
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIII - Issue #19

March 08, 2011


Two new speakers at the National Cybersecurity Innovation Conference -
one from the Nuclear Energy Labs who shows how senior management can be
transformed into powerful proponents of education and the other from a
state agency that is presenting fascinating data on how the more
advanced attacks work, which defenses are most useful, and a pair of
powerful new free tools.
http://www.sans.org/cyber-security-innovations-2011/

TOP OF THE NEWS

The New Cyber Arms Race
Google Remotely Removes Infected Apps From Android-based Devices
Attackers Steal G20 Data From French Finance Ministry Systems
Sony Gets OK to Subpoena Information About Visitors to PS3 Jailbreak Site

THE REST OF THE WEEK'S NEWS

UK Cyber Security Challenge Winner Named
WordPress Founder Says Attacks Emanated From China
Former Employee Sentenced to Home Confinement for Deleting Company Data
Microsoft Urging Users to Upgrade from IE6
South Korean Government Websites Targeted by DDoS Attacks
Libya Severs Internet Service
Microsoft Pushing Out Patch to Disable AutoRun on XP and Vista Machines


*****************************************************************
TRAINING UPDATE
-- SANS AppSec 2011: Summit & Training, San Francisco, CA, March 7-14, 2011 7 courses. Bonus evening presentations and special events includes The Road to Sustainable Security
http://www.sans.org/appsec-2011/

-- SANS 2011, Orlando, FL, March 26-April 4, 2011 40 courses. Bonus evening presentations and special events include Hiding in Plain Sight: Forensic Techniques to Counter the Advanced Persistent Threat; and Law and the Public's Perception of Data Security
http://www.sans.org/sans-2011/

-- The National Cybersecurity Innovation Conference, April 18-19, 2011 User-to-user conference featuring outstanding examples of continuous monitoring and security cloud.
http://www.sans.org/cyber-security-innovations-2011/

-- "Combating Malware in the Enterprise" course at SANS (SEC569). How do you fight off malware when you have thousands of hosts? Learn the answers in Orlando in March:
http://www.sans.org/security-training/combating-malware-enterprise-1482-mid

-- 2011 Asia Pacific SCADA and Process Control Summit, Sydney, Australia, March 31-April 7, 2011
http://www.sans.org/sydney-scada-2011/

-- SANS Northern Virginia 2011, Reston, VA, April 15-23, 2011 11 courses. Bonus evening presentations include Cyberwar or Business as Usual? The State of US Federal CyberSecurity Efforts
http://www.sans.org/northern-virginia-2011/

-- SANS Security West 2011, San Diego, CA, May 3-12, 2011 23 courses. Bonus evening presentations include The Emerging Security Threat Panel Discussion; and Emerging Trends in Data Law and Investigation
http://www.sans.org/security-west-2011/

-- Looking for training in your own community?
http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Wellington, Barcelona, Amsterdam, Brisbane and London all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
****************************************************************************

TOP OF THE NEWS

The New Cyber Arms Race (March 7, 2011)

Focusing on Stuxnet and other recent attacks, this far-ranging article surveys players and processes engaged in cyber warfare. It weaves together the major developments of the past couple of years into a cohesive picture of what's happening.
-http://www.csmonitor.com/USA/Military/2011/0307/The-new-cyber-arms-race

Google Remotely Removes Infected Apps From Android-based Devices (March 7, 2011)

Google has begun using its "remote removal function" to purge infected apps from Android devices running versions prior to 2.2.2. About 50 apps were found to be infected with malware known as DroidDream; all have been removed from the Android Market. Google has also suspended the accounts of the developers believed to be responsible for the infected applications and plans to take legal action.
-http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=229300494&subSection=Security
-http://www.h-online.com/security/news/item/Google-remotely-removes-Android-malware-1203049.html
-http://gcn.com/articles/2011/03/07/google-kills-droiddream-malware.aspx?admgarea=TC_SECCYBERSSEC
-http://www.scmagazineus.com/google-remotely-killing-android-malware/article/197794/
-http://www.computerworld.com/s/article/9213641/Google_throws_kill_switch_on_Android_phones?taxonomyId=17
-http://www.theregister.co.uk/2011/03/07/google_remotely_kills_android_malware_apps/

[Editor's Note (Skoudis): Maybe we're seeing the real security model of these app stores at work here, and it isn't technical. Requiring developers to register to distribute code allows rich companies (Google, Apple, etc.) with powerful lawyers to sue developers who misbehave. That may act as a check against some malicious developer's basest instincts.
(Honan): While the motives for what Google are doing are good, I do find it disconcerting that an organisation has the ability to remotely control what applications I run on my system. Given that many smartphone devices probably also contain sensitive data, this is an additional reason to insist that people encrypt any data they store on such devices.]

Attackers Steal G20 Data From French Finance Ministry Systems (March 7, 2011)

The French Finance Ministry is the latest victim of cyber attacks that some have suggested are emanating from China. Attackers gained access to roughly 150 French Finance Ministry computers and stole data related to the G20 Summit, which France hosted last month. The attacks began in December 2010; only G20 data were affected. The systems affected by the attack have been cleaned up. G20, or Group of 20, is a coalition of finance ministers and central bank governors from 19 countries and the European Union who work together to help stabilize the world economy.
-http://news.cnet.com/8301-1009_3-20040050-83.html?tag=mncol;titles
-http://www.voanews.com/english/news/economy-and-business/Hackers-Steal-French-Finance-Ministry-Information-117521708.html
-http://www.bbc.co.uk/news/business-12662596
-http://www.v3.co.uk/v3/news/2275138/zeus-france-g20-hack-uk-finance
-http://www.h-online.com/security/news/item/PCs-at-French-Ministry-of-Finance-infected-with-spyware-1203224.html
-http://www.computerworld.com/s/article/9213559/Hackers_targeted_French_gov_t_computers_for_G20_secrets?taxonomyId=17

Sony Gets OK to Subpoena Information About Visitors to PS3 Jailbreak Site (March 4 & 5, 2011)

A US federal magistrate has granted Sony permission to obtain the IP addresses of computer users who visited George Hotz's website from January 2009 until now. Hotz gained recent notoriety for posting jailbreak code for the Sony PlayStation 3 gaming console to the Internet. The magistrate also granted Sony's request for subpoenas of Twitter, Google and YouTube to gain information about Hotz's accounts.
-http://voices.washingtonpost.com/fasterforward/2011/03/judge_says_sony_can_see_visito.html?wprss=fasterforward

-http://www.wired.com/threatlevel/2011/03/geohot-site-unmasking/
-http://www.theregister.co.uk/2011/03/05/geohot_visitors_unmasked/
-http://www.bbc.co.uk/news/technology-12663410
-http://news.cnet.com/8301-27080_3-20039536-245.html


*************************** Sponsored Link: *******************************
SANS Analysts Program Webcast: Managing Insiders in SCADA Environments on Wednesday, March 23, 2011. Gain key insight from security professionals involved in auditing SCADA and other utility control systems about insider risk in control system environments. Featuring SANS instructor and senior analyst, Matthew E. Luallen. To register, go here: http://www.sans.org/info/72153
****************************************************************************

THE REST OF THE WEEK'S NEWS

UK Cyber Security Challenge Winner Named (March 7, 2011)

The winner of the first UK Cyber Security Challenge is Dan Summers, a postman who once worked in IT. Summers said he is considering moving into cyber security as a profession. Coming in second place was Stuart Rennie, a 17-year-old student. The contest started in July 2010, and the field of contestants was eventually winnowed down to the top 25 competitors who competed in the final round. Registration for the next Cyber Challenge opens on March 28.
-http://www.bbc.co.uk/news/technology-12667535
-http://www.security-watchdog.co.uk/2011/03/cyber-government-challenge-postman-funding.html
-http://www.zdnet.co.uk/news/security/2011/03/07/wakefield-postman-wins-cyber-security-challenge-40092043/
-http://www.scmagazineuk.com/first-cyber-security-challenge-winner-announced/article/197717/

[Editor's Note (Skoudis): This is a great, feel-good story, showing that really solid infosec talent is available in sometimes unexpected places. Challenges are proving very useful in identifying people with impressive skills. I was honored to support the UK Cyber Challenge, and wish to congratulate the winners!
(Schultz): I do not think that the winner of this contest will need to try very hard to find a job in information security.
(Honan): Well done to Mr. Summers on a great achievement. I find it interesting to see that the top two places in this challenge went to a postman and a student and not to professionals within the industry. It highlights how we need to expand our thinking when looking at hiring people to work within infosec.]

WordPress Founder Says Attacks Emanated From China (March 4 & 7, 2011)

The founder of blog platform WordPress.com now says that the distributed denial-of-service (DDoS) attacks that caused significant problems at three of the company's data centers originated in China. The attacks slowed access to the WordPress site. Initially, WordPress conjectured that the attacks were prompted by a particular Chinese-language blog, but the company no longer believes the attacks were politically motivated.
-http://news.cnet.com/8301-27080_3-20039385-245.html?tag=mncol;title
-http://www.computerworld.com/s/article/9213601/WordPress_DDoS_attacks_came_from_China?source=CTWNLE_nlt_pm_2011-03-07

[Editor's Note (Ranum): In other words, "we attributed the attacks to China, but we really don't know." The problem of attribution in cyberspace is so serious that for all intents and purposes nobody should assume anything. Really, we should start asking ourselves "who cares?" because it's hardly as if anyone is going to do anything about it, because there isn't anything rational or reasonable that can be done. In the meantime, this kind of finger-pointing helps exactly nobody.]

Former Employee Sentenced to Home Confinement for Deleting Company Data (March 6, 2011)

Ismael Alvarez has been sentenced to one year of home confinement and five years of probation for breaking into his former employer's computer server and deleting data. Alvarez had worked at Gray Wireline Services for more than seven years before he was fired. Investigators identified Alvarez as the culprit through the IP address used to access the server. The files he deleted contained proprietary reports about oil and gas wells. Alvarez was also ordered to pay more than US $20,000 in fines and restitution.
-http://www.theregister.co.uk/2011/03/06/fired_employee_revenge_hack/

Microsoft Urging Users to Upgrade from IE6 (March 4 & 7, 2011)

Microsoft is starting to actively discourage people from using Internet Explorer 6. The company has launched an official IE6 Countdown Site with graphics showing the percentage of market share IE6 holds in countries around the world; Microsoft hopes to see IE6 usage drop to less than one percent worldwide. IE6 was introduced a decade ago.
-http://www.zdnet.co.uk/news/desktop-apps/2011/03/07/get-rid-of-ie6-urges-microsoft-40092047/

-http://gcn.com/articles/2011/03/07/microsoft-ie-6-death-watch.aspx
-http://www.v3.co.uk/v3/news/2275125/microsoft-internet-explorer
IE6 Countdown Site:
-http://www.theie6countdown.com/
[Editor's Comment (Skoudis): A year after the so-called Aurora attacks, it is way past time to move from IE6. I'm happy to see Microsoft pushing people to do this. It's really important if you value security at all.
(Northcutt): Friends don't let friends run IE6. Now that IE9 is on the horizon this is the perfect time to push for a change.]

South Korean Government Websites Targeted by DDoS Attacks (March 4 & 5, 2011)

South Korean government and commercial websites were the targets of recent cyber attacks. Over the weekend, 29 sites were hit with DDoS attacks, following a series of attacks last Thursday and Friday that hit the same number of sites.
-http://www.washingtonpost.com/wp-dyn/content/article/2011/03/05/AR2011030500344.html
-http://edition.cnn.com/2011/WORLD/asiapcf/03/04/south.korea.cyber.attack/
-http://www.scmagazineuk.com/south-korean-websites-targeted-by-distributed-denial-of-service-attacks/article/197597/

[Editor's Comment (Northcutt): Something similar happened in July 2009; people blamed North Korea, but it was never proven. The compromised systems used to mount the attacks wiped out their own file systems after a couple of days. US sites were also attacked in that action.
-http://www.theregister.co.uk/2009/07/08/federal_websites_ddosed/]

Libya Severs Internet Service (March 4, 2011)

Internet service in Libya appears to have been completely severed. Previously, service had been intermittent at best. Two weeks ago, Internet traffic in Libya was halted briefly. Last Thursday, March 3, a Massachusetts network security company noted that Internet traffic in and out of Libya had ceased. The shutdown of the Internet is likely an effort to stifle communications, particularly the outflow of information about the uprisings around the country. The earlier shutdown used the Border Gateway Protocol (BGP) to steer traffic away from Libyan Internet address space, so that routes still existed but nothing reached them. The new shutdown instead involves a firewall blocking all Internet traffic between Libya and the rest of the world.
-http://www.msnbc.msn.com/id/41911692/ns/technology_and_science-security/
-http://www.computerworld.com/s/article/9213359/Not_so_great_firewall_of_Libya_is_switched_on?taxonomyId=17

-http://www.bbc.co.uk/news/technology-12653078

Microsoft Pushing Out Patch to Disable AutoRun on XP and Vista Machines (March 3, 2011)

An update from Microsoft that disables AutoRun is being automatically pushed out to Windows XP and Vista users. The Windows feature has been exploited by Conficker and Stuxnet to infect computers. The update was initially released in February; Microsoft said at that time that the patch would be optional, meaning that users would have had to select it manually in Windows Update. Now the patch is being pushed out through the Automatic Updates feature of Windows Update.
-http://www.computerworld.com/s/article/9212938/Microsoft_pushes_anti_AutoRun_update_at_XP_Vista_users?taxonomyId=203


[Editor's Comment (Northcutt): As I recall, the patch that made it possible to disable autorun came out after Conficker. I am sure this patch will break something, but it needs to be done.
-http://support.microsoft.com/kb/967715
-http://www.askwoody.com/2009/microsoft-finally-disable-autorun/]
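A defender-side check to go with this item, added here as an example and not taken from the newsletter or from Microsoft: it reads the two registry values that KB 967715 (linked above) documents, NoDriveTypeAutoRun and HonorAutorunSetting, and reports which drive types still have AutoRun enabled. It assumes a Windows host with PowerShell and read access to the Explorer policy keys (run elevated for the HKLM key).

```powershell
# Added example: audit the AutoRun policy values documented in KB 967715.
# Not Microsoft's code and not part of the NewsBites item; assumes PowerShell
# on Windows with read access to the Policies\Explorer keys.

# Bits of NoDriveTypeAutoRun, one per drive type; a set bit disables AutoRun
# for that type, and 0xFF disables it for every type.
$DriveTypeBits = [ordered]@{
    Removable = 0x04
    Fixed     = 0x08
    Network   = 0x10
    CDROM     = 0x20
    RAMDisk   = 0x40
    Unknown   = 0x80
}

function Get-AutoRunPolicy {
    param([ValidateSet('HKLM', 'HKCU')][string]$Hive)
    $key   = "${Hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    $mask = $null
    if ($props -and $props.PSObject.Properties['NoDriveTypeAutoRun']) {
        $mask = [int]$props.NoDriveTypeAutoRun
    }
    # HonorAutorunSetting = 1 is written by the KB 967715 fix (HKLM). Without
    # it, pre-fix Windows could still process autorun.inf despite the mask.
    $honor = $null
    if ($props -and $props.PSObject.Properties['HonorAutorunSetting']) {
        $honor = [int]$props.HonorAutorunSetting
    }

    # Drive types whose bit is clear still have AutoRun enabled by this policy.
    $stillOn = @()
    if ($null -ne $mask) {
        foreach ($name in $DriveTypeBits.Keys) {
            if (($mask -band $DriveTypeBits[$name]) -eq 0) { $stillOn += $name }
        }
    }

    [pscustomobject]@{
        Hive                = $Hive
        NoDriveTypeAutoRun  = if ($null -ne $mask) { '0x{0:X2}' -f $mask } else { '(not set; Windows default applies)' }
        HonorAutorunSetting = if ($null -ne $honor) { $honor } else { '(not set)' }
        AutoRunStillOn      = if ($null -ne $mask) { $stillOn -join ', ' } else { '(unknown)' }
        FullyDisabled       = ($mask -eq 0xFF)
    }
}

# Machine policy takes precedence over the per-user value; report both.
'HKLM', 'HKCU' | ForEach-Object { Get-AutoRunPolicy -Hive $_ } | Format-List
```

A host that has taken the patch and an all-drives policy will show NoDriveTypeAutoRun 0xFF under HKLM with HonorAutorunSetting 1; any drive type listed under AutoRunStillOn is one the policy has not covered.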



************************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/