Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XII - Issue #71

September 07, 2010

TOP OF THE NEWS

Google Agrees to Pay US $8.5 Million to Settle Buzz Lawsuit
NIST Issues Smart Grid Security Guidelines

THE REST OF THE WEEK'S NEWS

Swedish Police Crack Down on Filesharers
Unencrypted Flash Drive Found on Street Contains Police Data
Scareware Variant Serves Look-Alike Browser Warning Pages
FIFA Fan Database Allegedly Stolen and Sold
DHS IG Says Customs and Border Patrol Needs to Address Cyber
Security Issues
Former MI6 Software Engineer Gets One-Year Sentence for Attempting
to Sell Information
12-Year Sentence for Advance-Fee Scam Mastermind
Facebook Introduces Remote Device Logout Feature


************************** Sponsored By SANS ***********************
SANS introduces two new free whitepaper resources - -McAfee Total Protection for Server Review - http://www.sans.org/info/64428 - -A Guide to Virtualization Hardening Guides - http://www.sans.org/info/64433 Visit our reading room often for free resources! http://www.sans.org/info/64438
*********************************************************************

TRAINING UPDATE

New "Combating Malware in the Enterprise" course at SANS (SEC569). How do you fight off malware when you have thousands of hosts? Course debut in Las Vegas (Sept'10) and Washington DC (Dec'10):
http://www.sans.org/security-training/combating-malware-enterprise-1482-mid

-- SANS Network Security 2010, Las Vegas, September 19-27, 2010 41 courses. Bonus evening presentations include The Return of Command Line Kung Fu and Cyberwar or Business as Usual? The State of US Federal CyberSecurity Initiatives
http://www.sans.org/network-security-2010/

-- SOS: SANS October Singapore, October 4-11, 2010 6 courses
http://www.sans.org/singapore-sos-2010/

-- SANS Chicago 2010, Skokie, Illinois, October 25-30, 2010 6 courses. Bonus evening presentations include Weaponizing LISP: Advancing the Art of Network Security and Examining the Global Underground of Malicious Actors
http://www.sans.org/chicago-2010/night.php

-- SANS San Francisco 2010, November 5-12, 2010 7 courses. Bonus evening presentations include Weaponizing LISP: Advancing the Art of Network Security
http://www.sans.org/san-francisco-2010/

-- SANS London 2010, November 27-December 6, 2010 14 courses. Bonus evening presentations include Latest Advances in Computer Forensics and Continuous Vulnerability Testing and Remediation: The 20 Critical Security Controls Perspective
http://www.sans.org/london-2010/

-- SANS Cyber Defense Initiative 2010, Washington DC, December 10-17, 2010 24 courses. Bonus evening presentations include Browser Based Defenses; Continuous Vulnerability Testing and Remediation: the 20 Critical Security Controls Perspective; and Cyberwar or Business as Usual? The State of US Federal CyberSecurity Efforts
http://www.sans.org/cyber-defense-initiative-2010/

-- Looking for training in your own community? http://sans.org/community/ Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus London, Dubai, Geneva, Bangalore, San Antonio and Sydney all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

********************************************************

TOP OF THE NEWS

Google Agrees to Pay US $8.5 Million to Settle Buzz Lawsuit (September 3, 5 & 6, 2010)

Google will pay US $8.5 million to settle a class-action lawsuit alleging the company violated users' privacy when it launched the Google Buzz social network in February 2010. The class action lawsuit consolidates several civil suits that had been filed against Google. The lion's share of the money will go to organizations focused on Internet privacy. The settlement proposal still needs a federal judge's approval.
-http://www.theregister.co.uk/2010/09/05/google_buzz_suit_settlement/
-http://www.bbc.co.uk/news/technology-11198297
-http://www.computerworld.com/s/article/9183638/Google_settles_Buzz_privacy_lawsu
it?taxonomyId=17

[Editor's Note (Pescatore): That fine equates to about 0.12% of Google's 2Q2010 advertising revenue, or a little over 2 cents per share off of Google's earnings. That doesn't seem very significant - but more importantly Google Buzz failed in the market and Google let it die off. I like to think the backlash against the privacy violations played a role in the failure of Buzz. (Liston): Google's early string of successes has given way to a series of high-profile privacy and "product" failures. These two problems appear to be related to a single root cause that in an earlier time might have been called "hubris." Google needs to reexamine its direction in light of a growing public sentiment that the search giant's reach may have extended too far.
(Schultz): Google's mission is to make all kinds of information available to the masses. While this is an admirable goal, Google is running into increasingly formidable legal and other barriers. It is thus time for Google's senior management to modify this company's vision ]

NIST Issues Smart Grid Security Guidelines (September 2 & 3, 2010)

