SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XII - Issue #87

November 02, 2010

A special invitation for DC-area folks: Join us for breakfast with two of the nation's top experts on cybercrime, the FBI DAD of the Cyber Division, Steve Chabinsky, and Dr. James Mulvenon, a wizard on the Chinese military, its financial activity and cyber warfare. Probably will be one of the great breakfast meetings of the year and it's free because Northrop Grumman is sponsoring it.
http://www.govexec.com/cyber_insider/Nov9-2010.html

---

TOP OF THE NEWS

Technology and the Courtroom
India Drops Plan to Ban Blackberry Support

THE REST OF THE WEEK'S NEWS

Facebook Bans Developers for Selling User IDs
Android Market Bans Spyware App
Disgruntled Former Employee Draws Prison Sentence for Deleting Files
Bredolab Spamit.com Connection
Adobe Fixes 11 Vulnerabilities in Shockwave
Indiana AG Suing WellPoint Over Delay in Data Breach Notification
Prison Term for Selling Pirated Software
Former IT Worker Sentenced for Stealing and Using Co-Workers' Personal Data

---

************************ Sponsored By zScaler **********************
ONLINE FIRESIDE CHAT with Gartner: IPAD + FACEBOOK + BLENDED THREATS = IT NIGHTMARE Are you doing enough to manage your security risk in the Web 2.0 world? Join Peter Firstbrook of GARTNER who will address the growing security concerns and ways to combat them. Nov 16 at 10am PST / 1pm EST http://www.sans.org/info/66388 ************************************************************************* TRAINING UPDATE New "Combating Malware in the Enterprise" course at SANS (SEC569). How do you fight off malware when you have thousands of hosts? Course debut in Las Vegas (Sept'10) and Washington DC (Dec'10):

http://www.sans.org/security-training/combating-malware-enterprise-1482-mid
- -- SANS San Francisco 2010, November 5-12, 2010 7 courses. Bonus evening presentations include Weaponizing LISP: Advancing the Art of Network Security

http://www.sans.org/san-francisco-2010/
- -- SANS London 2010, November 27-December 6, 2010 14 courses. Bonus evening presentations include Latest Advances in Computer Forensics and Continuous Vulnerability Testing and Remediation: The 20 Critical Security Controls Perspective

http://www.sans.org/london-2010/
- -- SANS Cyber Defense Initiative 2010, Washington DC, December 10-17, 2010 24 courses. Bonus evening presentations include Browser Based Defenses; Continuous Vulnerability Testing and Remediation: the 20 Critical Security Controls Perspective; and Cyberwar or Business as Usual? The State of US Federal CyberSecurity Efforts

http://www.sans.org/cyber-defense-initiative-2010/
- -- SANS Security East 2011, New Orleans, LA, January 20-27, 2011 12 courses. Bonus evening presentations and special events include Happy Little Clouds: Governing, Assessing and Auditing Cloud Environments and Future Trends in Network Security

http://www.sans.org/security-east-2011/
- -- Looking for training in your own community?

http://sans.org/community/
Save on On-Demand training (30 full courses) - See samples at

http://www.sans.org/ondemand/discounts.php#current
Plus San Antonio, Geneva, Tokyo, Sydney, Manama and Muscat all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php *********************************************************

---

TOP OF THE NEWS

Technology and the Courtroom (November 1, 2010)

During the jury selection process this week for Oracle's corporate theft lawsuit against SAP, potential jurors were warned that if they are selected, they will not be permitted to post about the case on Twitter or Facebook. They will also be prohibited from conducting online searches pertaining to the case. The need to be explicit about technological expectations of jurors has its basis in fact. In one instance, a juror sent a Facebook friend request to a key witness; in another, a juror posted Twitter messages regarding court proceedings. The Judicial Conference of the United States recently endorsed new jury instructions that address these issues.
-http://www.computerworld.com/s/article/9194267/Jurors_banned_from_using_Twitter_
on_Oracle_SAP_trial_?taxonomyId=17
-http://www.law.com/jsp/tx/PubArticleTX.jsp?id=1202473365917&slreturn=1&h
bxlogin=1
[Editor's Note (Schultz): The extent to which social networking has changed society (including its legal processes) is mindboggling. Confidentiality breaches can now happen so quickly and in so many new ways as compared to just a few years ago. ]

India Drops Plan to Ban Blackberry Support (November 1, 2010)

India's Ministry of Home Affairs has acknowledged that it will not ban BlackBerry services in that country, as it had planned to do by the end of October. BlackBerry parent company Research in Motion (RIM) and the Ministry reached an interim agreement regarding government access to data sent over the BlackBerry network. RIM has promised a final proposal by January 31, 2011. India was one of several countries threatening to ban BlackBerry services if the company could not provide a means for the government to monitor data sent over that network. The United Arab Emirates (UAE) cancelled a similar planned ban in early October, saying that RIM had offered a workable solution.
-http://news.cnet.com/8301-1035_3-20021328-94.html?tag=mncol;title

---

************************* Sponsored Links *************************
1) InstantSecurityPolicy.com - Quick, Custom IT Security Policy Templates, Delivered Online - Comprehensive, Complete and 100% Guaranteed http://www.sans.org/info/66393
2) In Case you missed it... Tool Talk Webcast: Tool Talk: Securing Services at the Network Edge - Combining Security Enforcement and Governance Sponsored By: Intel Register at: http://www.sans.org/info/66398
3) Webinar: Learn about the new PCI-compliant cloud reference architecture from VMware, HyTrust, Cisco, Savvis & Coalfire. http://www.sans.org/info/66403 ********************************************************************

---

THE REST OF THE WEEK'S NEWS

Facebook Bans Developers for Selling User IDs (November 1, 2010)

Facebook has banned a number of developers from connecting to the social network for six months after it learned that they had been selling user information to data brokers. Facebook discovered the problem while conducting an investigation into a flaw that caused Facebook user identifiers (UIDs) to be shared inadvertently. Facebook did not specify which developers have been banned, but did say that the decision affects fewer than a dozen and none of the applications are among the social network's 10 most popular. Once the six months are over, companies wishing to return to the site mist submit their data practices to an audit before they will be permitted to access Facebook.
-http://www.nytimes.com/external/readwriteweb/2010/11/01/01readwriteweb-facebook-
declares-zero-tolerance-for-data-b-40638.html?ref=technology
-http://www.computerworld.com/s/article/9194199/Facebook_hits_developers_that_pas
sed_user_IDs_to_data_broker?taxonomyId=17
-http://www.bbc.co.uk/news/technology-11665120
[Editor's Note (Northcutt): My summary: "Yes, it happened on our system (Facebook), but we didn't do it so it was not our fault. Yes, we didn't detect it; the Wall Street Journal did, but it was not as bad as they claimed and we banned the guilty parties for six months." Well, I guess as long as it didn't mess up FarmVille, all is well.]

Android Market Bans Spyware App (October 30 & November 1, 2010)

The Google Android Market has banned an application that surreptitiously forwards all SMS text messages to another device. The app, Secret SMS Replicator, violates the Android Market Content Policy. The app appears to be designed to be installed on users devices without their knowledge and because "there is no visible icon or shortcut to access it, ... once it's installed, it will continue to monitor without revealing itself," according to Zak Tanjeloff, CEO of DLP Mobile, which developed the app.
-http://www.nytimes.com/external/readwriteweb/2010/11/01/01readwriteweb-google-bo
ots-spyware-app-from-android-marke-88079.html?ref=technology
-http://economictimes.indiatimes.com/tech/internet/Google-bans-phone-apps-used-in
-spying/articleshow/6841699.cms

Disgruntled Former Employee Draws Prison Sentence for Deleting Files (October 29 & November 1, 2010)

A Virginia man has been sentenced to 27 months in prison for deleting files from his former employer's computer system. Darnell H. Albert-El admitted using his still-active account with administrative privileges to access the Transmarx website and delete 1,000 files in July 2008, a month after he was dismissed from his job there as IT Director. The information was backed up, so Transmarx was able to restore it. Albert-El was also ordered to pay US $6,700 in restitution.
-http://www.computerworld.com/s/article/9194027/IT_director_gets_jail_term_for_ha
cking_former_employer_s_site?taxonomyId=17
-http://www.theregister.co.uk/2010/11/01/it_director_revenge_hack/
-http://www.justice.gov/usao/vae/Pressreleases/10-OctoberPDFArchive/10/20101029tr
ansmarxnr.html

