

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIII - Issue #26

April 01, 2011


SANSFIRE in July in Washington - now open for registration - where SANS
immersion training is complemented by nightly briefings from Internet
Storm Center experts sharing the inside information gleaned from
analyzing more than a hundred attacks and new vulnerabilities. Plus,
another round of the NetWars competition where you can measure your
mastery of penetration testing and defense techniques.
Registration: http://www.sans.org/sansfire-2011/

And just before SANSFIRE you can add a day for the IPv6 Summit:
http://www.sans.org/ipv6-summit-2011/

TOP OF THE NEWS

NSA to Join Nasdaq Hack Investigation
Google Settles With FTC Over Buzz Privacy Charges

THE REST OF THE WEEK'S NEWS

Krebs: Following Rustock's Money Trail
Australian Government Computers Attacked
BP Employee Loses Laptop With Unencrypted Claimant Information
Comodo Says Two More Registration Authorities Were Compromised
LizaMoon Pushes Rogue Anti-Virus Software
No Keystroke Loggers on Samsung Laptops
European Parliament Network Attacked
NASA IG Finds Vulnerabilities in Agency Systems
Spam Volume Drops by One-Third Following Rustock Takedown
FBI Seeks Decryption Help in Murder Case


*****************************************************************
TRAINING UPDATE

-- The National Cybersecurity Innovation Conference, April 18-19, 2011 - Users (no vendors or consultants) sharing remarkable solutions they found to (1) defense against APT, (2) continuous monitoring, (3) proving the value of security investment and making security strategic, (4) reliable, risk-based decisions on which new tools to buy, (5) finding all their hardware and software across large networks, (6) the most promising automation initiative in security. Expert briefings on the most dangerous new attack techniques and the 20 Critical Controls.
http://www.sans.org/cyber-security-innovations-2011/


http://www.sans.org/sydney-scada-2011/

-- SANS Northern Virginia 2011, Reston, VA, April 15-23, 2011. 11 courses. Bonus evening presentations include Cyberwar or Business as Usual? The State of US Federal CyberSecurity Efforts
http://www.sans.org/northern-virginia-2011/

-- SANS Security West 2011, San Diego, CA, May 3-12, 2011. 23 courses. Bonus evening presentations include The Emerging Security Threat Panel Discussion; and Emerging Trends in Data Law and Investigation
http://www.sans.org/security-west-2011/

-- SANS Cyber Guardian 2011, Baltimore, MD, May 15-22, 2011. 8 courses.
http://www.sans.org/cyber-guardian-2011/

-- SANS Rocky Mountain 2011, Denver, CO, June 25-30, 2011. 7 courses. Bonus evening presentations include SANS Hacklab and Why End Users are Your Weakest Link
http://www.sans.org/rocky-mountain-2011/

-- Looking for training in your own community?
http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Barcelona, Amsterdam, Brisbane and London all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

**************************** WinMagic Inc. ***************************
WinMagic SecureDoc offers a comprehensive full-disk encryption solution for Windows, Mac, and Linux platforms and removable media (USB thumb drives, CD/DVDs, SD Cards). The central administration console simplifies enterprise management of encrypted devices, user permissions, and encryption keys. SecureDoc manages Intel Anti-theft Technology, SEDs, advanced Lenovo technologies, and exclusively offers pre-boot networking. Evaluate SecureDoc today.
http://www.sans.org/info/74398
****************************************************************************

TOP OF THE NEWS

NSA to Join Nasdaq Hack Investigation (March 30, 2011)

The National Security Agency (NSA) will join an investigation into cyber attacks against the company that runs the Nasdaq stock market. While its role in the investigation has not been clarified, the fact that it is involved at all suggests that the attacks were more serious than first believed, or that the attacks were state-sponsored. The FBI, the US Secret Service and several foreign intelligence agencies are also helping with the investigation. The attack was reported in February 2011 and took place in October 2010. Nasdaq said the attack did not compromise its trading platform, but affected a web application called Directors Desk that facilitates online meetings and information sharing for the board members of Nasdaq-listed companies. The possibility remains that the attackers used the application as a toehold to gain deeper access to Nasdaq systems.
-http://www.wired.com/threatlevel/2011/03/nsa-investigates-nasdaq-hack/
-http://www.bloomberg.com/news/2011-03-30/u-s-spy-agency-said-to-focus-its-decrypting-skills-on-nasdaq-cyber-attack.html

Google Settles With FTC Over Buzz Privacy Charges (March 30 & 31, 2011)

