SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XII - Issue #19
March 09, 2010
If you were not fooled by the CEH hoax on Friday, skip this paragraph. If you were, you are in good company. Two groups don't think the hoax was funny: (1) the poor young reporter who was fooled into publishing it, and her editors, and (2) every security professional who believes it is dangerous to place a person with the wrong skills in a critical cyber defense position.
Alan
TOP OF THE NEWS
Confidential Bank Reports to FDIC Show $120 Million Lost In Three Months To Online Banking Fraud
Growing Concern About Cyber Attacks in US, UK and EU
THE REST OF THE WEEK'S NEWS
Thailand Approves Extradition of Alleged Cyber Criminal
US to Allow Export of Internet Applications to Cuba, Iran and Sudan
Ford to Offer Wi-Fi and Improved Security in Next Generation SYNC
Trojan Found in Battery Charger Software Download
Critical Flaw in Opera
Will Mariposa Arrests Prove to be a Deterrent?
Westin Hotel in LA Acknowledges Data Breach
Irish Companies Reporting Cyber Extortion
Phishers Used Facebook to Penetrate Financial Firm's Computer System
FBI Director Says Cyber Terrorism Threat is Growing
**************** Sponsored By Trusted Computer Solutions ****************
Automated, consistent operating system lock down. Who knew? Whether locking down one server or an entire enterprise, Security Blanket performs fast, consistent, and repeatable OS lock down to industry guidelines such as DISA STIGs, CIS, and SANS CAG Top 20 Critical Controls. Now that you know, give Security Blanket a try for FREE. http://www.sans.org/info/55898
*************************************************************************
TRAINING UPDATE - -- SANS 2010, Orlando, March 6 - March 15, 2010 38 courses and bonus evening presentations, including Software Security Street Fighting Style
http://www.sans.org/sans-2010/
- -- SANS Northern Virginia Bootcamp 2010, April 6-13 Bonus evening presentations include Safe Surfing: How to Surf the Net Without Getting PWND
http://www.sans.org/reston-2010/
- -- SANS Security West 2010, San Diego, May 7-15, 2010 23 courses. Bonus evening presentations include Killer Bee: Exploiting ZigBee and the Kinetic World
http://www.sans.org/security-west-2010/
- -- SANSFIRE 2010, Baltimore, June 6-14, 2010 38 courses. Bonus evening presentations include Software Security Street Fighting Style and The Verizon Data Breach Investigations Report
http://www.sans.org/sansfire-2010/
- -- SANSFIRE Rocky Mountain 2010, Denver, July 12-17, 2010 8 courses. Bonus evening presentations include Hiding in Plain Sight: Forensic Techniques to Counter the Advanced Persistent Threat
http://www.sans.org/rocky-mountain-2010/
- -- SANS Boston 2010, June 6-14, 2010 11 courses
http://www.sans.org/boston-2010/
Looking for training in your own community? http://sans.org/community/
Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/spring09.php
Plus Dubai, Geneva, Toronto, Singapore and Brisbane all in the next 90 days. For a list of all upcoming events, on-line and live: https://www.sans.org/index.php
*************************************************************************
TOP OF THE NEWS
Confidential Bank Reports to FDIC Show $120 Million Lost In Three Months To Online Banking Fraud (March 8, 2010)
FDIC Examiner Dave Nelson reported March 5 that malware on customer computers cost banks more than $40 million each month during the last full quarter for which he had data, July-September, 2009. The FDIC receives confidential reports from financial institutions, from which Nelson's estimates were generated. The hackers trick people into opening weaponized emails or into visiting web sites where their systems are infected. Nelson said business accounts do not receive the reimbursement protection that consumer accounts have, so a lot of small businesses and nonprofits have suffered some relatively large losses -- $25 million in the 3rd quarter of 2009. Hackers target small businesses where the security controls are weak.
-http://www.computerworld.com/s/article/9167598/FDIC_Hackers_took_more_than_120M_in_three_months?source=rss_news
-http://www.krebsonsecurity.com/2010/03/cyber-crooks-leave-bank-robbers-in-the-dust/
[Editor's Note (Pescatore): Let's put this in context: according to NACHA, in 3Q09 3.77 billion transactions representing $7.3 *trillion* dollars were processed by the Automated Clearing House electronic fund transfers. That $120M in fraud represents less than .00001% of the overall volume, essentially within rounding error.
(Paller): John Pescatore's note above almost had me persuaded cyber bank fraud wasn't worth fixing. Then I started calculating the number of deaths in automobile accidents as a fraction of all automobile trips. A similar calculation to John's would suggest the nation wasted its time and resources forcing auto manufacturers to build cars with seat belts and air bags and better bumpers. That was not a waste of resources. It is time the ISPs and financial institutions took responsibility for protecting their customers - the customers cannot do it themselves. Brian Krebs showed how bad the damage from these attacks can be.
-http://www.krebsonsecurity.com/2010/02/n-y-firm-faces-bankruptcy-from-164000-e-banking-loss/]
Growing Concern About Cyber Attacks in US, UK and EU (March 7 & 8, 2010)
A surge in cyber attacks against NATO and European Union IT systems has prompted warnings to restrict the flow of intelligence. China is believed to be the primary source of the attacks. The US government has also noted a significant increase in the number of attacks against its government systems. The UK's security minister says that computers in the country are under daily cyber attack from foreign states and terrorist groups. Lord West said that there have been "300 significant attacks" on UK government systems in the last year. He acknowledged the difficulty in attributing an attack to a specific country. He said there may come a time when the UK would feel obliged to retaliate.
-http://www.guardian.co.uk/technology/2010/mar/07/britain-fends-off-cyber-attacks
-http://technology.timesonline.co.uk/tol/news/tech_and_web/article7053254.ece
*************************** Sponsored Links ***************************
1) Attend an Online Demo of iPrism Web Filter and Get a $20 Amazon Giftcard! http://www.sans.org/info/55903
2) REGISTER NOW for the upcoming Ask The Expert Webcast: Privileged user monitoring - Automating compliance and managing risk http://www.sans.org/info/55908
*************************************************************************
THE REST OF THE WEEK'S NEWS
Thailand Approves Extradition of Alleged Cyber Criminal (March 8, 2010)
Thailand's criminal court has approved the extradition of Gooi Kokseng to the US to face charges in a cyber theft case involving credit card information. The group of which he is believed to be a member allegedly stole credit card information and sold it to others who manufactured counterfeit cards. The cyber crime ring is allegedly responsible for more than US $150 million in losses. Kokseng, who is Malaysian, will be held for 30 days in Thailand before he is extradited.
-http://www.theregister.co.uk/2010/03/08/thailand_extradites_hacking_suspect/
-http://www.computerworld.com/s/article/9167019/Thailand_approves_credit_card_hacker_s_extradition_to_US
-http://www.bangkokpost.com/news/local/170426/malaysian-hacker-to-be-extradited
-http://www.nationmultimedia.com/home/2010/03/04/national/Court-agrees-to-extradite-Malaysian-to-the-US-30123936.html
US to Allow Export of Internet Applications to Cuba, Iran and Sudan (March 8, 2010)
The US government plans to lift embargoes on the export of Internet-based applications to Cuba, Iran, and Sudan, countries where free speech rights are often suppressed. The Treasury Department has granted several general licenses to offer instant messaging, chat, e-mail and social networking services to the three countries.
-http://www.computerworld.com/s/article/9167558/Update_U.S._lifts_Iran_Sudan_Cuba_Internet_services_export_ban?taxonomyId=17
-http://voices.washingtonpost.com/posttech/2010/03/us_to_allow_exports_of_faceboo.html
-http://government.zdnet.com/?p=7515
Ford to Offer Wi-Fi and Improved Security in Next Generation SYNC (March 8, 2010)
Sync, technology that allows drivers to connect media players and Bluetooth devices to their cars' entertainment systems, has been available in certain Ford, Lincoln and Mercury models since 2008. Ford plans to add Wi-Fi access and web surfing capability to Sync, available only when the car is in park. Because the Internet connectivity may prove tempting to attackers, Ford is also developing a set of security features to protect drivers' personal data and the cars' critical systems from cyber intruders. Included is a firewall that determines what information passes between the entertainment system and the vehicle's other computers. The entertainment computer will not allow applications to be downloaded or executed. Updates to the entertainment system software must be downloaded on a PC, saved to a USB drive, and then transferred to the car's system.
-http://gadgetwise.blogs.nytimes.com/2010/03/08/ford-adds-security-and-other-features-to-sync-system/
-http://www.darkreading.com/vulnerability_management/security/client/showArticle.jhtml?articleID=223200163
Trojan Found in Battery Charger Software Download (March 7 & 8, 2010)
A download for the Energizer DUO battery charger software has been found to contain a Trojan horse program. The malware is capable of sending files to the attackers or downloading even more malware. Initial investigations indicate that the Trojan has been in the software since May 2007. US-CERT has issued an advisory about the issue. The software involved is a Windows application that allows users to view the charging status of the batteries.
ISC: -http://isc.sans.org/diary.html?storyid=8386
-http://www.computerworld.com/s/article/9166978/Energizer_Bunny_s_software_infects_PCs?taxonomyId=17
-http://www.theregister.co.uk/2010/03/08/energizer_trojan/
-http://www.kb.cert.org/vuls/id/154421
Critical Flaw in Opera (March 5 & 8, 2010)
A critical buffer overflow vulnerability in Opera could be exploited to crash browsers, and possibly to execute code remotely. An Opera spokesperson said that remote code execution "is extremely difficult, if not impossible." Users are advised to enable data execution prevention (DEP) until a fix is available. DEP is not enabled by default. Opera is working on a patch. The vulnerability has been confirmed in version 10.50; earlier versions may be vulnerable as well. Users can also switch to another browser until the flaw is fixed.
-http://www.theregister.co.uk/2010/03/05/opera_vulnerability/
-http://www.h-online.com/security/news/item/Dangerous-security-hole-in-Opera-948277.html
-http://blogs.zdnet.com/security/?p=5619
[Editor's Note (Pescatore): There is a lot of confusion around this vulnerability. Opera does not make it easy to figure out what vulnerabilities are serious, or where to find patches.]
Will Mariposa Arrests Prove to be a Deterrent? (March 4, 5 & 8, 2010)
The three alleged ringleaders of the Mariposa botnet who were arrested in Spain last month may not ever go to jail because Spain does not have legislation that addresses their alleged crimes. Merely owning and operating a botnet are not punishable offenses in Spain; to increase the likelihood of prison time, investigators need to produce credible evidence that the men also engaged in data theft and identity fraud. The Mariposa botnet is believed to have helped its operators steal personal information of more than 800,000 people. Opinion is mixed about whether the arrests will have an impact on others who are tempted to try similar schemes. While some view the arrests as a deterrent to others, others say that in general, people arrested for cybercrime are not the brains behind the operation, but the administrators of a system created by the masterminds. The catch in this situation is that while it is illegal to use malicious software, it is not illegal to write it, making prosecution of the authors unlikely if they were ever to be caught. Others note that to win the fight against botnets, international cybercrime law must be harmonized and Internet service providers (ISPs) must "be willing to identify affected machines and quarantine them while informing customers of" the infection.
-http://www.krebsonsecurity.com/2010/03/mariposa-botnet-authors-may-avoid-jail-time/
-http://www.cnn.com/2010/TECH/03/05/cyberattack.prosecute/index.html
-http://www.theregister.co.uk/2010/03/08/botnet_takedown_analysis/
Westin Hotel in LA Acknowledges Data Breach (March 5 & 7, 2010)
A Los Angeles hotel has acknowledged that attackers gained access to some of its computer systems last year. Customers who ate at one of the Westin Bonaventure Hotel & Suites' four restaurants or used the hotel's valet service and paid with a credit or debit card may be at risk for fraud. The attack or attacks occurred sometime between April and December 2009. The attackers did not access the system that contains hotel guest data.
-http://www.computerworld.com/s/article/9166898/Westin_hotel_in_LA_reports_possible_data_breach?taxonomyId=17
-http://content.usatoday.com/communities/hotelcheckin/post/2010/03/hackers-breach-westin-bonaventure-los-angeles-networks-cybercriminal/1
-http://www.prnewswire.com/news-releases/area-dining-establishments-informed-of-possible-data-security-breach-86678532.html
Irish Companies Reporting Cyber Extortion (March 5 & 6, 2010)
Ireland's Garda Bureau of Fraud Investigation is looking into reports of cyber extortion at small companies. The perpetrators gain access to company systems that lack adequate security and encrypt the company's data, demanding payment in return for unlocking the information. Garda believe that the attacks emanate from the US. So far, the demands have been relatively small; one company reported that they were asked to pay US $700 for a code that would decrypt the data. Companies that have been targeted by cyber extortionists are asked to contact Garda.
-http://www.siliconrepublic.com/news/article/15466/cio/hackers-hit-irish-businesses
-http://www.independent.ie/business/irish/hackers-in-us-target-firms-here-to-extort-cash-2090901.html
[Editor's Note (Honan): An interesting twist to this case is that the cyber criminals altered the companies' backup software a number of weeks before the attack so that it no longer backed up their data. This resulted in the victims not being able to access data from recent backups when the criminals encrypted the information on their systems. This story demonstrates that setting up technical controls to protect your data is not good enough if you do not validate those controls are working.]
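The lesson in the note above (backup jobs that still report success while producing nothing, weeks before the data is encrypted) is the kind of silent failure a scheduled validation check catches. The following is an added example written for this issue, not code from the Garda case, Brian Honan, or any backup product: it validates a constructed log of backup runs for recency, non-empty archives and hash integrity, and compares the backup agent's configuration against an approved baseline so that tampering with the agent itself is noticed. All records, archive bytes and configuration strings are constructed sample data.

```python
"""Backup-control validation: catches backups that "succeed" but protect nothing."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class BackupRun:
    finished_at: datetime
    status: str           # "ok" or "failed", as reported by the (possibly tampered) agent
    archive: bytes        # constructed: the archive contents as read back from backup storage
    recorded_sha256: str  # hash the agent logged when it wrote the archive


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def validate_backups(runs, now, max_age=timedelta(days=1)):
    """Return a list of human-readable findings; an empty list means the control is working."""
    findings = []
    ok_runs = [r for r in runs if r.status == "ok"]
    if not ok_runs:
        findings.append("no successful backup on record")
    else:
        # Recency: the agent's own "ok" status is not trusted on its own, but a gap is a finding.
        newest = max(ok_runs, key=lambda r: r.finished_at)
        age = now - newest.finished_at
        if age > max_age:
            findings.append(f"newest successful backup is {age.days} days old (limit {max_age.days})")
    for r in ok_runs:
        # Content: a successful run must have produced data, and that data must still match
        # the hash recorded at backup time (detects both corruption and later alteration).
        if len(r.archive) == 0:
            findings.append(f"{r.finished_at.date()}: archive is empty")
        elif sha256(r.archive) != r.recorded_sha256:
            findings.append(f"{r.finished_at.date()}: archive hash mismatch (corrupted or altered)")
    return findings


def check_agent_config(config_bytes: bytes, baseline_sha256: str) -> bool:
    """True if the backup agent's configuration still matches the approved baseline."""
    return sha256(config_bytes) == baseline_sha256


# ---- constructed sample data (hypothetical; not taken from the news item) ----
NOW = datetime(2010, 3, 5, 8, 0, tzinfo=timezone.utc)
GOOD_ARCHIVE = b"full backup: customer ledger, invoices, mailboxes\n" * 100
EMPTY = b""  # what the altered agent produced while still logging "ok"

SAMPLE_RUNS = [
    BackupRun(NOW - timedelta(days=30), "ok", GOOD_ARCHIVE, sha256(GOOD_ARCHIVE)),
    BackupRun(NOW - timedelta(days=21), "ok", EMPTY, sha256(EMPTY)),  # agent tampered here
    BackupRun(NOW - timedelta(days=1), "ok", EMPTY, sha256(EMPTY)),
]

AGENT_CONFIG_BASELINE = b"include=/srv/data\nschedule=daily\nretention=30\n"
AGENT_CONFIG_CURRENT = b"include=/srv/empty\nschedule=daily\nretention=30\n"  # constructed tampering
BASELINE_SHA256 = sha256(AGENT_CONFIG_BASELINE)


def sample_findings():
    """Run the check over the constructed log; returns the findings list."""
    return validate_backups(SAMPLE_RUNS, NOW)


if __name__ == "__main__":
    for f in sample_findings():
        print("FINDING:", f)
    print("agent config matches baseline:", check_agent_config(AGENT_CONFIG_CURRENT, BASELINE_SHA256))
```

On the sample data the recency check passes (the agent ran yesterday and reported "ok"), which is exactly why status alone is not enough: the two empty archives and the changed agent configuration are what reveal that the control stopped working three weeks before anything was encrypted. In practice the archive bytes would come from a periodic test restore rather than from memory, and the configuration baseline would be kept somewhere the backup host cannot write to.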
Phishers Used Facebook to Penetrate Financial Firm's Computer System (March 4, 2010)
Phishers used Facebook to burrow their way into the network of a large US financial company last year. The attackers took control of one employee's Facebook account and using information culled from that individual's friends' profiles, sent what appeared to be personal messages to several other company employees about pictures taken at a company picnic. The phishers learned of the picnic through postings on the hijacked account. When one of the other employees received a message asking her to click on a link that would allow her to view the pictures, her computer became infected with keystroke logging malware. When that employee logged in to a VPN account to access the company network, the attackers were able to capture the necessary information to gain access to that network. The intruders managed to get deeper into the network and take control of two servers before they were detected.
-http://lastwatchdog.com/facebook-phishers-breached-corporate-network/
FBI Director Says Cyber Terrorism Threat is Growing (March 4, 2010)
Speaking at the RSA conference in San Francisco last week, FBI Director Robert S. Mueller said that the threat of cyber terrorism is "real and ... rapidly expanding." Mueller also said that cyber criminals have broken into IT systems at private companies and government agencies and not only stolen information, but corrupted data as well. While Mueller did not provide any details about what data had been corrupted or in what way data had been corrupted, he did note that attackers who gain access to source code could change it to allow them to plant malware or access systems later. Mueller said that the government cannot fight cyber attacks alone; the public and private sectors need to cooperate and share information. In particular, he urged companies to notify the government when they have been attacked.
-http://www.washingtonpost.com/wp-dyn/content/article/2010/03/04/AR2010030405066.html?nav=rss_nation/special
-http://www.computerworld.com/s/article/9166378/FBI_Director_Hackers_have_corrupted_valuable_data
**********************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/