Cybersecurity
Innovation Awards. Presented in 2011 by the White House Cyber
Coordinator, Howard Schmidt, these national and international awards are
the only recognition programs where winners have shown actual
cybersecurity risk improvement and may be models for broad adoption.
Products and techniques identified in these awards have seen rapid
broad-scale adoption. See http://www.sans.org/cyber-innovation-awards

Alan
PS Some of the best nominations so far are for innovative uses of widely
used products like those from Symantec.

*************************************************************************
SANS NewsBites                     July 06, 2012                    Volume: XIV, Issue: 54
*************************************************************************
TOP OF THE NEWS

  Appeals Court Finds Bank's Online Security Measures Inadequate

THE REST OF THE WEEK'S NEWS

  Microsoft to Issue Patch for XML Core Services Vulnerability on July 10
  iOS App Store Serving Corrupted Apps
  Tenenbaum Sentenced to Time Served for Bank Card Fraud
  European Parliament Rejects ACTA
  Six Arrested in Connection with Hong Kong Exchange DDoS Extortion Scheme
  European Court Says Software Licenses May be Resold
  DARPA Develops Disinformation Technology Prototype
  Microsoft Names Two of the John Does in ZeuS Complaint
  DISA Back-Up Systems Maintained Connectivity During Power Outages
  Man Convicted in Online Financial Fraud Case
  Verizon Says FCC's Net Neutrality Rules Violate Constitution
  Jet Engine Company Guilty of Exporting Military Software to China


****************************** SPONSORED BY SANS **************************
SANS Analyst Webcast: Server Security and Compliance: A Review of McAfee's Product Portfolio for Server Security by senior SANS Analyst Jim D. Hietala
http://www.sans.org/info/109729
****************************************************************************
TRAINING UPDATE
- --Security Impact of IPv6 Summit, Washington, DC July 6, 2012 Walk away with best practices from some who have already implemented IPv6, in large networks, for a few years.
http://www.sans.org/ipv6-summit-2012/

- --SANSFIRE 2012, Washington, DC July 6-15, 2012 45 courses. Bonus evening presentations include Critical Infrastructure Control Systems Cybersecurity; and Why Don't We Consider Our Cars Critical Infrastructure?, Authentication Issues Between Entities During Protocol Message Exchange in SCADA Systems, many more.
http://www.sans.org/sansfire-2012/

- --SANS San Francisco 2012, San Francisco, CA July 30-August 6, 2012 8 courses. Bonus evening presentations include All Your Hash Are Belong to Us: Targeting Windows Password Hashes for Penetration; Spear Phishing and Targeted Attacks; and Assessing Deception.
http://www.sans.org/san-francisco-2012/

- --SANS Boston 2012, Boston, MA August 6-11, 2012 8 courses. Bonus evening presentations include SIFT Workstation: The Art of Incident Response; and Everything I Know is Wrong! How to Lead a Security Team in a Time of Unprecedented Change and Challenge.
http://www.sans.org/boston-2012/

- --SANS Virginia Beach 2012, Virginia Beach, VA August 20-31, 2012 10 courses. Bonus evening presentations include Information Assurance Metrics: Practical Steps to Measurement; and Who's Watching the Watchers?
http://www.sans.org/virginia-beach-2012/

- --SANS Network Security 2012, Las Vegas, NV September 16-24, 2012 46 courses. Bonus evening presentations include Evolving Threats; New Legal Methods for Collecting and Authenticating Cyber Investigation Evidence; and Intrusion Detection is Dead.
http://www.sans.org/network-security-2012/

- --Looking for training in your own community?
http://www.sans.org/community/

- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Bangkok, San Antonio, Melbourne, Arlington, VA, and Prague all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
***************************************************************************