On Wednesday, March 30, Google settled deceptive privacy practice charges from the Federal Trade Commission regarding its social networking tool, Buzz. The terms of the settlement call for Google to launch a privacy program and undergo regular third-party audits for 20 years. The settlement does not impose a fine, but Google could face fines if it violates the terms of the settlement. The settlement is the first in which the FTC has ordered a company to implement a comprehensive security policy. On the same day, Google launched a new social networking tool called +1; it allows users to annotate search results to recommend pages to friends.
-http://www.usatoday.com/money/industries/technology/2011-03-30-google-ftc-settlement.htm
-http://www.sfgate.com/cgi-bin/article.cgi?f=/g/a/2011/03/30/businessinsider-google-were-sorry-for-privacy-problems-with-buzz-2011-3.DTL
-http://www.washingtonpost.com/blogs/faster-forward/post/ftcs-lesson-for-google-defaults-design-matter/2011/03/30/AFRmwc4B_blog.html
-http://news.cnet.com/8301-31921_3-20048771-281.html


************************** SPONSORED LINK ********************************
1) New SANS Analyst Program Webcast: Debunking Continuous Monitoring Myths, May 17, 1PM EDT. Learn what holds organizations back from implementing continuous monitoring and where to get started. Featuring Eugene E. Schultz and Steve Johnston. http://www.sans.org/info/74403
****************************************************************************

THE REST OF THE WEEK'S NEWS

Krebs: Following Rustock's Money Trail (March 28, 2011)

Cyber security investigative journalist Brian Krebs describes "following the money trail to learn who ultimately paid the [Rustock] botnet controllers' hosts for their services." The trail takes him to a small Eastern European business that resells hosting services to less-than-savory individuals. He illuminates virtual currency accounts and records kept by cyber criminals that showed significant profits.
-http://krebsonsecurity.com/2011/03/microsoft-hunting-rustock-controllers/

Australian Government Computers Attacked (March 29 & 30, 2011)

Attackers have targeted computers in the office of Australia's Prime Minister and those of several senior Australian government officials. The attacks, which date back to February 2011, reportedly compromised the security of thousands of emails. Australian authorities learned of the breach from US intelligence officials. Attackers have recently also targeted government systems in Canada and Europe.
-http://www.wired.com/threatlevel/2011/03/australian-pm-hacked/
-http://www.nzherald.co.nz/internet/news/article.cfm?c_id=137&objectid=10715773
-http://www.theregister.co.uk/2011/03/29/oz_govt_email_hack/
[Editor's Note (Paller): Extraordinary skills are needed to find today's more sophisticated attacks. Intrusion detection and other standard tools found in most security operations centers are not up to the job. Instead it takes people called "hunters" with skills including reverse engineering, deep packet analysis, advanced memory and disk forensics, advanced vulnerability analysis of each technology from wireless to hardware, plus counter-intelligence. We are seeing promising evidence of more and more organizations establishing multi-skilled teams tasked with finding these infestations fast and getting rid of them. They measure their success by how short they can make "dwell time" for the infestations.]

BP Employee Loses Laptop With Unencrypted Claimant Information (March 31, 2011)

BP's acknowledgment that an employee lost a laptop containing unencrypted information of 13,000 people who have submitted claims associated with last year's oil spill has prompted analysts to declare that failing to encrypt sensitive data on portable devices is inexcusable. The information compromised in the BP laptop breach includes names, Social Security numbers (SSNs) and dates of birth. Even a requirement for federal agencies to encrypt sensitive data on portable devices following a breach that compromised the security of records of more than 26 million veterans has not resulted in compliance.
-http://www.computerworld.com/s/article/9215369/Failure_to_encrypt_portable_devices_inexcusable_say_analysts?taxonomyId=17

Comodo Says Two More Registration Authorities Were Compromised (March 29, 30 & 31, 2011)

Certificate authority Comodo now says that two additional Registration Authorities (RAs) were affected by the recent attack in which SSL certificates for major web presences like Google and Microsoft were issued through fraudulent means. The two additional RAs did not issue fraudulent certificates, however. Comodo's Chief Technical Officer Robin Alden says the company is taking steps to prevent a recurrence of the attack; the company is "implementing IP address restriction and hardware-based two-factor authentication." Until the new measures are in place, "Comodo will review 100 percent of all validation work before issuing any certificate." The FBI is investigating the breach.
-http://www.net-security.org/secworld.php?id=10826
-http://www.theregister.co.uk/2011/03/30/comodo_gate_latest/
-http://www.v3.co.uk/v3-uk/news/2038919/comodo-reveals-ssl-failure
-http://www.computerworld.com/s/article/9215360/Comodo_hacker_claims_another_certificate_authority
-http://news.cnet.com/8301-31921_3-20048525-281.html?tag=topTechContentWrap;editorPicks

[Editor's Note (Schultz): PKIs have a certain intuitive appeal, but PKI advocates have failed to anticipate the severity of attacks that are now routinely launched against registration and certificate authorities. A next generation defense strategy will be needed if PKI is to survive.]

