
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIII - Issue #61

August 02, 2011

Cool Secure Coding Challenge for Programmers Picking Up Steam
Developers from more than forty organizations are participating in two
free secure coding challenges in Java and in .NET. They like it, maybe
because of the prize of iPad2s. Here's feedback from a major defense
"Avoiding vulnerabilities is not that difficult if you know what they
look like. In the past, I saw quality and security as tradeoffs, but
not anymore. What was most cool about this challenge is that it blends
Java knowledge with security. There is nothing else like it."
If your developers want to play:



LulzSec Suspect Charged, Released on Bail
Government Cyber Security Contractor Data Stolen, Posted Online
US Cyber Challenge Camp in Missouri
iFrame Injection Attacks Affect 3.8 Million Pages


Smart Grid Interoperability Standards
Guilty Plea for Credit Card Fraud
AT&T Will Throttle Broadband Speed for Smartphone Data Hogs
External Hard Drives Infected With Conficker are Recalled
SpyEye Spreading With Help of Amazon Cloud
Alleged "iPad Attacker's" Trial Put On Hold During Plea Negotiations
Twelve-Year Sentence for Phishing Ringleader

********************** Sponsored By DigitalPersona, Inc. ****************

IN CASE YOU MISSED IT...Analyst Webcast: Protecting Access and Data: A Review of Digital Persona Pro Version 5.1 FEATURING: Jim Hietala and Tom Grissinger Sponsored By: digitalPersona



--SANS Boston 2011, Boston, MA, August 8-15, 2011 12 courses. Bonus evening presentations include When Prevention Fails: Extending IR and Digital Forensics Capabilities to the Corporate Network; and More Practical Insights on the 20 Critical Controls

--SANS Virginia Beach 2011, August 22- September 2, 2011 10 courses. Bonus evening presentations include SANS Hacklab; Offensive Countermeasures; and Evolving VoIP Threats

--SANS Ottawa 2011, Ottawa, Ontario, August 28- September 2, 2011 6 courses. Bonus evening presentations include DNS Sinkhole: Peer Into Your Network While You Sleep; and I See What You Did There: Forensic Time Line Analysis

--SANS Network Security 2011, Las Vegas, NV, September 17-26, 2011 45 courses. Bonus evening presentations include Securing the Kids; Who is Watching the Watchers?; and Emerging Trends in the Law of Information Security and Investigations

--SANS Chicago 2011, Chicago, IL, October 23-28, 2011 6 courses. Bonus evening presentations include Computer Forensics in the Virtual Realm and Electrical Grid Security

--SANS Seattle 2011, Seattle, WA, November 2-7, 2011 5 courses. Bonus evening presentations include Future Trends in Network Security; and Ninja Developers: Penetration Testing and Your SDLC

--Looking for training in your own community?

Save on On-Demand training (30 full courses) - See samples at

Plus Melbourne, Delhi, London, Baltimore and Singapore all in the next 90 days. For a list of all upcoming events, on-line and live:



LulzSec Suspect Charged, Released on Bail (August 1, 2011)

An 18-year-old man who was arrested last week for his alleged involvement with online activism groups has been charged with unauthorized access to a computer system, conspiracy to commit computer misuse and other offenses. Jake Davis, who was arrested in the Shetland Islands last week, was released on bail. His bail conditions are that he has no direct or indirect access to the Internet, must wear an electronic tag and must observe a 10:00 p.m. to 7:00 a.m. curfew in the custody of his mother. Davis' attorney says that there is no evidence linking his client to cyber attacks. Authorities have accused Davis of possessing 750,000 passwords and being involved in numerous cyber attacks. They also say they found on his computer or hard disk a copy of the fake story of Rupert Murdoch's demise that LulzSec posted on The Sun's website.

Government Cyber Security Contractor Data Stolen, Posted Online (July 29, 30 & August 1, 2011)

A group of online activists has released documents they say were taken from a US government contractor. The 400 megabytes of data are from ManTech International Corporation, which has a five-year, US $100 million contract with the FBI to manage its cyber security.


US Cyber Challenge Camp in Missouri (July 30, 2011)

Three competitors in last week's US Cyber Challenge Regional Cyber Security Camp at the University of Missouri in Columbia earned top honors of US $1,000 scholarships, but all participants honed skills that will help them defend computer networks and pursue careers in cyber security. The week-long camp included discussions of ethics and culminated in a four-and-a-half hour capture-the-flag event that decided the winning team.


iFrame Injection Attacks Affect 3.8 Million Pages (August 1, 2011)

Attacks targeting insecure installations of osCommerce open-source e-commerce management software are now believed to affect 3.8 million web pages. The attacks exploit a trio of vulnerabilities in osCommerce that have been disclosed in the past 15 months. The attacks involve injecting malicious iFrames, which send users through a series of redirects that ultimately land them on a site that attempts to infect their computers with malware.