TOP OF THE NEWS

Appeals Court Finds Bank's Online Security Measures Inadequate (July 4 & 5, 2012)
The First Circuit Court of Appeals in Boston has found that online security measures deployed by Ocean Bank (now known as People's United Bank) were not "commercially reasonable." The case arose from a series of unauthorized Automated Clearinghouse (ACH) transfers totaling US $588,000 from Sanford, Maine-based Patco Construction Company. US $243,000 of the purloined funds was recovered, which left Patco with a loss of US $345,000. The ruling reverses a lower court ruling which found in favor of the bank. Although the ruling does not mean that the bank will be forced to reimburse Patco for its losses, it does indicate a shift toward placing liability for such losses with the banks.
-http://www.computerworld.com/s/article/9228796/Federal_appeals_court_raps_bank_o
ver_shoddy_online_security?taxonomyId=17

-http://www.bankinfosecurity.com/patco-ach-fraud-ruling-reversed-a-4919
-http://docs.ismgcorp.com/files/external/First_Circuit_Order_070312.PDF
[Editor's Note (Murray): This is an important decision. The magistrate for the lower court endorsed a flawed implementation (user ID and Password plus weak challenge-response) of flawed guidance (New guidance is not much of an improvement) from the FFIEC (a weak institution). Fortunately for most of us, the appeals court did not. Banks must use authentication that resists re-play and have strong "back-office" controls to ensure that transactions are reasonable for the customer.
-http://whmurray.blogspot.com/search?q=PATCO]




************************** Sponsored Links: *************************
1) New Analyst Paper in the SANS Reading room! Streamline Risk Management by Automating the SANS 20 Critical Security Controls by senor SANS Analyst James Tarala http://www.sans.org/info/109739
2) Special Webcast: IBM X-Force(R) Declared 2011 the "Year of the Security Breach" July 11, 2012 at 12:30 PM EDT. http://www.sans.org/info/109744
************************************************************************

THE REST OF THE WEEK'S NEWS

Microsoft to Issue Patch for XML Core Services Vulnerability on July 10 (July 5, 2012)
On Tuesday, July 10, Microsoft plans to issue nine security bulletins to address a total of 16 vulnerabilities. Three of the bulletins have maximum severity ratings of critical, while the remaining bulletins are rated important. The updates will address issues in Windows, Internet Explorer (IE), Microsoft Office, Microsoft Developer Tools, and Microsoft Server Software. One of the vulnerabilities addressed is a flaw in XML Core Services (MSXML) that was acknowledged more than three weeks ago, but has not yet been patched. The vulnerability is being actively exploited.
-http://technet.microsoft.com/en-us/security/bulletin/ms12-jul
-http://www.computerworld.com/s/article/9228828/Microsoft_to_patch_under_attack_X
ML_bug_next_week?taxonomyId=17

-http://www.pcworld.com/businesscenter/article/258814/patch_tuesday_includes_shoc
king_update_for_ie9.html



iOS App Store Serving Corrupted Apps (July 5, 2012)
Certain Apps from the iOS App Store are reportedly having problems after they have been updated, either refusing to load or crashing on startup. There are at least 70 Apps that have been reported as having troubles. The best bet for a fix is to delete affected Apps and install clean copies, but the iOS App store still appears to be serving corrupted versions, so users are urged to wait until the problem has been fully addressed.
-http://www.zdnet.com/ios-mac-app-stores-pushing-out-corrupted-apps-7000000320/
-http://blog.laptopmag.com/encryption-corruption-could-be-causing-updated-ios-and
-mac-apps-to-crash

-http://www.theregister.co.uk/2012/07/05/apple_app_store_file_corruption/


Tenenbaum Sentenced to Time Served for Bank Card Fraud (July 5, 2012)
A US District Judge has sentenced Ehud Tenenbaum, the man behind a sophisticated online banking fraud scheme, to time served. He will also have to pay US $503,000 in restitution and will be on probation for three years. The sentence is for Tenenbaum's guilty plea in 2009 to one count of access device fraud.
-http://www.wired.com/threatlevel/2012/07/tenenbaum-sentenced/
[Editor's Note (Murray): Friends in high places? Information embarrassing to the state? This is the second time Tenenbaum has dodged a bullet. (Leaks suggest that in Solar Sunrise, the USAF was only an hour away from launching a strike against Tenenbaum's proxy in Iraq.) ]