The National Institute of Standards and Technology (NIST) has published "Guidelines for Smart Grid Cyber Security," a three-volume, 537-page report aimed at "facilitat
[ing ]
organization-specific Smart Grid cyber security strategies focused on prevention, detection, response and recovery." The publication includes "high-level security requirements, a framework for assessing risks, an evaluation of privacy issues at personal residences, and additional information for businesses and organizations to use as they craft strategies to protect the modernizing power grid from attacks, malicious code, cascading errors and other threats."
-http://www.informationweek.com/news/government/security/showArticle.jhtml?articl
eID=227300159

-http://gcn.com/Articles/2010/09/03/NIST-Smart-Grid-security-guidelines.aspx?admg
area=TC_SECURITY&p=1

-http://www.nist.gov/public_affairs/releases/nist-finalizes-initial-set-of-smart-
grid-cyber-security-guidelines.cfm

-http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7628
[Editor's Note (Liston): Unfortunately, "smart grid" is just the latest in a series of technologies that have been deployed with security as an afterthought. While I applaud any effort to better secure our infrastructure, it's a bit late to talk about "security strategies" at this stage of the game. The key question is whether some of the quite-sound recommendations can be retrofit into the existing deployment models. (Pescatore): There is still an opportunity for better security to be built-in to the smart grid build out, vs. try to pretend a compliance regime like NERC/CIP will force it in later. Section 7 of the third volume has a good attack surface analysis that should be a starting point.
(Paller): John Pescatore's comment illustrates one reason that this NIST document and others like 800-53 are exacerbating the nation's cyber risk instead of helping to mitigate the risk. NIST buried the critical information (the attack surface) in the 7th chapter of the third volume (after lengthy, but non-specific descriptions of 197 separate controls in more than 350 pages). A central tenet of effective security is that offense informs defense. In other words, do the most important things first! That means guidance must start with, and be organized around, the attack surface; and guidance must be prioritized according to risk from each attack vector. Which of the 197 recommendations matter most? Which must be implemented first? How will we know that they were implemented effectively? If NIST doesn't know the answers to those basic questions, what are they doing writing guidance? For failing to prioritize the guidance, and for burying readers in information of little immediate consequence, NIST earns a grade of "D" on its new report. ]


********** REALLY INTERESTING NEW PROGRAM ON SCADA SECURITY **************
How has the threat to control systems changed during the last year? Who are the new attackers? What actually happened in the Stuxnet worm attacks? What did DHS and DoD find when they conducted security assessments in control utilities and other control system users? What new technology allows some SCADA engineers to sleep well at night not worrying about attackers hacking into their control systems? Find answers to these questions and more at the: SANS 2010 European SCADA Security Summit in London next month, focusing on "changing form talk to action" You'll also learn innovative and effective governments and power companies and other industries are doing to counter the threats.
http://www.sans.org/info/64398 ****************************************************************************

THE REST OF THE WEEK'S NEWS

Swedish Police Crack Down on Filesharers (September 6, 2010)

Police in Sweden have raided the homes of two people believed to be responsible for running Direct Connect filesharing hubs. Police reportedly impounded a computer and questioned one suspect. The cases against the suspected filesharers are part of a move by Swedish authorities to step up efforts to fight illegal filesharing in that country.
-http://www.pcworld.com/businesscenter/article/204910/swedish_authorities_step_up
_battle_against_filesharers.html

-http://www.unitethecows.com/content/265-swedish-pirates-under-fire.html
[Editor's Note (Honan): There is an update to this story as the police raids have increased not only in Sweden but also throughout Europe in The Netherlands, Italy, Belgium, Norway, Germany, Great Britain, the Czech Republic and Hungary.
-http://www.pcworld.com/article/204924/police_in_europe_conduct_raids_over_filesh
aring_sites.html

-http://www.thinq.co.uk/2010/9/7/pirate-bay-down-police-swoop-across-europe/]

Unencrypted Flash Drive Found on Street Contains Police Data (September 6, 2010)

A flash drive found on the street in Manchester, UK contains police anti-terror training information and personnel data. The device, which had a logo on it identifying it as belonging to the Greater Manchester Police Public Order Training Unit, was found outside a police station in Stalybridge, Greater Manchester. The drive was not encrypted. GMP Superintendent Bryan Lawton said his organization is looking into the incident.
-http://www.scmagazineuk.com/usb-stick-containing-police-information-on-riot-cont
rol-and-officers-names-and-ranks-found-on-a-pavement/article/178308/

-http://www.theregister.co.uk/2010/09/06/anti_terror_usb_stick_dumped/

Scareware Variant Serves Look-Alike Browser Warning Pages (September 6, 2010)