*************************** SPONSORED LINKS ******************************

1) Trade in your current NAC solution for ForeScout CounterACT Virtual Appliance today! Limited time promotional offer.

2) Please take five minutes to help us improve the type and quality of Vendor Programs at SANS Conferences. Complete this survey and be entered in a drawing to win a $100 American Express gift card.



Smart Grid Interoperability Standards (August 1, 2011)

The Smart Grid Interoperability Panel is developing a catalog of standards to provide guidance, including security guidance, to manufacturers and developers. The panel has approved six interoperability standards, which deal with formats for exchanging information, standards for charging electric vehicles and for upgrading electric meters on the smart grid.


[Editor's Note (Murray): "Interoperability" is easy compared to "safe interoperability." ]

Guilty Plea for Credit Card Fraud (August 1, 2011)

A Tennessee man who bragged about breaking into Miley Cyrus's Gmail account has pleaded guilty to charges related to credit card fraud. Josh Holly was never charged in connection with breaking into Cyrus's account, but he did plead guilty to possession of stolen credit cards and taking control of MySpace pages of celebrities and using them to send spam, earning him more than US $100,000 from the companies on whose behalf he sent the unsolicited messages.

AT&T Will Throttle Broadband Speed for Smartphone Data Hogs (July 29 & August 1, 2011)

AT&T has announced that starting October 1, 2011, smartphone users with unlimited data plans who consume large amounts of data may find that their connections are throttled; the plan will affect those whose use lands them in the top five percent of users in a billing cycle. The plan affects users who have purchased unlimited data plans, which AT&T stopped offering last year. Users with tiered service may pay for additional use. AT&T says that the plan is not a permanent long-term solution, and that the only way to solve the bandwidth problem would require "completing the T-Mobile merger," which has been opposed by competitors and some legislators. Users will receive warning notices and will have a grace period before the throttling takes effect. Speeds will return to normal levels at the start of the next billing cycle.


[Editor's Note (Schultz): Paying for what you use makes sense. Those who gobble up network bandwidth should have to pay more for Internet services.
(Murray): It is essential that this be in AT&T's terms of service, that it be candid, and that it not be ex post facto. ]

External Hard Drives Infected With Conficker are Recalled (July 29, 2011)

AUSCERT issued a warning to consumers about the Fission External 4-in-1 Hard Drive, DVD, USB and Card Reader being sold at ALDI discount stores. There have been reports that some of the devices are infected with Conficker. ALDI has removed the affected devices from its shelves and has issued a voluntary recall. Users are advised to return the devices to the store and to run anti-virus scans on their PCs. The malware is likely to have infected the drives during factory production.


[Editor's Note (Schultz): Good grief--the patch that prevents Conficker and other compromises was released in October 2008. Failure to install the appropriate patch by now is completely incomprehensible. ]

SpyEye Spreading With Help of Amazon Cloud (July 29, 2011)

Cyber criminals are reportedly using Amazon's Simple Storage Service (S3) cloud service to help them spread the SpyEye Trojan horse program. SpyEye harvests online banking login credentials and uses them to steal funds from the accounts. The malware is designed to elude banks' anti-fraud technologies. The people who are spreading the malware are using S3 to host the sites that distribute SpyEye. The Amazon accounts are opened and paid for with stolen identity and credit card information.

Alleged "iPad Attacker's" Trial Put On Hold During Plea Negotiations (July 28, 2011)

The trial of a man who allegedly broke into an AT&T website and stole information about iPad users has been put on hold while plea negotiations are in progress. A grand jury in New Jersey indicted Andrew Auernheimer last month. Auernheimer's co-defendant Daniel Spitler entered a guilty plea in June; he could face up to 10 years in prison in addition to a fine of up to US $500,000. Spitler wrote code that stole information from AT&T servers, including email addresses and unique iPad ID numbers. The attack affected some high-profile individuals, including New York City mayor Michael Bloomberg.


Twelve-Year Sentence for Phishing Ringleader (July 28 & August 1, 2011)

A man who masterminded a phishing scheme has been sentenced to more than 12 years in prison. Tien Truong Nguyen headed up a scheme in which people were redirected to websites that appeared to be those of legitimate financial institutions, but which actually harvested financial information. Those data were then used to open instant lines of credit and make purchases; the merchandise was sold for cash. The information was also used to make phony credit cards. Nguyen's co-conspirators, Stefani Ruland and Ryan Price, stole close to US $200,000 in just two months. Both have been sentenced to prison.

[Editor's Comment (Northcutt): 12 years and 7 months for about $180k in theft, with no violent acts. A decade ago I would have said that was harsh. Today, since the criminals are so advanced and so focused, severe sentences may be the only way to take them out of circulation. Sad.]


The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit