SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XII - Issue #95

December 03, 2010


SANS 2011 will be back in Orlando in March, and registration has just opened.
This is the main SANS conference, the one where classes (e.g. Reverse Engineering Malware, Network Forensics, Penetration Testing, and Forensics) sell out. See all 40 courses at http://www.sans.org/sans-2011/event.php

TOP OF THE NEWS

WikiLeaks No Longer Being Hosted on Amazon Servers
Nations Debate Cyber Disarmament
FTC Backs Do Not Track List
Chinese Arrested More Than 460 Hackers in 2010
Chinese Government to Crack Down on Piracy

THE REST OF THE WEEK'S NEWS

Alleged Mega-D Botnet Operator Arrested
ProFTPD Security Breached
Texas School District Will Implement Significant Cyber Security Upgrade
Google Takes Steps to Prevent Bad Merchants From Topping Search Results
Xbox Modifying Trial Begins
Ransomware Makes a Comeback


********************* Sponsored By Athena Security *********************
Have you lost track of the business reasons for your firewall rules through multiple change cycles? Industry best practice and compliance requirements from leading authorities such as SANS, NSA, NIST, PCI and NERC say to document the business justification for your firewall rules on a continuous basis. Athena's New Rule Tracker makes this easier than ever. See how at http://www.sans.org/info/67413
*************************************************************************

TRAINING UPDATE
New "Combating Malware in the Enterprise" course at SANS (SEC569). How do you fight off malware when you have thousands of hosts? Learn the answers in Washington DC in December or in Orlando in March:
http://www.sans.org/security-training/combating-malware-enterprise-1482-mid

-- SANS London 2010, November 27-December 6, 2010 14 courses. Bonus evening presentations include Latest Advances in Computer Forensics; and Continuous Vulnerability Testing and Remediation: The 20 Critical Security Controls Perspective
http://www.sans.org/london-2010/

-- SANS Cyber Defense Initiative 2010, Washington DC, December 10-17, 2010 24 courses. Bonus evening presentations include Browser Based Defenses; Continuous Vulnerability Testing and Remediation: the 20 Critical Security Controls Perspective; and Cyberwar or Business as Usual? The State of US Federal CyberSecurity Efforts
http://www.sans.org/cyber-defense-initiative-2010/

-- SANS Security East 2011, New Orleans, LA, January 20-27, 2011 12 courses. Bonus evening presentations and special events include Happy Little Clouds: Governing, Assessing and Auditing Cloud Environments; and Future Trends in Network Security
http://www.sans.org/security-east-2011/

-- North American SCADA 2011, Lake Buena Vista, FL, February 23-March 2, 2011
http://www.sans.org/north-american-scada-2011/

-- SANS 2011, Orlando, FL, March 27-April 4, 2011 39 courses. Bonus evening presentations and special events include Hiding in Plain Sight: Forensic Techniques to Counter the Advanced Persistent Threat; and Law and the Public's Perception of Data Security
http://www.sans.org/sans-2011/

-- Looking for training in your own community?
http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Atlanta, San Francisco, Bangalore and Phoenix all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
****************************************************************************

TOP OF THE NEWS

WikiLeaks No Longer Being Hosted on Amazon Servers (December 2, 2010)

Amazon has removed WikiLeaks from its servers, reportedly because the site failed to comply with Amazon's terms of service. Separately, a US Senate committee asked the online retail giant to explain its relationship with the site, which has recently been the focus of worldwide attention after releasing tens of thousands of confidential US diplomatic cables. WikiLeaks had moved to Amazon's servers after becoming the target of a distributed denial-of-service (DDoS) attack; it is now being hosted in Sweden.
-http://www.nytimes.com/2010/12/02/world/02amazon.html?ref=technology
-http://www.scmagazineuk.com/amazon-chooses-to-stop-hosting-wikileaks-as-cables-circulate-on-bit-torrent/article/192039/

[Editor's Note (Pescatore): Amazon stated that its Terms of Service says "you represent and warrant that you own or otherwise control all of the rights to the content... that use of the content you supply does not violate this policy and will not cause injury to any person or entity." So, WikiLeaks was clearly violating the AWS Terms of Service. (Ranum): The US Senate committee should have checked with Secretary of State Clinton before pressuring Amazon. After all, didn't she just treat China to a finger-wagging for censorship and stifling dissidents on the Internet?
(Schultz): I know Julian Assange from a previous period in my life, and while my past dealings with him (which were related to his extremely informative cyber legal issues Web site) were quite positive, I fear he, despite the risks, has made a plunge into something that is way too big for him. Just recently he was grandstanding; now he is hiding. ]

Nations Debate Cyber Disarmament

After a decade of ignoring Russia's recommendations for a cyber disarmament treaty, the US and other nations are beginning to show real interest. The discussions are being led by the International Telecommunication Union (ITU), an agency of the United Nations.
-http://www.worldaffairsjournal.org/articles/2010-NovDec/full-Gjelten-ND-2010.html

FTC Backs Do Not Track List (December 1 & 2, 2010)

A report from the US Federal Trade Commission (FTC) describes a series of revisions of online privacy rules to protect consumers, including the creation of a Do Not Track framework analogous to the Do Not Call list that bars telemarketers from phoning numbers that consumers have registered. The policy would affect all organizations that collect and store consumer information. The FTC made the proposal because the current "notice and choice" system, which has organizations voluntarily notifying consumers of data collection policies and determining their own policies, is not effective.
-http://www.nytimes.com/2010/12/02/business/media/02privacy.html?ref=technology
-http://www.usatoday.com/tech/news/internetprivacy/2010-12-01-do-not-track_N.htm
-http://www.darkreading.com/security/privacy/228500118/ftc-proposes-privacy-reforms-for-online-business.html

-http://www.informationweek.com/news/security/privacy/showArticle.jhtml?articleID=228500104&subSection=Security

[Editor's Note (Pescatore): We have a love/tolerate/hate relationship with Internet tracking. We love to get everything for free on the Internet, we tolerate advertising to fund that free access, but we hate not having control or choice in how much privacy we are giving up. A Don't Track List is a great idea - if I have to opt in to tracking at sites that can't offer free content without tracking, that would be just fine. ]

Chinese Arrested More Than 460 Hackers in 2010 (November 30 & December 2, 2010)

During the first 11 months of 2010, Chinese authorities arrested more than 460 people in connection with computer crimes. The announcement came in the wake of the release of tens of thousands of US diplomatic cables, including one indicating the Chinese government's involvement in the December 2009 attack on Google's computer systems. Despite the arrests and the shutdown of several websites that provided support for hackers, a Chinese official said that "The current situation ... is still very grim and the number of hacker attacks and sabotage activities in China are still high."
-http://www.reuters.com/article/idUSTRE6B00W920101201
-http://www.telegraph.co.uk/news/worldnews/asia/china/8176201/China-arrests-hundreds-of-computer-hackers.html

[Editor's Note (Paller): China has recruited several of the best of these hackers into annual competitions held in each PLA (People's Liberation Army) military district every spring and summer. ]

Chinese Government to Crack Down on Piracy (December 1, 2010)

The Chinese government has announced that it will begin inspecting government computers at the national and local levels for pirated software. The government expects to complete the inspection by May 2011. Chinese officials said they also plan to pursue purveyors of counterfeit merchandise. In a related development, Microsoft has announced that it has filed a lawsuit against ten companies in China for selling computers pre-installed with pirated software. According to statistics from the Business Software Alliance, last year roughly 79 percent of software on Chinese computers was pirated.
-http://www.informationweek.com/news/government/policy/showArticle.jhtml?articleID=228500001&subSection=Security

-http://www.computerworld.com/s/article/9198818/China_to_inspect_government_computers_for_pirated_software?taxonomyId=144



************************* SPONSORED LINKS ***************************
1) Register Now for the upcoming webcast on 12/10/10 - Beyond AV: Total Endpoint Security For Multi-Regulatory Compliance and Better Security, at http://www.sans.org/info/67418
**********************************************************************

THE REST OF THE WEEK'S NEWS

Alleged Mega-D Botnet Operator Arrested (December 2, 2010)

Early last month, FBI agents arrested a 23-year-old Russian man in connection with the Mega-D botnet. Oleg Nikolaenko is believed to be the operator of the network, which has been responsible for as much as 17 percent of spam sent worldwide. The FBI and the Federal Trade Commission (FTC) have reportedly been tracking Nikolaenko since 2007. He was arrested on November 4 in Las Vegas, Nevada, and indicted on November 16 for violating the CAN-SPAM Act.
-http://www.informationweek.com/news/security/management/showArticle.jhtml?articleID=228500163&subSection=Security

-http://krebsonsecurity.com/2010/12/fbi-identifies-russian-mega-d-spam-kingpin/
-http://krebsonsecurity.com/wp-content/uploads/2010/12/Nikolaenko-complaint.pdf

ProFTPD Security Breached (December 2, 2010)

Attackers gained access to the main server hosting the ProFTPD FTP server project and inserted a back door into the distributed source code. They reportedly got in by exploiting a flaw in ProFTPD itself, which the project's own server was running. The tampering went undetected for three days. Anyone who downloaded ProFTPD during that window should compare the archive's MD5 hash against the published sums and, more reliably, verify the release's PGP signature with the project's signing key: a checksum served from the same compromised host could have been replaced along with the archive, whereas a valid signature cannot be produced without the private key, provided the public key was obtained from somewhere other than the compromised server.
-http://www.h-online.com/open/news/item/Back-door-in-ProFTPD-FTP-server-1146592.html

-http://www.theregister.co.uk/2010/12/02/proftpd_backdoored/
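The check described above, as an added example rather than anything from the ProFTPD project's own release tooling: the script parses an md5sum/sha256sum-style checksum manifest, compares the downloaded archive's digest against it in constant time, and wraps the gpg signature check. The file name proftpd-x.y.z.tar.gz, the archive bytes and the manifest contents are constructed for illustration; the signature step assumes gpg is installed and that a keyring file holding the release key, fetched independently of the download server, is available.

```python
"""Verify a downloaded release archive against a checksum manifest and a
detached PGP signature.  Example added for this NewsBites item; it is not
ProFTPD's release tooling, and all file names below are hypothetical."""
import hashlib
import hmac
import subprocess

# Algorithms a manifest may carry, keyed by hex-digest length, so the same
# parser handles md5sum, sha1sum, sha256sum and sha512sum output.
_DIGEST_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
_HEX = set("0123456789abcdefABCDEF")


def parse_manifest(text):
    """Parse '<hex>  <name>' lines into {name: (algorithm, hex_digest)}.
    Blank lines and '#' comments are skipped; a malformed line raises rather
    than being silently dropped, so a truncated manifest cannot pass."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"manifest line {lineno}: expected '<hex>  <file>'")
        digest, name = parts
        name = name.lstrip("*")  # md5sum marks binary-mode entries with '*'
        algo = _DIGEST_BY_HEX_LEN.get(len(digest))
        if algo is None or not set(digest) <= _HEX:
            raise ValueError(f"manifest line {lineno}: unrecognised digest {digest!r}")
        entries[name] = (algo, digest.lower())
    return entries


def file_digest(data, algo):
    """Hex digest of the archive bytes with the named hashlib algorithm."""
    return hashlib.new(algo, data).hexdigest()


def check_archive(name, data, manifest_text):
    """True only if the manifest lists `name` and the archive digest matches.
    hmac.compare_digest keeps the comparison constant-time; cheap hygiene."""
    entries = parse_manifest(manifest_text)
    if name not in entries:
        return False
    algo, expected = entries[name]
    return hmac.compare_digest(file_digest(data, algo), expected)


def verify_signature(archive_path, signature_path, keyring_path):
    """Check a detached PGP signature with gpg, trusting only the keys in
    `keyring_path` (the release key, obtained out of band).  Returns True on
    a good signature.  Needs gpg and a real key, so it is not self-checked."""
    cmd = ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring_path,
           "--verify", signature_path, archive_path]
    return subprocess.run(cmd, capture_output=True).returncode == 0


if __name__ == "__main__":
    # Constructed stand-ins for a release tarball and the upstream manifest.
    archive = b"constructed tarball contents\n"
    manifest = f"{hashlib.sha256(archive).hexdigest()}  proftpd-x.y.z.tar.gz\n"
    print("clean archive  :", check_archive("proftpd-x.y.z.tar.gz", archive, manifest))
    print("tampered archive:", check_archive("proftpd-x.y.z.tar.gz", archive + b"backdoor", manifest))
```

The manifest parser is the piece worth keeping: point it at the sums file from a trusted mirror or from the project's signed announcement, not at one sitting beside the tarball on a host you suspect, and treat a parse error as a failed check rather than skipping the line.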

Texas School District Will Implement Significant Cyber Security Upgrade (December 2, 2010)

The Houston (Texas) Independent School District (HISD) plans to spend between US $10 million and $15 million on a computer system security upgrade. The announcement follows the disclosure that, several weeks ago, an intruder gained access to information on students, employees and vendors dating back 10 years. The upgrade will include a third-party audit to produce a plan for improving the district's overall security posture, and wireless network access will be restricted to HISD-owned computers until the upgrade is complete.
-http://www.khou.com/news/local/HISD-Hacker-gained-access-to-personal-data-of-all-students-employees-and-some-vendors-111192794.htmls

-http://blogs.houstonpress.com/hairballs/2010/12/hisd_security_hack.php

Google Takes Steps to Prevent Bad Merchants From Topping Search Results (December 1 & 2, 2010)

Google says it has developed an algorithm to prevent websites with large quantities of scathing reviews from appearing at the top of search results. Apparently, by generating customer complaints, merchants are also generating more links to their site. The issue came to light in a New York Times article detailing how one online merchant, who bullied and threatened customers who complained about shoddy products and poor customer service, exploited the situation to place his website at the top of search results.
-http://technolog.msnbc.msn.com/_news/2010/12/02/5567082-google-sucker-punches-online-retail-bully

-http://www.nytimes.com/2010/12/02/technology/02ranking.html?hpw
-http://www.nytimes.com/2010/11/28/business/28borker.html
[Editor's Note (Northcutt): This takes the famous Cohan quote to the next level, "I don't care what you say about me, as long as you say something about me, and as long as you spell my name right." Here is the Google blog on the subject:
-http://googleblog.blogspot.com/2010/12/being-bad-to-your-customers-is-bad-for.html

Bloggers and social media folks may be able to use rel=nofollow to use a link but not give "Google credit" just because you mentioned it.]

Xbox Modifying Trial Begins (December 1, 2010)

The trial of a California man who allegedly modified Xbox gaming devices so they could be used to run unauthorized software is underway. Prior to the trial's start, US District Judge Philip Gutierrez berated the prosecution because of his "serious concerns about the government's case" against Matthew Crippen. Judge Gutierrez was concerned about alleged illegal behavior of government witnesses and proposed jury instructions that would almost certainly have resulted in a guilty verdict. Crippen faces charges of violating the Digital Millennium Copyright Act (DMCA).
-http://www.wired.com/threatlevel/2010/12/no-deal-in-xbox-modding-case-trial-begins/

-http://www.wired.com/threatlevel/2010/12/xbox-judge-riled/

Ransomware Makes a Comeback (November 30, 2010)

Security firms are noting a resurgence of ransomware, malware that holds users' data hostage on their own computers until a payment is made. The newest variants demand as much as US $120 to return control of the data to its rightful owner. One variant uses malicious PDF files to exploit known, already patched vulnerabilities in Adobe Reader; users running a fully patched Reader are not affected by it. Another variant targets the master boot record (MBR) of Windows PCs' hard drives.
-http://www.computerworld.com/s/article/9198743/Ransomware_rears_ugly_head_demands_120_to_unlock_files?taxonomyId=82

-http://www.infoworld.com/t/malware/ransomware-returns-if-you-ever-want-see-your-data-again-449



**********************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer at the North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/