A new set of scareware attacks use pop-ups that look just like browser warning pages. The malware, known as MSIL/Zeven, discerns which browser is running, then serves a page that appears to be a warning from IE, Firefox or Chrome. The pages warn users that their systems are infected with malware and urge the users to run a phony anti-virus program called Win7 AV. The warnings arise from malicious scripts on compromised websites.
-http://www.h-online.com/security/news/item/MSIL-Zeven-malware-impersonates-warni
ng-pages-1073435.html

-http://www.theregister.co.uk/2010/09/06/scareware_fakes_browsers_warnings/
-http://blogs.technet.com/b/mmpc/archive/2010/09/01/rogue-msil-zeven-wants-a-piec
e-of-the-microsoft-security-essentials-pie.aspx

FIFA Fan Database Allegedly Stolen and Sold (September 5, 2010)

The UK information Commissioner's office (ICO) has launched an investigation into allegations that someone sold information from a database of FIFA World Cup Soccer tournament attendees for GBP 500,000 (US $770,000). The data breach appears to affect as many as 250,000 people who purchased World Cup tickets from FIFA outlets for the 2006 World Cup event that was held in Germany. Investigators are trying to determine who stole the information and why that database was not destroyed. The compromised data may include passport information.
-http://www.dailymail.co.uk/news/article-1309099/Stolen-sold-Private-details-thou
sands-World-Cup-fans.html

-http://www.guardian.co.uk/football/2010/sep/05/fifa-passports-claims
[Editor's Note (Honan): Both this story and the story on the "Former MI6 Software Engineer Gets One-Year Sentence for Attempting to Sell Information" highlight the insider threat is alive and well. ]

DHS IG Says Customs and Border Patrol Needs to Address Cyber Security Issues (September 2, 2010)

According to a report from the Department of Homeland Security's (DHS) Inspector General (IG), the US Customs and Border Patrol (CBP) has a number of cyber security issues to address. The report found that there was no regular review of employee access rights changes; no strong password enforcement; that systems were not configured to lock users out after a certain number of failed login attempts; that accounts were still active after 45 days of inactivity; and that users were not restricted to accessing the least amount of info necessary to perform their duties.
-http://www.nextgov.com/nextgov/ng_20100902_6263.php?oref=topnews

Former MI6 Software Engineer Gets One-Year Sentence for Attempting to Sell Information (September 3, 2010)

A software engineer who worked for the UK's MI6 Secret Intelligence Service has been sentenced to a year in jail for trying to sell electronic copies of secret information. Daniel Houghton pleaded guilty to violations of the Official Secrets Act. Among the information Houghton was attempting to sell were details of data gathering software and lists of MI6 staff members. Houghton tried to sell the information to Dutch agents, who initially thought the offer was a hoax, but eventually alerted MI6 to the situation. Houghton was scheduled to be released on Friday, September 3 because he has already served 184 days in custody.
-http://www.bbc.co.uk/news/uk-england-london-11176434
-http://www.guardian.co.uk/world/2010/sep/03/mi6-man-jailed-selling-names

12-Year Sentence for Advance-Fee Scam Mastermind (September 3, 2010)

Okpako Mike Diamreyan has been sentenced to more than a dozen years in prison for his role in masterminding an advance-fee scam, also known as a 419 scam, that brought in more than US $1.3 million. Diamreyan was also ordered to pay more than US $1 million in restitution to the 67 people from whom he stole money between 2004 and 2009. Prosecutors were able to convict Diamreyan because he moved to the US in 2008 when he married a US citizen. He continued his illegal activity once he arrived in the country; some of his victims were more comfortable working with someone already in the country.
-http://www.theregister.co.uk/2010/09/03/419_scammer_sentenced/
-http://www.computerworld.com/s/article/9183578/Nigerian_advance_fee_scammer_gets
_12_years?taxonomyId=17

Facebook Introduces Remote Device Logout Feature (September 2, 2010)

Facebook is introducing a feature that allows users to check if they are logged into their accounts through other computers and log out of those active sessions remotely. This feature builds on a notification feature that Facebook introduced earlier this year that alerts users when other devices log into their accounts. Multiple devices logged in to the account can occur when users access their Facebook accounts through friends' computers, through a public computer such as one at a library, or through other devices. In addition, Facebook accounts are increasingly being hacked and used by spammers to send out their unsolicited messages.
-http://www.eweek.com/c/a/Security/Facebook-Security-Feature-Adds-Remote-Logout-3
12113/

-http://news.cnet.com/8301-27080_3-20015482-245.html?tag=mncol;title
-http://www.pcworld.com/businesscenter/article/204780/to_boost_security_facebook_
adds_remote_logout.html

[Editor's Note (Northcutt): That is a sensible addition, apparently it is not available just yet, but here is the Facebook blog on the topic:
-http://www.facebook.com/notes/facebook-security/forget-to-log-out-help-is-on-the
-way/425136200765
]


**********************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer at the North American Energy Reliability Commission (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit
http://portal.sans.org/