LizaMoon Pushes Rogue Anti-Virus Software (March 31, 2011)

The LizaMoon SQL injection attack is believed to have affected more than 380,000 unique URLs. The malware aims to redirect users to a site that pushes rogue anti-virus products. Two sites associated with the attack are offline, but those responsible for the attack have begun using other domains. The malware has been found on some iTunes sites, but Apple appears to prevent the code from executing.
-http://www.v3.co.uk/v3-uk/news/2039083/websense-warns-lizamoon-sql-injection-attack-hit-380-domains
-http://www.theregister.co.uk/2011/03/31/lizamoon_mass_injection_attack/
-http://www.net-security.org/secworld.php?id=10833
-http://www.msnbc.msn.com/id/42361792/ns/technology_and_science-security/

No Keystroke Loggers on Samsung Laptops (March 31, 2011)

Concerns about Samsung laptops shipping with pre-installed keystroke loggers have proven to be groundless. An anti-virus program called VIPRE misidentified a folder created by the Microsoft Live Application Suite as known keystroke logging software. An executive with the company that makes VIPRE has apologized for the incident.
-http://www.v3.co.uk/v3-uk/news/2039070/false-alarm-samsung-laptop-keylogging-claims-debunked
-http://www.computerworld.com/s/article/9215396/GFI_apologizes_for_false_alarm_on_Samsung_keyloggers?taxonomyId=17
-http://www.h-online.com/security/news/item/False-alarm-over-an-alleged-Samsung-Trojan-1219437.html
-http://www.theregister.co.uk/2011/03/31/samsung_keylogger_rumour_debunked/

European Parliament Network Attacked (March 30 & 31, 2011)

In the wake of a cyber attack against the networks of the European Commission and the External Action Service, attackers have also targeted the European Parliament's network. The European Parliament has imposed a number of restrictions, including the suspension of web-based email service on the networks. The attacks, which may or may not be related, appear to have been focused with a specific goal in mind - to steal certain information.
-http://www.theregister.co.uk/2011/03/31/eu_parliament_hack/
-http://www.net-security.org/secworld.php?id=10819

NASA IG Finds Vulnerabilities in Agency Systems (March 30, 2011)

According to a report from NASA's inspector general, six servers on a network the agency uses to control the International Space Station and the Hubble telescope contain security flaws that could be remotely exploited. The IG's report blames the issues on lack of IT security oversight. The flaws would have been addressed by a security oversight plan the agency agreed to last year but has yet to implement. The investigation also found a server susceptible to an FTP bounce attack. The report notes that data security issues are not new to NASA; in 2009, attackers stole 22 GB of export-restricted information from NASA Jet Propulsion Laboratory computers.
-http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=229400618&subSection=Security
-http://www.computerworld.com/s/article/9215305/Critical_NASA_network_was_open_to_Internet_attack
-http://www.theregister.co.uk/2011/03/30/nasa_security_outstandingly_mediocre/

Spam Volume Drops by One-Third Following Rustock Takedown (March 29, 2011)

Since the Rustock botnet has been taken down, worldwide spam levels have dropped 33 percent, according to MessageLabs. Other botnets appear to be starting to fill the void. The Bagle botnet is now believed to be the single largest active source of spam.
-http://www.theregister.co.uk/2011/03/29/rustock_takedown_spam_stats/

FBI Seeks Decryption Help in Murder Case (March 30, 2011)

The FBI is seeking help deciphering two encrypted notes found in the pockets of a man who was murdered in St. Louis, Missouri, nearly a dozen years ago. The notes are believed to have been created by the victim, who was a cryptographic enthusiast.
-http://www.net-security.org/secworld.php?id=10823
-http://www.theregister.co.uk/2011/03/30/murder_case_mystery_code_baffles_fbi/
-http://www.fbi.gov/news/stories/2011/march/cryptanalysis_032911/cryptanalysis_032911

************************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/