European Parliament Rejects ACTA (July 4 & 5, 2012)
In a 478 to 39 vote, the European Parliament has rejected the International Anti-Counterfeiting Trade Agreement (ACTA). The vote means that the treaty, which had already been signed by the European commission and 22 EU member states but had not been formerly ratified, cannot become law in the European Union or its member states.
-http://www.philly.com/philly/business/20120704_ap_euparliamentrejectsactaantipir
acytreaty.html?cmpid=138890509

-http://www.computerworld.com/s/article/9228787/European_Parliament_easily_reject
s_ACTA_copyright_treaty?taxonomyId=17

-http://www.bbc.co.uk/news/technology-18704192
-http://www.wired.com/threatlevel/2012/07/eu-kills-acta/
-http://www.v3.co.uk/v3-uk/news/2189193/european-parliament-delivers-knockout-blo
w-acta



Six Arrested in Connection with Hong Kong Exchange DDoS Extortion Scheme (July 3 & 4, 2012)
Law enforcement authorities in China and Hong Kong have arrested six people allegedly involved in a distributed denial-of-service (DDoS) blackmail scheme. The group targeted silver, gold, and securities traders in Hong Kong. The group threatened to launch attacks on the companies' Internet presences if they did not pay a ransom. In all, four companies transferred a total of 290,000 yuan (US $45,620) to accounts controlled by the alleged cyber thieves. The gang demanded amounts ranging from 30,000 to 100,000 yuan (US $4,700 to US $15.730) and attempted to extort a total of 460,000 (US $72,360) yuan.
-http://www.theregister.co.uk/2012/07/04/hong_kong_china_bust_ddos_gang_blackmail
/

-http://www.thestandard.com.hk/news_detail.asp?we_cat=11&art_id=123968&si
d=36913214&con_type=3&d_str=20120703&fc=1



European Court Says Software Licenses May be Resold (July 3, 2012)
The European Court of Justice has ruled that software licenses may be resold, and that the author of the software may not oppose the resale. The court said that "the exclusive right of distribution of a copy of a computer program covered by such a license is exhausted on its first sale." The ruling covers downloaded software as well as software purchased on disks. The court also said that the seller of the software is responsible for making his copy of the software on his computer unusable once the sale is complete. The ruling does not permit entities that have purchased licenses for numerous users to break up the license up and sell the unused portions.
-http://www.computerworld.com/s/article/9228762/EU_court_rules_resale_of_used_sof
tware_licenses_is_legal_even_online?taxonomyId=17

-http://www.nasdaq.com/article/eu-court-deals-blow-to-oracle-by-allowing-resale-o
f-used-software-licenses-20120703-00568



DARPA Develops Disinformation Technology Prototype (July 3, 2012)
The Defense Advanced Research Projects Agency (DARPA) says it has developed prototype "disinformation technology," which is designed to identify insiders who leak information. Called "fog computing" in a playful nod to the burgeoning cloud computing industry, the technology involves identifying how suspected leakers search for data, then planting false but believable information and tracking its access and misuse. The plan presents a couple of problems: first, the techniques resemble spammers' methods, and second, it could undermine trust at the very agencies where trust is critical to effective operations. The plan involves planting real valuable data in among large quantities of useless information, so if the data were to be leaked, those with the information would have a hard time distinguishing the truth from the phony data. The decoy documents would then be tracked as they cross the firewall.
-http://www.wired.com/dangerroom/2012/07/fog-computing/all/
[Editor's Note (Murray) The disinformation path is fraught with danger. The danger includes an announcement of one's intention to use it by calling all one's subsequent announcement's into question. Automated disinformation may equate to automated danger. ]