Bredolab Spamit.com Connection (October 29 & 30 & November 1, 2010)

The man arrested last week in Armenia in connection with the Bredolab botnet, Georg Avanesov, has been linked to the Spamit.com group, which is believed to be responsible for a significant amount of pharmaceutical spam worldwide. Bredolab was taken down by Dutch National Crime Squad's High Tech Crime Team; it was believed to have infected at least 30 million PCs. Avanesov is believed to be the ringleader behind Bredolab.
-http://krebsonsecurity.com/2010/10/bredolab-mastermind-was-key-spamit-com-affili
ate/
-http://www.computerworld.com/s/article/9194019/Russian_Armenian_botnet_suspect_r
aked_in_140_000_a_month?taxonomyId=17
-http://www.infosecurity-magazine.com/view/13620/bredolab-downed-botnet-linked-wi
th-spamitcom/

Adobe Fixes 11 Vulnerabilities in Shockwave (October 29, 2010)

Adobe has released an update for Shockwave to fix 11 security flaws in Media Player. One of the vulnerabilities fixed is being actively exploited. Users are urged to update to Shockwave version 11.5.9.615. This update is unrelated to the forthcoming announced out-of-band updates scheduled for Flash, Reader and Acrobat.
-http://www.h-online.com/security/news/item/Adobe-patches-11-holes-in-Shockwave-P
layer-1127504.html
-http://news.softpedia.com/news/Adobe-Patches-Critical-Vulnerabilities-in-Shockwa
ve-Player-163597.shtml

Indiana AG Suing WellPoint Over Delay in Data Breach Notification (October 29 & November 1, 2010)

Health insurance company WellPoint is facing a US $300,000 lawsuit for failing to notify customers that their personal data had been compromised in an online data breach. The lawsuit was brought by Indiana Attorney General Gregory Zoeller; the suit alleges that the information was exposed for more than 130 days and that while the company learned of the breach in February, it did not begin notifying affected customers until June. The compromised information includes payment card information and medical record data. The breach is estimated to have affected 470,000 customers, approximately 32,000 of whom are Indiana residents.
-http://www.businessweek.com/ap/financialnews/D9J5JNK00.htm
-http://www.healthdatamanagement.com/news/wellpoint-breach-lawsuit-indiana-attorn
ey-general-41280-1.html

Prison Term for Selling Pirated Software (October 29 & 30, 2010)

A Texas man, Todd Alan Cook, has been sentenced to 18 months in prison for selling pirated software online. The judge in the case also ordered Cook to pay nearly US $600,000 in restitution. Earlier this year Cook pleaded guilty to criminal copyright infringement. For nearly two years, Cook and his father, Robert D. Cook and a third individual, operated websites through which they sold counterfeit software. The value of the pirated software has been estimated at more than US $1 million. The elder Cook is scheduled for sentencing on December 3.
-http://www.computerworld.com/s/article/9194042/Texas_man_sentenced_for_selling_p
irated_software_online?taxonomyId=82
-http://www.eweek.com/c/a/Security/Texas-Man-Sentenced-to-18-Months-for-Software-
Piracy-187275/

Former IT Worker Sentenced for Stealing and Using Co-Workers' Personal Data (October 28 & 29, 2010)

A man who worked for five years in the IT department at the University of California San Francisco Medical Center has been sentenced to 366 days in prison for stealing co-workers' personal data. Cam Giang was fired from his position after his employer learned that he had been using colleagues' names, birthdates and Social Security numbers (SSNs) to fill out online surveys for which he received US $100 Amazon vouchers. Nearly 500 employees were affected by Giang's scheme. The scheme was discovered when employees began complaining that they were unable to complete the online survey because their information had already been used.
-http://www.theregister.co.uk/2010/10/29/sysadmin_jailed_amazon_shopping_voucher_
scam/
-http://www.pcworld.com/businesscenter/article/209157/it_worker_gets_prison_after
_stealing_data_for_online_surveys.html

---

**********************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer at the North American Energy Reliability Commission (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/