Microsoft Names Two of the John Does in ZeuS Complaint (July 2 & 3, 2012)
Microsoft has identified two Ukrainian men as being among those allegedly involved with the ZeuS botnet online crime group. The malware has reportedly been used to steal more than US $100 million. It displays phony or altered online banking website which allow the thieves to harvest valuable authentication credentials. The two people are identified as Yavhen Kulibaba and Yuriy Konovalenko, who are already serving time in the UK for other convictions related to ZeuS. The original complaint filed by Microsoft had listed the defendants as John Does.
-http://www.h-online.com/security/news/item/Microsoft-names-alleged-Zeus-bot-herd
ers-1631264.html

-http://www.theregister.co.uk/2012/07/03/microsoft_names_zeus_ringleaders/
-http://news.cnet.com/8301-1009_3-57465470-83/microsoft-identifies-two-zeus-botne
t-crime-ring-suspects/



DISA Back-Up Systems Maintained Connectivity During Power Outages (July 2, 2012)
Despite severe storms knocking out power at an Ohio data center and a Maryland facility, the Defense Information System Agency's (DISA) computer systems moved seamlessly to fall-back systems, meaning that service was uninterrupted by the outages. A DISA spokesperson said that because of the agency's system of network operation centers around the world, there was 'no operational impact during the transfer of operations and management." In contrast, Amazon Web Services experienced an outage at its Virginia data center, losing both primary and back-up power on Friday, June 29; full service was restored to Amazon on Saturday, June 30.
-http://www.nextgov.com/cloud-computing/2012/07/backup-systems-ensured-continuity
-military-networks-during-storm/56587/?oref=ng-channelriver



Man Convicted in Online Financial Fraud Case (July 2, 2012)
An Atlanta, Georgia man has been convicted of conspiracy to commit wire fraud, conspiracy to commit identity theft, and conspiracy to gain access to protected computers. Osarhieme Uyi Obaygbona used personal information obtained from other people through phishing attacks to make fraudulent withdrawals from bank accounts. Obaygbona could face up to 50 years in prison when he is sentenced this fall. In another scheme, another defendant, Karlis Karklins gained access to accounts of New Jersey-based payroll processor ADP and added phony employees to payroll and had checks issued to them. In all, losses from the schemes totaled US $1.5 million.
-http://www.darkreading.com/insider-threat/167801100/security/attacks-breaches/24
0003111/phisher-faces-up-to-50-years-for-role-in-1-5-million-scam.html



Verizon Says FCC's Net Neutrality Rules Violate Constitution (July 2 & 3, 2012)
Verizon is seeking to overturn the Federal Communications Commission's (FCC) net neutrality rules. In a brief filed in federal court, Verizon argues that the FCC over-stepped its authority when establishing the rules. It also calls the rules "arbitrary and capricious" and unconstitutional, violating both the First and the Fifth Amendments. Those in favor of the rules say that they support competition and customer choice, but opponents say that they place an unnecessary burden on businesses and put the Internet under the government's control.
-http://arstechnica.com/tech-policy/2012/07/verizon-net-neutrality-violates-our-f
ree-speech-rights/

-http://thehill.com/blogs/hillicon-valley/technology/235971-verizon-urges-court-t
o-scrap-net-neutrality-rules



Jet Engine Company Guilty of Exporting Military Software to China (June 28 & July 3, 2012)
A Canadian jet engine company has pleaded guilty to two charges brought by the US government for exporting military software to China. Pratt & Whitney Canada was intent on pursuing a lucrative helicopter engine market in China, so it looked the other way when China used the military software it brought in its military attack helicopters. The Quebec-based company will pay US $75 million to the US government as part of the settlement. Pratt & Whitney Canada pleaded guilty to violating the US State Department's International Traffic in Arms Regulations and the False Statements Act.
-http://www.nextgov.com/defense/2012/07/illegal-software-export-helped-china-deve
lop-its-first-attack-helicopter/56622/?oref=ng-HPtopstory

-http://www.theglobeandmail.com/report-on-business/pratt-whitney-canada-pleads-gu
ilty-in-military-software-case/article4377357/



************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHackChallenges, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting. Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/